FTC settles with TJX, data brokers.

Author: Swartz, Nikki
Position: UP FRONT - United States. Federal Trade Commission

Retailer TJX and data brokers Reed Elsevier and Seisint have agreed to settle charges with the Federal Trade Commission (FTC) that each engaged in practices that failed to provide reasonable and appropriate security for sensitive consumer information. The settlements will require that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years.

"By now, the message should be clear: Companies that collect sensitive consumer information have a responsibility to keep it secure," said FTC Chairman Deborah Platt Majoras in a press release.

According to the FTC complaint, TJX, with more than 2,500 stores worldwide, failed to use reasonable, appropriate security measures to prevent unauthorized access to personal information on its computer networks. As a result, a hacker obtained tens of millions of credit and debit payment cards that consumers used at TJX's stores, as well as the personal information of approximately 455,000 consumers who had returned merchandise to the stores. Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and that millions of cards have been cancelled and reissued.

In the FTC's action against data brokers Reed Elsevier and Seisint, the complaint alleges that Reed Elsevier--through its LexisNexis data broker business--and Seisint collected and stored in databases information about millions of consumers, including names, current and prior addresses, dates of birth, driver's license numbers, and Social Security numbers (SSNs). They obtained information about consumers from credit reporting agencies and other sources and sold products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or "user credentials") to control customer access to consumer information in their databases.

The complaint also alleges that they allowed customers to use easy-to-guess passwords to access Seisint's "Accurint" databases. The databases contained...
