By Evan Schuman
Ziff Davis Internet
February 7, 2007
Updated: The Massachusetts Attorney General is heading up a group of
more than 30 states trying to force answers to how the massive TJX data
The Massachusetts Attorney General is heading up a group of more than 30
states trying to force answers to how the massive TJX Companies data
"The scope of this is very broad," Massachusetts Attorney General Martha
Coakley said in an interview Feb. 7, a few hours after her office
announced the multi-state probe of the apparel and home fashions
"We're going to be looking at appropriate business practices and whether
they put consumers at risk." She added that "businesses need to run
their businesses, and they need certain amounts of information."
Coakley would not identify which states are involved, only saying that
"there are at least 30 who are interested in doing this."
Recently, Rhode Island announced that it was pursuing its own
investigation of TJX.
The Rhode Island probe will continue, and Rhode Island is notat this
timeparticipating in the multi-state effort led by Massachusetts, said
Michael Healy, the public information officer for Rhode Island Attorney
General Patrick C. Lynch.
Healy added that the first meeting that Rhode Island prosecutors are
having with TJX has been delayed two daysfrom Feb. 12 to Feb. 14because
TJX officials said they needed more time.
The TJX incident was announced in mid-January, and according to TJX
statements, discovered in mid-December.
That monthlong delay before public disclosure is a key issue in the
Massachusetts probe. TJX has also said that the data problem began in
mid-May and hadn't been discovered until mid-December, which is also
something the Massachusetts group will likely examine. The $16 billion
global retail chain owns T.J. Maxx and Marshall's, among other brands.
Coakley stressed that her multi-state probe will not be limited to
credit- and debit-card transactions, but will look at a wide range of
"paperless transactions of financial information," including TJX's
retention of driver's license information required to handle in-store
receipt-less product returns.
An issue that these multi-state data breach probes often focus on is how
to compensate consumers' efforts to protect themselves.
TJX, for example, has opted to not pay for credit bureau checks for
consumers, arguing that such efforts wouldn't be productive in
One area that Rhode Island is exploring is whether retailers should pay
for professionals to clean up the accounts of consumers, so consumers do
not have to spend hours listening to hold music to clean up a mistake
that was someone else's fault.
Coakley said that Massachusetts and the other states are also actively
considering such options.
"It's the whole issue of who pays for the burden" in terms of both cost
and time and the "inconvenience." She added: "The states recognize that
the time has now come to take a look at this."
Retail Center Editor Evan Schuman can be reached at Evan_Schuman (at)
Editor's Note: This story was updated to clarify Rhode Island's position
with information from Rhode Island Attorney General Patrick C. Lynch.
Subscribe to the InfoSec News RSS Feed