TJX to face security audits for the next 20 years for losing data - March 28, 2008
Tampa Florida -- TJX Cos Inc. will implement tighter security and allow its data to be audited to settle charges that its poor security led to the massive data security breach, the U.S. Federal Trade Commission said on Thursday.
Under a settlement agreement reached with the FTC, the discount retailer agreed to open its records to an audit. Specifically, TJX must obtain audits by independent third-party security professionals every other year for 20 years, the FTC said.
TJX also agreed to establish and maintain a comprehensive security program. The FTC said the program must protect the personal information it collects from or about consumers. The FTC is requiring the retailer to conduct a risk assessment to identify holes that could put consumer data at risk and then design and implement policies and security technologies to mitigate the risks. Had TJX had the right firewalls from companies like Juniper or Barracuda Networks, maybe things would be a whole lot different.
The agreement also addresses TJX's process of selecting service providers to handle credit card transactions. The company must take steps in selecting a service provider and in handling consumer information it receives from business partners, which should have included encryption.
"By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure," said FTC Chairman Deborah Platt Majoras. "These cases bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information. Information security is a priority for the FTC, as it should be for every business in America."
Scott Crawford, an analyst with Boulder, Colo.-based Enterprise Management Associates, called the settlement significant for the FTC, which is trying to send the message that it is ensuring enforcement of data security on businesses.
"The impact on individual consumers is what is at stake here and the FTC wants to make sure that TJX is not just paying a penalty but it is required to practice some standard of appropriate security," Crawford said.
The FTC does not have the ability to impose fines, but the agency has reached settlements before. In January 2006, the FTC reached a settlement with ChoicePoint, which agreed to pay $10 million in civil penalties and $5 million in consumer redress to settle charges that its security and record-handling procedures violated consumers' privacy rights and federal laws.
A full, independent security audit monitored by the FTC would be a costly process, Crawford said. While enterprises won't be able to plug all holes, the FTC is trying to send the signal that organizations should be proactive on security of consumer data.
"The idea that you could hermetically seal an organization from outside threats is unrealistic," he said.
At last year's RSA conference, Majoras said the FTC would be aggressive in taking action against firms that fail to protect consumer data. She said the FTC has taken action against companies for a variety of issues from failing to protect against SQL injection attacks to low-tech attacks such as dumpster diving.
TJX, which operates over 2,500 stores worldwide, used legacy Wi-Fi security. A report issued by Canadian privacy officials said the retailer should have moved faster to upgrade its Wi-Fi security from WEP encryption to WPA encryption. Hackers tapped into TJX's servers using the weaker Wi-Fi encryption, pilfering millions of credit and debit card records over an 18-month period in what experts say was the biggest data breach in history.
Several banking associations reached an agreement with TJX in December, to be reimbursed for the costs associated with canceling and reissuing credit cards.
Since the breach, TJX has been steadily improving its security safeguards. In a prepared statement following the settlement, Daniel J. Forte, president of the Massachusetts Bankers Association, praised TJX for the steps it took to improve security following the breach.
"TJX may be the first, but they will not be the last. The message is lock it down or pay the price," states Brian McCarthy, CEO and Security Consultant for Sencilo Solutions of Orlando, Florida.
"We are pleased to see the steps undertaken by TJX to improve the protection of cardholder data. Those steps have resulted in TJX having recently been certified as fully PCI DSS compliant by an independent PCI-approved assessor," Forte said.
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/products-security.php
About Us
Sencilo Solutions is a Florida-based integrator specializing in storage, security and networking solutions. Sencilo delivers a comprehensive portfolio of products from best-of-breed hardware and software from multiple manufacturers including VMware, EMC, NetApp, Juniper Networks, Hitachi, Symantec, Barracuda Networks, and HP. Its technical expertise is known throughout the storage and security industry. Clients include leading corporations, major financial institutions, top universities, government facilities, as well as small to medium size businesses. Sencilo's professional services include consulting, integration, project management, installation, maintenance and knowledge transfer.
Sencilo has offices throughout Florida including: Jacksonville, Miami, Tampa, St. Petersburg, Orlando, Hialeah, Fort Lauderdale, Tallahassee, Cape Coral, and Pembroke Pines.