MyCRMexchange.com

No Fines for Companies over Data Breaches



Presented By: Manatt Phelps and Phillips



Three companies will avoid paying fines to settle federal charges over two separate data breach incidents.

TJX Companies, owner of retail discount chains T.J. Maxx and Marshalls, has settled FTC charges over a security breach last year that exposed at least 45.7 million cards to possible fraud. The company will not have to pay a fine, although it is required to put comprehensive information security programs in place and submit to biannual information audits for 20 years.

In a separate settlement, data broker Reed Elsevier PLC and its Seisint subsidiary struck a similar deal with the agency over a breach involving its LexisNexis unit, agreeing to install information security programs and conduct biannual audits while escaping any fines.

According to a March 27 press release from the agency, it had charged all three companies with failing “to provide reasonable and appropriate security for sensitive consumer information.”
 
In the press release, FTC Chairwoman Deborah Platt Majoras said, “These cases bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information.”

Last March TJX revealed that a security breach of its computer system exposed at least 45.7 million credit cards to possible fraud. In court filings, several banks that have sued TJX over the breach estimated that number at more than 100 million.

In the breach involving Reed Elsevier’s LexisNexis subsidiary, unauthorized individuals using stolen passwords and IDs broke into Seisint databases in 2005 to access personal information about hundreds of thousands of people.

The FTC said it did not fine the companies because it lacks the power to levy fines under the FTC Act. For the last three years it has asked Congress for such authority to no avail.

In January 2006 consumer data provider ChoicePoint Inc. was fined $15 million in a settlement of FTC charges over a security breach. Because ChoicePoint is a credit reporting agency, the agency brought charges under the Fair Credit Reporting Act, which grants it the ability to issue monetary penalties.