June 24, 2009

Little Rock, Arkansas - Today, Attorney General Dustin McDaniel, together with 40 other State Attorneys General, announced a settlement with the TJX Companies, Inc. The Assurance of Voluntary Compliance between the parties resolves an investigation concerning a massive data breach that placed thousands of consumers' personal data at risk nationwide.
TJX has agreed to implement and maintain a comprehensive information security program to address weaknesses in TJX's computer security systems in place at the time of the breach. Also, under the terms of the settlement, Arkansas will receive $277,719.60 out of a total of $9.75 million paid to the states for their investigatory effort. These funds will be used to aid consumer protection enforcement including efforts to protect consumers from identity theft. "The TJX agreement and payment to the States will assist our office in safeguarding the personal information of Arkansas consumers and ensuring that it is protected from unauthorized access by criminals who would seek to use it for their personal gain," Attorney General Dustin McDaniel said of the settlement.
In 2007, after TJX announced that certain persons had obtained unauthorized access to its computer systems enabling them to seize cardholder data and other personally identifiable information, the coalition of Attorneys General conducted an extensive investigation which uncovered a number of vulnerabilities and flaws in TJX's data security systems. Today's settlement requires TJX to implement the most comprehensive information security program achieved to date following a data breach investigation. Among other things, under the Information Security Program required by the Assurance, TJX must:

• Upgrade all Wired Equivalent Privacy ("WEP") based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access ("WPA") wired systems;
• Not store credit card or debit card data on its network any longer than necessary for legitimate business purposes;
• Appropriately segment from the rest of the TJX computer system those network-based portions of the TJX computer system that store, process or transmit personal information, by firewalls, access controls, and other appropriate measures;
• Implement proper security password management for portions of the TJX computer system that store, process or transmit personal information; and
• Report regularly to the Attorneys General on the efficacy of the program and obtain independent third-party assessments.

The investigation was led by Massachusetts Attorney General Martha Coakley and an Executive Committee including the Attorneys General of Arkansas, California, Connecticut, Florida, Illinois, New Jersey, Ohio, Oregon, Pennsylvania, Tennessee and Vermont.
The 41 States participating in today's agreement are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin, and the District of Columbia.