$9.75 Million Settlement Reached with National Retailer

Phoenix, Arizona A $9.75 million nationwide settlement has been reached between Attorneys General from 41 states, inluding Arizona, with TJX Companies, Inc. (TJX), which owns retailers TJ Maxx, HomeGoods, A.J. Wright and Marshalls stores. The agreement concerns a massive data breach that placed thousands of TJXs consumers personal data at risk. The victims of the breach included 600 Arizonans. In addition to the financial settlement, TJX has agreed to implement a comprehensive information security program to safeguard consumer data and address weaknesses in its computer security systems. In 2007, unauthorized individuals obtained access to TJXs computer systems and seized cardholder data and other personally identifiable information. A multi-year investigation into the breach conducted by the Attorneys General examined TJXs data security policies and procedures in place when the breach occurred. That investigation identified a number of potential vulnerabilities in TJXs data security systems that may have facilitated the unlawful intrusion. According to the settlement, TJX will employ a comprehensive Information Security Program that assesses internal and external risks to consumers personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. TJX also will regularly obtain third-party assessments of its security systems and report to the Attorneys General on the efficacy of its program. Among other things, TJX must: ● Upgrade all Wired Equivalency Privacy (WEP) based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access (WPA) wired systems. ● Not store credit card or debit card data on its network any longer than necessary for legitimate business purposes. ● Appropriately segment from the rest of the TJX computer system those network-based portions of the TJX computer system that store, process or transmit personal information, by firewalls, access controls, and other appropriate measures. ● Implement proper security password management for portions of the TJX computer system that store, process or transmit personal information. Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation. The remaining $2.5 million will fund a Data Security Trust Fund to be used by the Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers personal information. The 41 states participating in the agreement are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin and the District of Columbia.