TJX Settles with State Attorneys General for $9.75 Million

The TJX breach saga came a little closer to an end (excluding, of course, the still-pending case being pursued by a couple of issuing banks) with the announcement of a settlement with 41 State attorneys general that brought actions under their States' respective consumer fraud and deceptive practices laws (a copy of the settlement document can be found here). This is a summary of the TJX settlement.

Monetary Settlement Breakdown

    The total monetary settlement amounted to $9.75 million, which is broken down as follows:

    • $5.5 million to the Attorneys General for State consumer protection activities related to data security or otherwise, including consumer education and outreach, prevention or monitoring programs, consumer protection enforcement, litigation, local consumer aid funds, consumer protection enforcement funds and public protection funds
    • $2.5 million to develop a "data security fund" to be used by the States to research the benefits of data security technology; to develop best practices, protocols, policies or model legislation or regulations concerning data security or data security technology; to develop and implement programs, education and outreach for consumers with respect to data security; and for other efforts to examine data security matters and to protect consumer privacy
    • $1.75 million in fees and costs associated with the States' investigation of the TJX breach

    This brings the total reportedly paid out for settling various actions against TJX to approximately $75 million (this does not include forensic expense, attorney fees, etc.).

Information Security Program

    In addition to monetary payments, the settlement also requires TJX to "implement and maintain a comprehensive Information Security Program reasonably designed to protect the security, confidentiality and integrity of Personal Information." The general description of the mandated program essentially matches the information security program required pursuant to TJX's consent order with the FTC. However, this settlement goes beyond the general requirements of the FTC's consent order and mandates specific information security controls and actions, including:

    • Replacement of all WEP-based wireless systems with WPA wireless systems (or equivalent)
    • No storage of sensitive authentication information related to payment cards (e.g. magnetic stripe track data, PINs/PIN blocks, and CVC2/CVV2/CID numbers)
    • Segmentation of TJX networks storing, processing or transmitting Personal Information (including Cardholder Information) from the rest of TJX's network
    • "Security password management" for the portions of the TJX computer system that store, process or transmit Personal Information
    • Implementation of a security patching protocol for the portions of the TJX computer system that store, process or transmit Personal Information
    • Use of Virtual Private Networks/encryption for transmitting Personal Information
    • Anti-virus software
    • Intrusion detection systems
    • Access control measures

    The order indicates that the previously mentioned requirements alone do not necessarily amount to reasonable actions to protect Cardholder or Personal Information. The settlement sets a 120-day deadline for TJX to implement the required information security program. TJX must also have a third-party security assessor create a report certifying compliance. The first report of the third-party assessor is due 180 days after the settlement agreement date, and subsequent assessments must occur on a biennial basis (although TJX does not need to provide them to the AGs unless requested). TJX's obligations with respect to the information security program (and other requirements of the settlement) are to last for 20 years.

Breach Notification

    The settlement requires TJX to provide notice to the relevant attorney general 10 days after it has provided notice to its customers of any breach of personal information. The settlement sets forth several categories of information that must be provided to the attorneys general.

TJX Payment Card Security Advocate

    This is where the settlement agreement gets more interesting. As a condition of the settlement, TJX essentially has to advocate for improvements in the security of the payment card system. In particular, TJX must contact Visa and Mastercard and its acquiring bank and volunteer to participate in pilot programs for testing new security-related payment card technology (such as chip-and-PIN technology). TJX also must take steps to encourage the payment card industry to achieve "end-to-end" encryption of cardholder data (all the way through the bank authorization process). TJX must take such steps within 180 days and must submit a report to the Attorneys General indicating TJX's progress.