Attorney General Jim Hood, together with 40 other State Attorneys General, today announced a settlement with the TJX Companies, Inc. The company is a discount retailer that owns stores such as
T J Maxx and Marshall’s.

The “Assurance of Discontinuance” between the parties resolves an investigation concerning TJX ‘s data security practices and whether they adequately protected customers’ financial information and sufficiently guarded against a massive data breach that placed thousands of consumers’ personal data at risk, nationwide. TJX has agreed to pay $9.75 million to the states involved, and to implement and maintain a comprehensive information security program designed to safeguard consumer data and address any weaknesses in TJX’s systems in place at the time of the breach. Under the terms of the settlement, the state of Mississippi will receive $26,837 to aid consumer protection enforcement and efforts to protect consumers’ personally-identifiable information.

“It is very important for our consumers to be able to shop at these stores without worrying about their personal data being stolen,” said Attorney General Jim Hood.

In 2007, after TJX announced that certain persons had obtained unauthorized access to its computer systems enabling them to seize cardholder data and other personally identifiable information, the coalition of Attorneys General conducted an extensive investigation into TJX’s data security policies and procedures in place when the breach occurred. That investigation uncovered a number of alleged vulnerabilities and flaws in TJX’s data security systems that facilitated the unlawful intrusion and allowed it to last undetected for an unacceptable duration. Today’s settlement reflects the lessons learned from that data breach and requires TJX to implement an information security program designed to guard against future intrusions or unauthorized disclosures. The Assurance’s relief, in that regard, is the most comprehensive relief achieved to date following a data breach investigation. The company cooperated fully in the States’ investigation.

The settlement ensures that TJX will employ a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. TJX also will report regularly to the Attorneys General on the efficacy of its program, after obtaining a third-party assessment of its systems.

Among other things, under the Information Security Program required by the Assurance, TJX must:
. Upgrade all Wired Equivalency Privacy (“WEP’) based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access (“WPA”) wired systems;
. Not store credit card or debit card data on its network any longer than necessary for legitimate business purposes;
. Appropriately segment from the rest of the TJX computer system those network-based portions of the TJX computer system that store, process, or transmit personal information by firewalls, access controls, and other appropriate measures;
. Implement proper security password management for portions of the TJX computer system that store, process, or transmit personal information.

Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation. The remaining $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the State Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information.

The 41 States participating in today’s agreement are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin, and the District of Columbia.

AG Jim Hood Press Release