For several years, hackers taking advantage of security holes in the information system of TJX Companies, Inc. stole sensitive credit and debit card information belonging to at least 45.7 million customers. The TJX breach is one of the largest thefts of consumer information in history and is illustrative of the recent wave of security breaches. Private lawsuits against companies that fail to protect consumer information have typically failed. However, the Federal Trade Commission has taken enforcement action against companies that fail to implement reasonable security measures to protect customers’ personal information. These complaints have resulted in settlement agreements requiring the businesses to implement comprehensive security programs, complete with third-party auditing, for up to 20 years. This Article analyzes the various types of legal violations alleged by the FTC in security breach cases, the factors cited as contributing to the violations, and the remedies typically agreed upon when the complaints are settled. This Article also distinguishes the different violations that may result depending on the type of information stolen through a security breach.
Joel B. Hanson, Liability for Consumer Information Security Breaches: Deconstructing FTC Complaints and Settlements, 4 Shidler J. L. Com. & Tech.
Available at: https://digitalcommons.law.uw.edu/wjlta/vol4/iss4/4