The FTC has reached settlements with The TJX Companies Inc. and Reed Elsevier after alleging the firms did not provide sufficient security for consumer information.
Under the settlements, the companies must implement new security programs and undergo security audits by third-party professionals every other year for 20 years.
“By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure,” FTC chairman Deborah Platt Majoras said in a statement.
She added that the FTC has filed 20 complaints in which the agency has charged companies with security deficiencies in protecting sensitive consumer information.
The companies agreed to similar settlements, which stipulated that they must designate employees to coordinate security programs, identify risks and assess safeguards already in place. Once risks are assessed, the companies must design and implement new safeguards, monitor their effectiveness and put programs into place that show the results of this monitoring. TJX and Reed Elsevier must also select and oversee service providers that handle the personal information they receive.
The FTC’s investigation of Reed Elsevier focused on its data brokerage division LexisNexis and 2004 acquisition Seisint. The agency charged Reed Elsevier and Seisint after identity thieves accessed personal information from at least 316,000 Seisint customers. Reed Elsevier was implicated because the breaches continued for nine months after its acquisition of Seisint.
“Under the agreement, LexisNexis agrees to maintain a comprehensive information security program, as confirmed by periodic, third-party audits,” Suzanne D’Agostino, VP of corporate communications for LexisNexis, said in a statement. “We have resolved the issues identified by the FTC, which relate to data breaches previously disclosed in 2005, and are committed to maintaining the enhanced security safeguards that we put in place following the acquisition.”
Charges stated that Seisint and Reed Elsevier allowed customers to use easy-to-guess passwords for database access and did not require periodic changes of user credentials or suspend credentials after multiple unsuccessful login attempts. Other charges included failure to require customers to encrypt or protect credentials, allowing customers to store credentials in vulnerable formats, and allowing users to share credentials and create new credentials with no verification of the new identities. Seisint and Reed Elsevier also failed to implement readily available defenses or adequately assess the vulnerability of their systems to such attacks, according to the charges.
Complaints against TJX were filed when an intruder accessed personal information on its stores’ computer networks, stealing tens of millions of debit and credit card numbers and the personal information of nearly half a million TJX shoppers.
The FTC said that TJX created unnecessary risk to the information by storing and transmitting it in clear text and by not using readily available measures to limit wireless access to its networks. TJX was also charged because it allegedly did not require workers to use strong passwords to access its data, did not use firewalls and other security measures to limit access to its computers, and did not have measures in place to detect and prevent unauthorized access to customer data.
TJX could not be reached for comment as of press time.
Thirty-nine state attorneys general assisted the FTC in its investigation of TJX. The Hayward, CA, Police Department and Rapid Enforcement Allied Computer Team Task Force aided in the investigation of Seisint and Reed Elsevier.