FTC Settles With TJX, Reed and Seisint; No Fines Levied

Posted by Chief Marketer Staff

Clothing retailer TJX and data brokers Reed Elsevier and Seisint have settled Federal Trade Commission charges that each engaged in practices that collectively failed to provide reasonable and appropriate security for sensitive consumer information.

The settlements will require that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years, according to the FTC.

No fines were levied in this case.

According to the FTC complaint, TJX, with more than 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks.

Last March, TJX said computer hackers stole credit card data from at least 45.7 million credit and debit cards over an 18-month period beginning in Dec. 2002.

In a filing with the Securities and Exchange Commission, the parent firm of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores admitted it discovered this apparent breach on Dec. 18, 2006.

Also stolen during the period were drivers’ license numbers and other personal data on 455 million people. This personal information was collected by TJX from customers who returned merchandise without a receipt (Direct Newsline, March 30, 2007).

Specifically, the FTC charged that TJX:

* Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text.

* Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization.

* Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers and networks.

* Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet.

* Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.

In its action against Reed and Seisint, the Commission alleged that Reed–through its LexisNexis unit–and Seisint collected and stored in databases information about millions of consumers, such as names, current and prior addresses, dates of birth, drivers’ license numbers and Social Security numbers.

They obtained information about consumers from credit reporting agencies and other sources, and sold products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords to control customer access to consumer information in their databases, the FTC continued.

The complaint further alleged that, among other security failures, they allowed customers to use easy-to-guess passwords to access Seisint
