WASHINGTON (CN) – The Federal Trade Commission has agreed to settle alleged violations of federal unfair competition laws by data brokers Reed Elsevier and Seisint and off-price retailer TJX, which resulted in identity theft and credit card fraud, according to summaries of orders made available for public comment.
Any comments are due to the FTC by April 28.
Reed Elsevier (through its LexisNexis division) and Seisint failed to provide reasonable and appropriate security for sensitive consumer information on databases which included millions of consumers’ names, addresses, dates of birth, driver’s license numbers, and Social Security numbers, according to the complaint. Identity thieves gained access to information of more than 300,000 consumers, and opened new credit accounts in the names of consumers or activated newly-issued credit cards stolen from legitimate cardholders.
TJX, which runs TJMaxx and Marshall’s, failed to provide reasonable and appropriate security for personal information on its computer networks, according to the FTC’s complaint. In selling its products, TJX has collected: (1) account number, expiration date, and an electronic security code for payment card authorization; (2) bank routing, account, and check numbers and, in some instances, driver’s license number and date of birth for personal check verification; and (3) name, address, and personal ID numbers for unreceipted returns. TJX also: (a) used clear text to store and transmit the information in-house; (b) did not use readily available security measures to limit unauthorized wireless access to its networks; (c) did not require network administrators and other users to use strong passwords or to use different passwords to access different programs, computers, and networks; (d) failed to use readily available security measures, such as by using a firewall to isolate card authorization computers; and (e) failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by patching or updating anti-virus software or following up on security warnings and intrusion alerts. TJX’s breach compromised tens of millions of payment cards and the personal information of approximately 455,000 consumers who had made unreceipted returns. Issuing banks have claimed tens of millions of dollars in fraudulent charges on some of these payment card accounts, and have cancelled and re-issued millions of payment cards. Some consumers have had to get new personal ID numbers, such as new drivers’ licenses.
The proposed settlement orders require each of the companies to establish and maintain a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of nonpublic personal information collected from or about consumers. Each also must obtain within 180 days, and on a biennial basis for 20 years, an assessment from a qualified, objective, independent third-party professional, certifying that it has such a security system operating.