June 23, 2009
Jefferson City, Mo. - Attorney General Chris Koster today announced a settlement between Missouri and 39 other states, and the TJX Companies, Inc., resolving an investigation concerning TJX's data-security practices and whether they adequately protected customers' financial information and sufficiently guarded against a massive data breach that placed thousands of consumers' personal data at risk.
Under the terms of the settlement, TJX will implement and maintain a comprehensive information security program to address the weaknesses that existed in its computer security systems at the time of the breach. In addition, Missouri will receive $67,423.80 to aid consumer protection enforcement.
"Data privacy is of great concern to my office. Customer data should be kept secure by companies that deal with the public so that personally identifying information is not exposed to computer hackers," Koster said. "This resolution helps ensure customer privacy."
The coalition of Attorneys General launched an extensive investigation into TJX's data security policies and procedures after a breach in 2007 in which individuals obtained cardholder data and other personally identifiable information. That investigation uncovered a number of vulnerabilities and flaws in TJX's data security systems.
The settlement requires TJX to implement an information security program designed to guard against future intrusions or unauthorized disclosures. The settlement ensures that TJX will employ a comprehensive "Information Security Program" that assesses internal and external risks to consumers' personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. TJX also will report regularly to the Attorneys General on the efficacy of its program, after obtaining a third-party assessment of its systems.
Specifically, TJX must: