Sponsored Content WEBINAR: ELECTION 2008: E-mail Tips from a Political Insider   WEBINAR: Becoming the Illusionist: The Magic of Using "Brand" to Drive Response without Results Disappearing in the Process   WEBINAR: Score and Win Through Cooperation   TOOLS OF THE TRADE: Holiday's are prime-time for email marketing - maximize your ROI by getting to the inbox   ON DEMAND WEBINAR--MASTER CLASS: High Performance Online and Off-line Strategies for Large Scale Customer Acquisition   FREE WHITE PAPER - Direct Mail and the Internet Find any supplier you need - agencies, CRM, fulfillment, lists, e-commerce, paper, printers, telemarketing, and more. Featured Categories Lists and Data Telemarketing Database Marketing E-commerce Web Marketing Agency & Creative Services Print, Production & Paper Lists and Data Processing :: view all categories Get free access to more than 50,000 list data cards - one of the most comprehensive databases in the industry. >> Search Now DIRECT Buzz Blog Webinars Buyer's Guide Calculators JobZone ListFinder Promo Calendar Research Store E-Newsletters Print Magazine This Month in Direct Magazine Deal With It Direct had a full house for this year's list roundtable. Considering all the additional responsibilities on brokers' plates, that's impressive... See Full July Issue

Clothing retailer TJX and data brokers Reed Elsevier and Seisint have settled Federal Trade Commission charges that each engaged in practices that collectively failed to provide reasonable and appropriate security for sensitive consumer information.

The settlements will require that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years, according to the FTC.

No fines were levied in this case.

According to the FTC complaint, TJX, with more than 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks.

Last March , TJX. said computer hackers stole credit card from at least 45.7 million credit and debit cards over an 18-month period beginning in Dec. 2002.

In a filing with the Securities and Exchange Commission, the parent firm of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores admitted it discovered this apparent breach on Dec. 18, 2006.

Also stolen during the period were drivers' license numbers and other personal data on 455 million people. This personal information was collected by TJX from customers who returned merchandise without a receipt (Direct Newsline, March 30, 2007).

Specifically, the FTC charged that TJX:

* Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text.

* Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization.

* Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers and networks.

* Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet.

* Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.

In its action against Reed and Seisint, the Commission alleged that Reed--through its LexisNexis unit--and Seisint collected and stored in databases information about millions of consumers such as names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers.

They obtained information about consumers from credit reporting agencies and other sources, and sold products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords to control customer access to consumer information in their databases, the FTC continued.

The complaint further alleged that, among other security failures, they allowed customers to use easy-to-guess passwords to access Seisint’s “Accurint” databases. The databases contained sensitive consumer information including drivers license numbers and Social Security numbers.

According to the FTC, alleged identity thieves exploited these security failures, and through multiple breaches obtained access to sensitive information about at least 316,000 consumers from Accurint databases. The alleged identity thieves used the information to activate credit cards and open new accounts, and made fraudulent purchases on the cards and new accounts. REED acquired Seisint in late 2004, and the breaches continued for at least nine months afterward, during which time Reed controlled Seisint’s practices.

The agency charged that Seisint and Reed:

* Failed to make Seisint user credentials hard to guess.

* Failed to require periodic changes of Seisint user credentials.

* Failed to suspend credentials after a certain number unsuccessful log-in attempts.

* Allowed Seisint customers to store their credentials in a vulnerable format in cookies on their computers.

* Failed to require Seisint customers to encrypt or protect credentials, search queries or search results in transit between customer computers and Seisint Web sites.

* Allowed customers to create new user credentials without confirming that the new credentials were created by customers rather than alleged identity thieves.

* Permitted users to share credentials.

* Did not adequately assess the vulnerability of Seisint’s Web applications and computer network to commonly known attacks.

* Did not implement simple, low-cost, and readily available defenses to such attacks.

The settlement with TJX requires the firm to establish and maintain a comprehensive program reasonably designed to protect the security, confidentiality and integrity of personal information it collects from or about consumers, according to the FTC.

The settlement with Reed and Seisint requires them to establish and maintain comprehensive security programs to protect personal information that is in whole or part nonpublic information. The settlements require the programs to contain administrative, technical, and physical safeguards appropriate to each company’s size, the nature of its activities and the sensitivity of the personal information it collects, according to the FTC.

The FTC said that, specifically, the companies must:

* Designate an employee or employees to coordinate the information security program.

* Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place.

* Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness.

* Develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies.

* Evaluate and adjust their information security programs to reflect the results of monitoring any material changes to their operations, or other circumstances that may impact the effectiveness of their security programs.

The settlements also require the companies to retain independent, third-party security auditors to assess their security programs on a biennial basis for the next 20 years. The auditors will be required to certify that the companies’ security programs meet or exceed the requirements of the FTC’s orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers’ personal information is being protected.
The FTC coordinated its investigation of TJX with 39 state Attorneys General, lead by the office of the Massachusetts Attorney General.