The Massachusetts Attorney General is heading up a group of more than 30 states trying to force answers to how the massive TJX Companies data breach happened.
“The scope of this is very broad,” Massachusetts Attorney General Martha Coakley said in an interview Feb. 7, a few hours after her office announced the multi-state probe of the apparel and home fashions retailer.
“Were going to be looking at appropriate business practices and whether they put consumers at risk.” She added that “businesses need to run their businesses, and they need certain amounts of information.”
Coakley would not identify which states are involved, only saying that “there are at least 30 who are interested in doing this.”
Recently, Rhode Island announced that it was pursuing its own investigation of TJX.
The Rhode Island probe will continue, and Rhode Island is not—at this time—participating in the multi-state effort led by Massachusetts, said Michael Healy, the public information officer for Rhode Island Attorney General Patrick C. Lynch.
Healy added that the first meeting that Rhode Island prosecutors are having with TJX has been delayed two days—from Feb. 12 to Feb. 14—because TJX officials said they needed more time.
The TJX incident was announced in mid-January, and according to TJX statements, discovered in mid-December.
That monthlong delay before public disclosure is a key issue in the Massachusetts probe. TJX has also said that the data problem began in mid-May and hadnt been discovered until mid-December, which is also something the Massachusetts group will likely examine. The $16 billion global retail chain owns T.J. Maxx and Marshalls, among other brands.
Coakley stressed that her multi-state probe will not be limited to credit- and debit-card transactions, but will look at a wide range of “paperless transactions of financial information,” including TJXs retention of drivers license information required to handle in-store receipt-less product returns.
An issue that these multi-state data breach probes often focus on is how to compensate consumers efforts to protect themselves.
TJX, for example, has opted to not pay for credit bureau checks for consumers, arguing that such efforts wouldnt be productive in protecting consumers.
One area that Rhode Island is exploring is whether retailers should pay for professionals to clean up the accounts of consumers, so consumers do not have to spend hours listening to hold music to clean up a mistake that was someone elses fault.
Coakley said that Massachusetts and the other states are also actively considering such options.
“Its the whole issue of who pays for the burden” in terms of both cost and time and the “inconvenience.” She added: “The states recognize that the time has now come to take a look at this.”
Retail Center Editor Evan Schuman can be reached at [email protected].
Editors Note: This story was updated to clarify Rhode Islands position with information from Rhode Island Attorney General Patrick C. Lynch.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.