FTC files settlement agreement with TJX
In a statement released March 27, 2008, the Federal Trade Commission agreed to settle charges against TJX Companies Inc. alleging that a number of TJX's security practices violated provisions of the FTC Act of 1914 and that the company failed to employ reasonable and appropriate security measures to protect sensitive consumer information on its networks.
According to the complaint, issued jointly with the settlement agreement and approved by the FTC on a provisional basis, TJX engaged in a number of unfair practices since July 2005, including:
- Creating an unnecessary risk to personal information by storing and transmitting that data unencrypted
- Not using available security measures to limit wireless access, thus allowing an interloper to make unauthorized wireless connections to in-store networks
- Not requiring network administrators and other users to use strong passwords for secure access
- Failing to limit access to computers and the Internet, such as by implementing a firewall, which would have protected the internal network from outside hackers
- Failing to employ sufficient measures to detect and prevent unauthorized access, conduct security investigations or follow up on security warnings and intruder alerts
The FTC unanimously voted to accept the proposed agreement. In the consent order, the agreement between the FTC and TJX states:
- The agreement is subject to public comment for 30 days, continuing through April 28, 2008, after which the FTC will vote again to finalize the settlement agreement.
- If approved after the comment period, the settlement becomes an order that can be enforced in federal court.
- TJX waives any further legal steps and all rights to seek judicial review or otherwise challenge or contest the settlement agreement.
- TJX will implement and maintain a comprehensive information security program, fully documented in writing, and designed to protect the confidentiality and integrity of personal consumer information.
- Security safeguard assessments will be made by a third-party auditor once in the first six months and every two years thereafter for 20 years.
Keep it secure
"By now, the message should be clear: Companies that collect sensitive consumer information have a responsibility to keep it secure," FTC Chairman Deborah Platt Majoras said. "Information security is a priority for the FTC, as it should be for every business in America."
TJX owns more than 2,400 retail stores, including T.J. Maxx, Marshalls, A.J. Wright, Bob's Stores and HomeGoods stores in the United States; Winners and HomeSense in Canada; and T.K. Maxx stores in the U.K., Ireland and Germany.