In two unrelated Federal Trade Commission actions, discount retailer TJX and data brokers Reed Elsevier and Seisint have agreed to settle charges that each engaged in practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. The settlements will require that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years.
“By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure,” said FTC Chairman Deborah Platt Majoras. “These cases bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information. Information security is a priority for the FTC, as it should be for every business in America.”
According to the FTC complaint, TJX, with over 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks. An intruder exploited these failures and obtained data for tens of millions of credit and debit payment cards that consumers used at TJX’s stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores. Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and that millions of cards have been cancelled and reissued.
Specifically, the agency charged that TJX:
In the FTC’s action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, driver’s license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products that customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or “user credentials”) to control customer access to consumer information in their databases.
The complaint alleges that, among other security failures, they allowed customers to use easy-to-guess passwords to access Seisint’s “Accurint” databases. The databases contained sensitive consumer information, including driver’s license numbers and Social Security numbers. Identity thieves exploited these security failures and, through multiple breaches, obtained access to sensitive information about at least 316,000 consumers from Accurint databases. The identity thieves used the information to activate credit cards and open new accounts, and made fraudulent purchases on the cards and new accounts. REI acquired Seisint in late 2004, and the breaches continued for at least nine months afterward, during which time REI controlled Seisint’s practices.
The agency charged that Seisint and REI:
The settlement with TJX requires it to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers. The settlement with REI and Seisint requires them to establish and maintain comprehensive security programs to protect personal information that is in whole or part nonpublic information. The settlements require the programs to contain administrative, technical, and physical safeguards appropriate to each company’s size, the nature of its activities, and the sensitivity of the personal information it collects. Specifically, the companies must:
The settlements require the companies to retain independent, third-party security auditors to assess their security programs on a biennial basis for the next 20 years. The auditors will be required to certify that the companies’ security programs meet or exceed the requirements of the FTC’s orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers’ personal information is being protected.
The settlements also contain bookkeeping and record keeping provisions to allow the agency to monitor compliance with its orders.
The FTC coordinated its investigation of TJX with 39 state Attorneys General, led by the office of the Massachusetts Attorney General, and acknowledges the invaluable assistance of the states in the agency’s investigation.
The FTC acknowledges the invaluable assistance of the Hayward, California Police Department and the REACT (Rapid Enforcement Allied Computer Team) Task Force in the agency’s investigation of Seisint and REI.
The Commission votes to accept the proposed consent agreements were 5-0. The FTC will publish an announcement regarding the agreements in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through April 28, after which the Commission will decide whether to make them final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
Copies of the complaints, proposed consent agreements, and analyses of the agreements to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftc.gov/ftc/complaint.shtm or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://ftc.gov/bcp/consumer.shtm.