In January 2007, TJX Companies Inc (TJX) announced that its computer systems had been breached on several occasions dating back to 2005. In March 2007, TJX estimated that 45 million consumer credit and debit accounts were compromised. TJX wholly owns Winners Merchant International LP, which owns and operates Winners and HomeSense stores in Canada.

As a result of these security breaches, several class actions were commenced in the US by affected consumers and financial institutions and the cases were consolidated into two class actions: a Consumer Track and Financial Institutions Track. In September 2007, the Consumer Track reached a settlement with TJX. In the US District Court in Boston a filing was made on October 23, 2007 by the financial institutions alleging that 94 million consumer accounts were compromised - a figure which is almost double the original estimate. A further court filing on October 25, 2007 by the financial institutions alleges that TJX inadequately protected its computer systems by failing to remedy non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) about which TJX was allegedly warned in 2004.

While the US class actions were proceeding, in a parallel development the PCI DSS was discussed by the Canadian Privacy Commissioner in her September 2007 report (Joint Report) issued jointly with the Alberta Privacy Commissioner investigating whether the TJX data breach contravened the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and/or the Alberta Personal Information Protection Act (PIPA). The investigation focused on personal information collected including credit card numbers and expiry dates for processing payments, and the names, addresses, telephone numbers and personal identification numbers, such as drivers' license numbers, of customers making merchandise returns.

The Joint Report found that the collection of drivers' license numbers was excessive and that personal information was retained for longer than necessary to fulfill the given purposes. The PCI DSS was also alluded to in considering whether TJX had reasonable security safeguards to protect personal information. The Joint Report noted that TJX utilized a weak level of encryption and did not take steps to ensure consumer data was secure while converting to a higher level of encryption from October 2005 to January 2007. Additionally, inadequate monitoring systems were found to be in place, as the breach persisted from July 2005 to December 2006. Accordingly, the breach was found to be foreseeable. With respect to current security safeguards, TJX has complied with the Joint Report's recommendations such that the safeguard component of the complaint is "well-founded and resolved".

For more information on the October 23 and October 25 court filings, respectively, visit: http://tinyurl.com/3atl6k and http://tinyurl.com/2ltrzo

For the Canadian Privacy Commissioner's Report of Findings, see: http://www.privcom.gc.ca/cf-dc/2007/TJX_rep_070925_e.asp

For a US Securities and Exchange Commission filing on the TJX Settlement Agreement with the Consumer Track, see: http://tinyurl.com/3avfcz

Summary by: Lauren Lodenquai

E-TIPS® ISSUE

07 11 07

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.