In two unrelated Federal Trade Commission actions, discount retailer TJX and data brokers Reed Elsevier and Seisint have agreed to settle charges that each engaged in practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information.
The settlements will require that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years.
"By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure," said FTC Chairman Deborah Platt Majoras. "These cases bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information. Information security is a priority for the FTC, as it should be for every business in America."
According to the FTC complaint, TJX, with over 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks. An intruder exploited these failures and obtained tens of millions of credit and debit payment cards that consumers used at TJX's stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores. Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and millions of cards have been cancelled and reissued.
Specifically, the agency charged that TJX:
- Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
- Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
- Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
- Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
- Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.
In the FTC's action against data brokers Reed Elsevier (REI) and Seisint, the complaint alleges that REI - through its LexisNexis data broker business - and Seisint collect and store in databases information about millions of consumers, including names, current and prior addresses, dates of birth, drivers license numbers and Social Security numbers. They obtain information about consumers from credit reporting agencies and other sources, and sell products customers use online to find and retrieve the information from their databases. The companies relied on user IDs and passwords (or "user credentials") to control customer access to consumer information in their databases.
The complaint alleges that, among other security failures, they allowed customers to use easy-to-guess passwords to access Seisint's "Accurint" databases. The databases contained sensitive consumer information, including drivers license numbers and Social Security numbers. Identity thieves exploited these security failures, and through multiple breaches obtained access to sensitive information about at least 316,000 consumers from Accurint databases. The identity thieves used the information to activate credit cards and open new accounts, and made fraudulent purchases on the cards and new accounts. REI acquired Seisint in late 2004, and the breaches continued for at least nine months afterward, during which time REI controlled Seisint's practices.
The agency charged that Seisint and REI:
- Failed to make Seisint user credentials hard to guess;
- Failed to require periodic changes of Seisint user credentials;
- Failed to suspend credentials after a certain number unsuccessful log-in attempts;
- Allowed Seisint customers to store their credentials in a vulnerable format in cookies on their computers;
- Failed to require Seisint customers to encrypt or protect credentials, search queries or search results in transit between customer computers and Seisint Web sites;
- Allowed customers to create new user credentials without confirming that the new credentials were created by customers rather than identity thieves;
- Permitted users to share credentials;
- Did not adequately assess the vulnerability of Seisint's Web applications and computer network to commonly known attacks; and
- Did not implement simple, low-cost, and readily available defenses to such attacks.
The settlement with TJX requires it to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers. The settlement with REI and Seisint requires them to establish and maintain comprehensive security programs to protect personal information that is in whole or part nonpublic information. The settlements require the programs to contain administrative, technical, and physical safeguards appropriate to each company's size, the nature of its activities, and the sensitivity of the personal information it collects.
Specifically, the companies must:
- Designate an employee or employees to coordinate the information security program;
- Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
- Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
- Develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies; and
- Evaluate and adjust their information security programs to reflect the results of monitoring, any material changes to their operations, or other circumstances that may impact the effectiveness of their security programs;
The settlements require the companies to retain independent, third-party security auditors to assess their security programs on a biennial basis for the next 20 years. The auditors will be required to certify that the companies' security programs meet or exceed the requirements of the FTC's orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers' personal information is being protected.
The settlements also contain bookkeeping and record keeping provisions to allow the agency to monitor compliance with its orders.
The FTC coordinated its investigation of TJX with 39 state Attorneys General, lead by the office of the Massachusetts Attorney General, and acknowledges the invaluable assistance of the states in the agency's investigation.
The FTC acknowledges the invaluable assistance of the Hayward, California Police Department and the REACT (Rapid Enforcement Allied Computer Team) Task Force in the agency's investigation of Seisint and REI.