The US Federal Trade Commission has settled data-breach complaints against retailer TJX and data broker Reed Elsevier, requiring both companies to establish comprehensive information security programmes and submit to biennial data security audits over the next 20 years.
The settlements, announced last week, also require the companies to identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place.
The settlements don't include fines because the FTC doesn't have authority to levy civil fines in violations of the FTC Act, which prohibits unfair business practices. The FTC has asked Congress for the ability to seek civil fines under the FTC Act, an agency spokeswoman said.
The settlement with TJX, which owns TK Maxx stores in the UK, together with TJ Maxx, Marshalls and other retailers in the US, comes in response to a data breach that exposed more than 45 million customers' credit and debit cards. The company reported the 2005 breach last year, and some banks have alleged that the number of cards affected is 94 million.
Reed Elsevier and subsidiaries LexisNexis and Seisint announced in March 2005 that hackers had stolen passwords, names, addresses, Social Security and drivers license numbers of about 32,000 customers. Since then, the number of compromised customers has risen to 316,000.
The FTC has brought a total of 20 complaints against companies that had data breaches. "By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure," FTC Chairman Deborah Platt Majoras said in a statement. "Information security is a priority for the FTC, as it should be for every business in America."
LexisNexis, which acquired Seisint in 2005, has "resolved the issues identified by the FTC," the company said in a statement. The company is "committed to maintaining the enhanced security safeguards that we put in place following the acquisition."
A TJX spokeswoman wasn't immediately available for comment. The company settled several class-action lawsuits related to the breach in September, with some customers getting free credit monitoring and credit insurance and another group getting one or two $30 vouchers.
"TJX has worked diligently with some of the world's best computer security firms to further enhance our computer security," Carol Meyrowitz, the company's president and CEO, said in a statement last month. "We have also continued to work with law enforcement and government agencies and very much want to see the cyber criminals who attacked our computer system brought to justice."