FTC settles with TJX, LexisNexis
But it does not have the power to impose fines on the companies
IDG News Service - WASHINGTON -- The U.S. Federal Trade Commission (FTC) has settled data breach complaints against retailer TJX Companies Inc. and data broker Reed Elsevier, requiring both companies to establish comprehensive information security programs and submit to biennial data security audits over the next 20 years.
The settlements, announced Thursday, also require the companies to identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place. The settlements don't include fines because the FTC doesn't have authority to levy civil fines in violations of the FTC Act, which prohibits unfair business practices. The FTC has asked Congress for the ability to seek civil fines under the FTC Act, an agency spokeswoman said.
The settlement with TJX, which owns T.J. Maxx, Marshalls and other retailers, comes in response to a data breach that exposed more than 45 million customer credit and debit cards. The company reported the 2005 breach in January 2007; some banks have alleged that the number of cards affected is 94 million.
Reed Elsevier and subsidiaries LexisNexis and Seisint announced in March 2005 that hackers had stolen passwords, names, addresses, Social Security and driver's license numbers of about 32,000 customers. Since then, the number of compromised customers has risen to 316,000.
The FTC has brought 20 complaints against companies that had data breaches. "By now, the message should be clear: Companies that collect sensitive consumer information have a responsibility to keep it secure," FTC Chairman Deborah Platt Majoras said in a statement. "Information security is a priority for the FTC, as it should be for every business in America."
The agency charged that TJX stored and transmitted personal information in clear text, did not use "readily available" security measures to limit wireless access to its networks, did not use strong passwords and did not use security measures such as firewalls.
The FTC charged that Reed Elsevier allowed customers to use easy-to-guess passwords to access Seisint's Accurint databases containing sensitive personal information such as driver's license numbers and Social Security numbers. Identity thieves then exploited these security failures, and used the information to activate credit cards and open new accounts.
The FTC charged that the company failed to make Seisint user credentials hard to guess, failed to periodically change user credentials and failed to suspend credentials after a number of unsuccessfully log-in attempts. The company also allowed Seisint customers to store credentials on cookies on their computers, permitted users to share credentials, did not adequately address vulnerabilities in Seisint's Web applications and computer network, and did not implement "simple, low-cost and readily available" defense against attacks.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Enhancing Application Protection and Recovery with a Modern Approach to Snapshot Management This CommVault Business Value and Technology White Paper explains how Simpana IntelliSnap® Recovery Manager can make your application recovery fast and reliable.
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts