For Immediate Release
June 23, 2009
Associate Attorney General Richard Head
Attorney General Kelly Ayotte, together with 40 other State Attorneys General, announced a settlement with the TJX Companies, Inc. The Assurance of Discontinuance between the parties resolves an investigation concerning TJX's data security practices and whether they adequately protected customers' financial information and sufficiently guarded against a massive data breach that placed thousands of consumers' personal data at risk, nationwide. TJX has agreed to pay $9.75 million to the states and to implement and maintain a comprehensive information security program, designed to safeguard consumer data and address any weaknesses in TJX's systems in place at the time of the breach. Under the terms of the settlement, New Hampshire will receive $69,114.90 that can be used for consumer protection enforcement efforts in New Hampshire. TJX cooperated fully in the States' investigation.
Attorney General Ayotte stated, "It is essential that when a consumer provides a business with personal information, the business must take appropriate measures to protect that information. When personal information is compromised, both the business and consumers are injured."
In 2007, after TJX announced that certain persons had obtained unauthorized access to its computer systems enabling them to seize cardholder data and other personally identifiable information, the coalition of Attorneys General conducted an extensive investigation into TJX's data security policies and procedures in place when the breach occurred. That investigation concerned a number of alleged vulnerabilities in TJX's data security systems that may have facilitated the unlawful intrusion and allowed it to last undetected for an unacceptable duration. Today's settlement reflects the lessons learned from that data breach and requires TJX to implement an information security program designed to guard against future intrusions or unauthorized disclosures. The Assurance's relief, in that regard, is the most comprehensive relief achieved to date following a data breach investigation.
The settlement ensures that TJX will employ a comprehensive "Information Security Program" that assesses internal and external risks to consumers' personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. TJX also will report regularly to the Attorneys General on the efficacy of its program, after obtaining a third-party assessment of its systems. Among other things, under the Information Security Program required by the Assurance, TJX must:
The investigation was led by Massachusetts Attorney General Martha Coakley and an Executive Committee including the Attorneys General of Arkansas, California, Connecticut, Florida, Illinois, New Jersey, Ohio, Oregon, Pennsylvania, Tennessee and Vermont.
The 41 States participating in today's agreement are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin, and the District of Columbia.
New Hampshire Department of Justice | 33 Capitol Street | Concord, NH | 03301