http://www.eweek.com/article2/0,1895,2091585,00.asp By Evan Schuman Ziff Davis Internet February 7, 2007 Updated: The Massachusetts Attorney General is heading up a group of more than 30 states trying to force answers to how the massive TJX data breach happened. The Massachusetts Attorney General is heading up a group of more than 30 states trying to force answers to how the massive TJX Companies data breach happened. "The scope of this is very broad," Massachusetts Attorney General Martha Coakley said in an interview Feb. 7, a few hours after her office announced the multi-state probe of the apparel and home fashions retailer. "We're going to be looking at appropriate business practices and whether they put consumers at risk." She added that "businesses need to run their businesses, and they need certain amounts of information." Coakley would not identify which states are involved, only saying that "there are at least 30 who are interested in doing this." Recently, Rhode Island announced that it was pursuing its own investigation of TJX. The Rhode Island probe will continue, and Rhode Island is notat this timeparticipating in the multi-state effort led by Massachusetts, said Michael Healy, the public information officer for Rhode Island Attorney General Patrick C. Lynch. Healy added that the first meeting that Rhode Island prosecutors are having with TJX has been delayed two daysfrom Feb. 12 to Feb. 14because TJX officials said they needed more time. The TJX incident was announced in mid-January, and according to TJX statements, discovered in mid-December. That monthlong delay before public disclosure is a key issue in the Massachusetts probe. TJX has also said that the data problem began in mid-May and hadn't been discovered until mid-December, which is also something the Massachusetts group will likely examine. The $16 billion global retail chain owns T.J. Maxx and Marshall's, among other brands. Coakley stressed that her multi-state probe will not be limited to credit- and debit-card transactions, but will look at a wide range of "paperless transactions of financial information," including TJX's retention of driver's license information required to handle in-store receipt-less product returns. An issue that these multi-state data breach probes often focus on is how to compensate consumers' efforts to protect themselves. TJX, for example, has opted to not pay for credit bureau checks for consumers, arguing that such efforts wouldn't be productive in protecting consumers. One area that Rhode Island is exploring is whether retailers should pay for professionals to clean up the accounts of consumers, so consumers do not have to spend hours listening to hold music to clean up a mistake that was someone else's fault. Coakley said that Massachusetts and the other states are also actively considering such options. "It's the whole issue of who pays for the burden" in terms of both cost and time and the "inconvenience." She added: "The states recognize that the time has now come to take a look at this." Retail Center Editor Evan Schuman can be reached at Evan_Schuman (at) ziffdavis.com. Editor's Note: This story was updated to clarify Rhode Island's position with information from Rhode Island Attorney General Patrick C. Lynch. ______________________________________ Subscribe to the InfoSec News RSS Feed http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Wed Feb 07 2007 - 22:46:59 PST