Posted on June 24, 2009 by Amy C. Purcell

TJX Reaches Settlement In Data Security Breach Investigation

TJX agreed to pay $9.75 million to forty-one states to settle an investigation of a data breach that it reported in January 2007.  $2.5 million of the settlement amount will be used to create a data security fund for those states whose residents were affected by the data breach.  TJX will pay $7.25 million in settlement and investigation costs.  The settlement requires TJX, among other items, to take specific steps to tighten data security and to provide notice to consumers within ten days in the event of another data security breach.  The settlement also allows state governments to monitor TJX's data security efforts for three years.
 
TJX continues to emphasize that it "firmly believes it did not violate any consumer protection or data security laws."  TJX's chief financial officer, Jeffrey Naylor, stated that the settlement will allow TJX and state attorneys general to take "leadership roles in exploring new technologies and approaches to solving systematic problems in the U.S. payment card industry." 
 
TJX reported that eleven people were arrested on hacking charges, two people pleaded guilty to hacking charges and two people have pleaded guilty to related charges in connection with the data security breach.
Tags: , , , , , ,
Posted on June 19, 2009 by Amy C. Purcell

Eleventh Circuit Court of Appeals Rejects Veterans' Claims For Damages

On June 17, 2009, the Eleventh Circuit Court of Appeals affirmed the decision of the United States District Court for the District of Alabama and held that veterans were not entitled to damages as a result of data security breach.

In February 2007, the Department of Veterans Affairs announced that a computer hard drive, which contained the unencrypted names, social security numbers, birth dates and healthcare files for more than 198,000 living veterans, was missing. Veterans instituted a lawsuit against the VA and claimed that the "stress caused by their fear of identity theft" and "from their loss of trust in the VA" aggravated certain of their medical conditions. The district court granted the VA's motion for summary judgment and dismissed the veterans' claims. The Eleventh Circuit upheld the district court's decision and stated that the veterans were not entitled to monetary damages because they failed to prove "actual damages" or "pecuniary losses". The Eleventh Circuit did, however, remand the case to the district court to order the VA to take certain steps to avoid similar incidents in the future.

Tags: , , , , , , ,
Posted on June 9, 2009 by Amy C. Purcell

Data Breach Sharing Website Started

The risk management technology company, Intersections Inc., and the Identity Theft Assistance Center launched www.Breachcenter.com today.  Breachcenter.com is a website where companies that have suffered data breaches can share their experiences. Instead of focusing on the "technical aspects of breach recovery" or "breach prevention", Breachcenter.com focuses on the "human side" of responding to a data breach. Breachcenter.com serves as a "community-fueled knowledge base" that includes practical information about how to respond to a data breach, including legal obligations to notify consumers who may be affected by the breach.

Tags: , , , , , , ,
Posted on May 1, 2009 by Scott L. Vernick

Heartland To Address Data Breach

Next week, at a meeting of the Payments Processing Information Sharing Council, an organization created to share information about threats, risk mitigation and fraud, Robert O. Carr, chairman and chief executive of Heartland Payments Systems Inc., will discuss the company's recent widely reported data breach. The Payments Processing Information Sharing Council is an offshoot of the Financial Services Information Sharing and Analysis Center, a trade group that assists businesses and government agencies share information about data security issues, including network intrusions. A spokesperson for Heartland stated that the "new organization grew out of Bob Carr's feeling that payment processors needed a forum to share information on breaches like the kind that we experienced. Heartland should be able to share information with others in our industry so that an international cyber thief can't use the same malicious software to penetrate another processor."

Tags: , , , , ,