TJX agreed to pay $9.75 million to forty-one states to settle an investigation of a data breach that it reported in January 2007. $2.5 million of the settlement amount will be used to create a data security fund for those states whose residents were affected by the data breach. TJX will pay $7.25 million in settlement and investigation costs. The settlement requires TJX, among other items, to take specific steps to tighten data security and to provide notice to consumers within ten days in the event of another data security breach. The settlement also allows state governments to monitor TJX’s data security efforts for three years.
TJX continues to emphasize that it “firmly believes it did not violate any consumer protection or data security laws.” TJX’s chief financial officer, Jeffrey Naylor, stated that the settlement will allow TJX and state attorneys general to take “leadership roles in exploring new technologies and approaches to solving systematic problems in the U.S. payment card industry.”
TJX reported that eleven people were arrested on hacking charges, two people pleaded guilty to hacking charges and two people have pleaded guilty to related charges in connection with the data security breach.