[Dataloss] [update] Massachusetts Leads National TJX Data Probe
security curmudgeon
jericho at attrition.org
Thu Feb 8 02:50:29 EST 2007
---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>
http://www.eweek.com/article2/0,1895,2091585,00.asp
By Evan Schuman
Ziff Davis Internet
February 7, 2007
Updated: The Massachusetts Attorney General is heading up a group of more
than 30 states trying to force answers to how the massive TJX data breach
happened.
The Massachusetts Attorney General is heading up a group of more than 30
states trying to force answers to how the massive TJX Companies data
breach happened.
"The scope of this is very broad," Massachusetts Attorney General Martha
Coakley said in an interview Feb. 7, a few hours after her office
announced the multi-state probe of the apparel and home fashions retailer.
"We're going to be looking at appropriate business practices and whether
they put consumers at risk." She added that "businesses need to run their
businesses, and they need certain amounts of information."
Coakley would not identify which states are involved, only saying that
"there are at least 30 who are interested in doing this."
Recently, Rhode Island announced that it was pursuing its own
investigation of TJX.
The Rhode Island probe will continue, and Rhode Island is not, at this
time, participating in the multi-state effort led by Massachusetts, said
Michael Healy, the public information officer for Rhode Island Attorney
General Patrick C. Lynch.
Healy added that the first meeting that Rhode Island prosecutors are
having with TJX has been delayed two days, from Feb. 12 to Feb. 14, because
TJX officials said they needed more time.
The TJX incident was announced in mid-January, and according to TJX
statements, discovered in mid-December.
That monthlong delay before public disclosure is a key issue in the
Massachusetts probe. TJX has also said that the data problem began in
mid-May and hadn't been discovered until mid-December, which is also
something the Massachusetts group will likely examine. The $16 billion
global retail chain owns T.J. Maxx and Marshall's, among other brands.
Coakley stressed that her multi-state probe will not be limited to credit-
and debit-card transactions, but will look at a wide range of "paperless
transactions of financial information," including TJX's retention of
driver's license information required to handle in-store receipt-less
product returns.
An issue that these multi-state data breach probes often focus on is how
to compensate consumers' efforts to protect themselves.
TJX, for example, has opted to not pay for credit bureau checks for
consumers, arguing that such efforts wouldn't be productive in protecting
consumers.
One area that Rhode Island is exploring is whether retailers should pay
for professionals to clean up the accounts of consumers, so consumers do
not have to spend hours listening to hold music to clean up a mistake that
was someone else's fault.
Coakley said that Massachusetts and the other states are also actively
considering such options.
"It's the whole issue of who pays for the burden" in terms of both cost
and time and the "inconvenience." She added: "The states recognize that
the time has now come to take a look at this."
Retail Center Editor Evan Schuman can be reached at Evan_Schuman (at)
ziffdavis.com.
Editor's Note: This story was updated to clarify Rhode Island's position
with information from Rhode Island Attorney General Patrick C. Lynch.