Attorney General Announces $9.75 Million Settlement Resulting From Multistate Data-Security Investigation

DENVER — Colorado Attorney General John Suthers announced today that he has joined with 39 other attorneys general in reaching a $9.75 million settlement with TJX Companies, Inc., after an investigation showed the retail company’s data storage practices left the personal data of thousands of Coloradans at risk for theft or misuse.

“It is critical that companies that handle consumer data take proper steps to protect their customers from identity theft,” Suthers said. “This settlement will help provide another layer of security for Colorado consumers.”

As part of the settlement, TJX has agreed to pay $9.75 million to the states and to implement and maintain a comprehensive information security program aimed at safeguarding consumer data and addressing any weaknesses in TJX’s systems. Colorado will receive $50,000 from the multistate settlement.

The investigation began in 2007 after TJX announced that someone had breached its computer systems, resulting in the theft of consumers’ personal and financial information. The multistate investigation revealed numerous vulnerabilities in TJX’s computer systems that could have opened the door to the unauthorized access. The probe also revealed that the unauthorized access went undetected for several months.

Under the settlement, TJX must implement a comprehensive “Information Security Program,” which includes regular assessments of internal and external threats to consumers’ personal and financial information. TJX also will be required to implement basic safeguards, including:

  • Upgrading all Wired Equivalent Privacy-based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access wired systems;
  • Not storing credit card or debit card data on its network any longer than necessary for legitimate business purposes;
  • Appropriately segregating the network-based portions of the TJX computer system that store, process or transmit personal information, by firewalls, access controls and other appropriate measures; and,
  • Implementing appropriate security password management for portions of the TJX computer system that store, process or transmit personal information.

The 39 other states participating in the settlement are Alabama, Arizona, Arkansas, California, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia and Wisconsin. The District of Columbia also participated in the settlement.

