For Immediate Release - July 30, 2009

Attorney General Martha Coakley Announces Multi-State Settlement with the TJX Companies, Inc., Over Massive Data Breach

Massachusetts to Receive over $950,000 to Ensure Protection of Personal Data

View accompanying media:

BOSTON - Today, a group of 41 Attorneys General, led by the Office of Massachusetts Attorney General Martha Coakley, announced a settlement with the Framingham-based TJX Companies, Inc. ("TJX") The Assurance of Discontinuance between the parties, filed in Suffolk Superior Court today, resolves claims relating to TJX's failure to appropriately protect its customers' financial information and to guard against a massive data breach that placed thousands of consumers' personal data at risk, nationwide. TJX has agreed to pay $9.75 million to the states and to implement and maintain a comprehensive information security program, designed to safeguard consumer data and address any weaknesses in TJX's systems in place at the time of the breach. Under the terms of the settlement, Massachusetts will receive approximately $951,000 to aid efforts to protect consumers' personally-identifiable information and to cover the costs of the investigation. TJX cooperated fully with the multistate investigation.

"Protecting consumers' personally-identifiable information is of paramount importance to prevent fraudulent use of credit and identity theft. All retailers and companies that hold or use personally-identifiable information must employ data security systems that guard against the improper disclosure or use of that information," said Attorney General Coakley. "This settlement ensures that companies cannot write-off the risk of a data breach as a cost of doing business. In addition to the monetary relief, this agreement requires TJX to implement and maintain a substantial data security program to ensure that this kind of data breach does not happen again."

In January 2007, TJX announced that certain persons had obtained unauthorized access to its computer systems enabling them to seize cardholder data and other personally identifiable information. Attorney General Coakley's office led a coalition of Attorneys General that conducted an extensive investigation into TJX's data security policies and procedures in place when the breach occurred. That investigation concerned a number of alleged vulnerabilities in TJX's data security systems that may have facilitated the unlawful intrusion and allowed it to last undetected for an unacceptable duration. The settlement reflects the lessons learned from that breach and provides for an information security program designed to guard against future intrusions or unauthorized disclosures. The settlement's relief, in that regard, is the most comprehensive relief achieved to date following a data breach investigation.

The settlement ensures that TJX will employ a comprehensive "Information Security Program" that assesses internal and external risks to consumers' personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. TJX also will report regularly to the Attorneys General on the efficacy of its program, after obtaining a third-party assessment of its systems. Among other steps, under the Information Security Program required by the Assurance, TJX must:

  • Upgrade all Wired Equivalency Privacy (WEP) based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access (WPA) wired systems;
  • Not store credit card or debit card data on its network any longer than necessary for legitimate business purposes;
  • Appropriately segment from the rest of the TJX computer system those network-based portions of the TJX computer system that store, process or transmit personal information, by firewalls, access controls, and other appropriate measures; and
  • Implement proper security password management for portions of the TJX computer system that store, process or transmit personal information.

Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation. Further, $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the state Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers' personal information.

Attorney General Coakley's Office led an Executive Committee, which included Assistant Attorneys General in Arkansas, California, Connecticut, Florida, Illinois, New Jersey, Ohio, Oregon, Pennsylvania, Tennessee and Vermont.

The 41 States participating in today's agreement are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin, and the District of Columbia.

The investigation and settlement was handled by Assistant Attorney General Margret Cooke with assistance from Assistant Attorneys General John Stephan and Christopher K. Barry-Smith, Chief of the Public Protection and Advocacy Bureau.

#########

S upporting Materials

Download and view the complaint:

Press Conference Audio

Listen to the press conference audio from July 23, 2009:

Download and view a transcript from the press conference:

Press Conference Video