FTC Lacks Power to Impose Penalties After Massive Security Breaches
More than a year after millions of T.J. Maxx and Marshalls customers found out their credit card information had been hacked into, the discount stores' operator agreed to have its information audited but avoided paying federal fines. TJX was one of three firms that agreed to settle charges that it "failed to provide reasonable and appropriate security for sensitive consumer information," federal regulators said yesterday in two unrelated data-breach decisions. Data broker Reed Elsevier and its Seisint subsidiary also avoided fines but have agreed to obtain third-party audits biennially for 20 years under a separate settlement with the Federal Trade Commission. The FTC did not impose financial penalties against the companies because it lacks the authority to do so. The commission has asked Congress for such authority since 2005.
Companies Avoid Financial Penalties After Massive Computer Data Breaches, Washington Post, March 28, 2008.