June 24, 2009, 8:48 PM — More than two years after TJX Companies Inc. acknowledged that it was hit with a massive data breach, the Framingham, Mass.-based retailer agreed to boost its security measures and pay 41 states nearly $10 million to cover the costs of investigating the incident.
Under the terms of the settlement announced yesterday, TJX will pay the states a total of $7.25 million for the investigations and will also create a $2.5 million data security fund available to the states for projects that "advance" effective data security and technology, the company said in a statement.
The settlement also requires that TJX certify that its computer systems meets "detailed data security requirements" prescribed by the states, and that it "encourage" the development of new technologies that can better secure payment card data.
TJX, which operates the retail chains like T.J. Maxx, Marshalls and Bob's Stores, disclosed in January 2007 what was widely seen at the time as the biggest breach of payment cards ever. The company had said that at least 45 million cards were exposed in the breach, and that the total could have been as high as 94 million cards.
The payment cards were compromised by intruders who broke into the TJX Companies networks via poorly configured wireless access points at some of its stores in Florida.
In a statement yesterday, TJX insisted that it did not violate any consumer or data protection laws in connection with the breach. The company said it agreed to the settlement because it wanted to "concentrate on its core business without distraction".
To date, 11 people have been charged on ID theft and computer fraud counts in connection with the case, and at least two have pleaded guilty. Three of the 11 are U.S. citizens while the rest are from Estonia, Ukraine, China and Belarus.
TJX had already set aside funds for the to pay settlement and other costs in connection with the incident.
In a statement announcing the settlement, Massachusetts Attorney General Martha Coakley said that TJX has also agreed to upgrade all of its wireless systems to a more secure protocol. The agreement also requires that TJX limit the time payment card data is stored on its networks, and to isolate the portion of its network carrying payment card data from the corporate network, she added. "This settlement ensures that companies cannot write-off the risk of a data breach as a cost of doing business," Coakley said.
In a similar statement, California Attorney General Edmund Brown Jr. said that investigations determined that the intrusion followed the failure of TJX to address security flaws that were unearthed in a 2004 internal audit. The agreement ensures that the TJX systems will meet highest "contemporary standards," Brown added.
Gartner Inc. analyst Avivah Litan criticized the agreement, contending that state governments have no business mandating corporate security requirements.
"I think the AGs are better off focusing on disclosure rules and consumer protection than on security technology," she said. "As soon as the government starts mandating or recommending technologies, like end-to-end encryption, their mandates or recommendations will become out-of-date."
Also considering that consumers did not suffer direct financial harm due to the breach, the attorneys general should have focused instead on "preventing future breaches through enhanced breach disclosure laws and more effective consumer protection laws" Litan said.
