In re TJX Companies

Citation: In re TJX Companies, Inc., FTC File No. 072-3055 (March 27, 2008).

Factual Background
According to the Federal Trade Commission's complaint, TJX Companies (TJX), with over 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks. An intruder exploited these failures and obtained tens of millions of credit and debit payment cards that consumers used at TJX’s stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores. Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and millions of cards have been cancelled and reissued.

Specifically, the agency charged that TJX:

 * Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
 * Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
 * Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
 * Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
 * Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.

Agreement Containing Consent Order
The settlement with TJX (contained in the Agreement Containing Consent Order) requires it to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers. The settlement requires the program to contain administrative, technical, and physical safeguards appropriate to the company’s size, the nature of its activities, and the sensitivity of the personal information it collects. Specifically, TJX must:

 * Designate an employee or employees to coordinate the information security program;
 * Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
 * Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
 * Develop reasonable steps to select and oversee service providers that handle the personal information they receive from TJX; and
 * Evaluate and adjust its information security program to reflect the results of monitoring, any material changes to its operations, or other circumstances that may impact the effectiveness of the program.

The settlement requires TJX to retain independent, third-party security auditors to assess its security program on a biennial basis for the next 20 years. The auditors will be required to certify that the company’s security program meets or exceeds the requirements of the FTC’s order and is operating with sufficient effectiveness to provide reasonable assurance that the security of consumers’ personal information is being protected.

The settlement also contains bookkeeping and record keeping provisions to allow the agency to monitor compliance with its order.