US Federal Trade Commission Settles With TJX, Reed Elsevier and Seisint

By Janine de Blois

In two unrelated data-breach decisions settled with the US Federal Trade Commission (FTC) three firms have agree to settle charges “that each engaged in practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information.”

The settlements require the companies to implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years.

The settlements do not include fines as the FTC does not currently have the authority to levy them. It applied to Congress in 2005 for the ability to seek civil fines under the FTC Act, which prohibits unfair business practices.

TJX disagreed with the FTC’s allegations, but agreed to the settlement they believe to be consistent with the agreements between the FTC and other retailers victimized by cyber crime.

Sherry Lang senior vice president for investor and public relations said, “We have been at work for over a year implementing a comprehensive, improved information security program designed to protect the security, confidentiality and integrity of our customers’ personal information.”

They are also working with law enforcement in hopes of bringing the cyber criminals behind the attack to justice. The operator of T.J. Maxx and Marshalls said last March at least 45.7 million cards were exposed when hackers were able to access their system. The estimate is closer to 95 million according to court documents filed by banks suing for damages.

In the other case, identity thieves exploited security failures, and obtained access to sensitive information about at least 316,000 consumers from Seisent’s databases.

The identity thieves used the information to activate credit cards and open new accounts, which were then used to make fraudulent purchases.

Reed Elsevier (REI), through its LexisNexis data broker business acquired Seisint in late 2004, and the breaches continued for at least nine months afterward, during which time REI controlled Seisint’s practices. A spokeswoman for LexisNexis said the company has resolved the issues identified by the government.