TJX, FTC Settle Charges in Data Breach Case

The company agrees to strengthen security measures on its computer network after hackers stole thousands of credit card numbers.

The TJX Companies, which runs discount retail brands TJ Maxx and Marshalls, has settled charges brought by the Federal Trade Commission over last year's data security breach involving thousands of customer credit card records.

In the settlement, announced March 27, TJX agreed to strengthen the security of its computer network to prevent future data breaches like the one last year, in which hackers stole millions of customer credit card numbers.

Among the steps the company will take are to designate an employee or employees to coordinate an information security program; identifying internal and external risks to the security and confidentiality of personal information; assessing existing security measures; creating and implementing new measures and monitoring their effectives and developing procedures to select and monitor service providers who handle personal customer data.

TJX has also agreed to have third-party auditors review its security measures every two years for 20 years, and to allow the FTC to monitor its compliance with the settlement.

In a statement posted on the FTC Web site, Chairman Deborah Platt Majoras said companies who collect sensitive consumer information are responsible for keeping it secure.

"These cases [against TJX and a separate suit against Reed Elsevier and Seisint, which served as data brokers] bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information," Majora said. "Information security is a priority for the FTC, as it should be for every business in America."

Joel Winston, associate director of privacy and identity protection for the FTC, said the cases against TJX and its data brokers serve as a reminder to the business community about the importance of securing customer data.

"We are sending the message it's not only good business, but the law," he said.

Officials with TJX did not return calls seeking comment. Ropes & Gray, the law firm that represented TJX in its case with the FTC, declined to comment for this article.

In a Feb. 29 press release, TJX President and CEO Carol Meyrowitz said the company has been "certified by a qualified US payment card industry assessor as fully compliant with all Payment Card Industry Data Security Standards."

According to FTC officials, banks have said that fraudulent charges totaling millions of dollars were made on card numbers that were stolen, and that millions of cards were canceled, with some being reissued.

Dan Berthiaume covers the retail space for eWEEK. For more industry news, check out's Retail Site.