The company agrees to pay a total of $9.75 million

Jun 26, 2009 08:26 GMT

TJX, the parent company of Marshalls, T.J. Maxx, HomeGoods and other big retail chains, has settled with the Attorneys General of 41 U.S. states regarding what was once considered the biggest data breach in history. The company agreed to a total payment of $9.75 million, covering investigative costs ($1.75 million), the establishment of a Data Security Trust Fund ($2 million) and support for future data protection and consumer protection efforts by the states ($5.5 million).

Back in January 2007, TJX announced a massive data breach that resulted in the compromise of between 45 and 95 million payment cards. Eleven people from the U.S., Ukraine, Estonia, Belarus and China have been charged for their roles in the hack, which involved penetrating the company's wireless network at various weak spots and intercepting unencrypted credit card data.

This latest settlement has received mixed responses from privacy advocates, business analysts, security experts and government representatives. "This settlement ensures that companies cannot write-off the risk of a data breach as a cost of doing business," Massachusetts Attorney General Martha Coakley, whose office headed up the investigation, said.

Some people have argued that it was inappropriate for the Massachusetts AG's Office to lead the probe, as the company was headquartered in the same state and was one of its largest employers. Furthermore, the investigation revealed little or no new information that had not already been known since shortly after the incident.

Others questioned the impact of the $9.75-million amount, since TJX established a $216-million reserve back in 2007 specifically to cover costs related to this data breach, including lawsuits. The insurance check cashed by the company after the incident was by itself almost twice this settlement's figure.

However, the agreement also imposes some security-related requirements on TJX: upgrading from WEP wireless encryption to WPA or better, limiting how long credit card data is stored on the company's network, separating systems that store or transmit personal information from the rest of the network and enforcing stricter access controls, employing two-factor authentication for remote access to the network, and encouraging the development of new technologies within the Payment Card Industry, such as end-to-end encryption.

Some industry professionals pointed out that, while all of these requirements were good in principle, they did not go beyond what the payment card industry already enforced or recommended. All companies handling credit card data, TJX included, already need to be compliant with the PCI DSS (Payment Card Industry Data Security Standard) in order to do business.