FTC Settles Data-Breach Cases

TJX Cos. was one of three firms that agreed to settle charges that each "failed to provide reasonable and appropriate security for sensitive consumer information," federal regulators said Thursday in two unrelated data-breach decisions.

Data broker Reed Elsevier PLC and its Seisint subsidiary also avoided fines but have agreed to obtain third-party audits biennially for 20 years under a separate settlement with the Federal Trade Commission.

The agreements, which will be finalized after a 30-day public comment period, also require the companies to implement comprehensive information security programs.

"These cases bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information," FTC Chairman Deborah Platt Majoras said in a release.

TJX said last March that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems. Court filings by banks that sued TJX estimated the number of cards affected at more than 100 million.

In the other case, personal information about hundreds of thousands of people held by Netherlands-based Reed Elsevier's LexisNexis unit may have been accessed in 2005 by unauthorized individuals using stolen passwords and IDs to access Seisint databases.

Sherry Lang, TJX's senior vice president for investor and public relations, said the company disagreed with the FTC's allegations, but agreed to the settlement "which is consistent with the agreements between the FTC and other retailers that have been victimized by cyber crime."

The Framingham, Mass.-based company's 2,500 stores include the T.J. Maxx and Marshalls chains.

"We have been at work for over a year implementing a comprehensive, improved information security program designed to protect the security, confidentiality and integrity of our customers' personal information," Lang said in a statement.