TJX Cos Inc. will implement tighter security and allow its data to be audited to settle charges that its poor security led to the massive data security breach, the U.S. Federal Trade Commission said on Thursday.
Under a settlement agreement reached with the FTC, the discount retailer agreed to open its records to an audit. Specifically, TJX must obtain audits by independent third-party security professionals every other year for 20 years, the FTC said.
TJX also agreed to establish and maintain a comprehensive security program. The FTC said the program must protect the personal information it collects from or about consumers. The FTC is requiring the retailer to conduct a risk assessment to identify holes that could put consumer data at risk and then design and implement policies and security technologies to mitigate the risks.
The agreement also addresses TJX's process for selecting service providers to handle credit card transactions. The company must take steps both in selecting service providers and in handling the consumer information it receives from business partners.
"By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure," said FTC Chairman Deborah Platt Majoras. "These cases bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information. Information security is a priority for the FTC, as it should be for every business in America."
Scott Crawford, an analyst with Boulder, Colo.-based Enterprise Management Associates, called the settlement significant for the FTC, which is trying to send the message that it is enforcing data security obligations on businesses.
"The impact on individual consumers is what is at stake here and the FTC wants to make sure that TJX is not just paying a penalty but it is required to practice some standard of appropriate security," Crawford said.
The FTC does not have the ability to impose fines, but the agency has reached settlements before. In January 2006, the FTC reached a settlement with ChoicePoint, which agreed to pay $10 million in civil penalties and $5 million in consumer redress to settle charges that its security and record-handling procedures violated consumers' privacy rights and federal laws.
A full, independent security audit monitored by the FTC would be a costly process, Crawford said. While enterprises won't be able to plug every hole, the FTC is trying to send the signal that organizations should be proactive about securing consumer data.
"The idea that you could hermetically seal an organization from outside threats is unrealistic," he said.
At last year's RSA conference, Majoras said the FTC would be aggressive in taking action against firms that fail to protect consumer data. She said the FTC has taken action against companies for a variety of issues from failing to protect against SQL injection attacks to low-tech attacks such as dumpster diving.
TJX, which operates over 2,500 stores worldwide, used legacy Wi-Fi security. A report issued by Canadian privacy officials said the retailer should have moved faster to upgrade its Wi-Fi security from WEP encryption to WPA encryption. Hackers tapped into TJX's servers by way of the weaker Wi-Fi encryption, pilfering millions of credit and debit card numbers over an 18-month period in what experts say was the biggest data breach in history.
Several banking associations reached an agreement with TJX in December to be reimbursed for the costs associated with canceling and reissuing credit cards.
Since the breach, TJX has been steadily improving its security safeguards. In a prepared statement following the settlement, Daniel J. Forte, president of the Massachusetts Bankers Association, praised TJX for the steps it took to improve security following the breach.
"We are pleased to see the steps undertaken by TJX to improve the protection of cardholder data. Those steps have resulted in TJX having recently been certified as fully PCI DSS compliant by an independent PCI-approved assessor," Forte said.