FTC rules on TJX Data Breach, WSJ


I woke up this morning and was encouraged to see the FTC continue on its efforts to monitor the technology safeguards of companies in at least a consistent and security-risk minded approach. Now, while I am not a fan of unnecessary regulations and always feel a healthy bit of regular evaluation and expiration is necessary, it is suitable for companies that clearly do not abide by best practices are more closely supervised. This ruling by the FTC is consistent with that which was ruled for ChoicePoint in Georgia.

An interesting point is the scope of the required audit (physical safeguards through digital) and basic controls referenced under PCI. Specifically the FTC charged that TJX:

  • “Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
  • Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
  • Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
  • Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
  • Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.” Press Release by FTC

The additional news, and expected given PCI DSS policies, on the release was that the company would undergo regular future audits separate from the government audit that will extend for 20 years.

Catch the full press release here, the Choicepoint ruling here, and the WSJ article here.
Please post any other articles that expand on this… or your thoughts if the FTC is the right body to do this type of monitoring, as it has been a twist on their established authority.

Best regards,

James DeLuccia


One response to “FTC rules on TJX Data Breach, WSJ

  1. Pingback: PCI Blog - Compliance Demystified » Blog Archive » FTC rules on TJX case

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s