On Feb. 5, the Rhode Island attorney general’s office confirmed that it is launching a formal investigation of TJX’s data breach, including what caused it, why it wasn’t detected more quickly and why the announcement of it was delayed.
The investigation—technically, a Civil Investigative Demand on the authority of both Rhode Island’s Deceptive Trade Practices Act and its Identity Theft Protection Act of 2005—will likely begin in earnest with its first meeting with TJX officials on Feb. 12 at the attorney general’s office in Providence, said Edmund Murray Jr., a special assistant attorney general who is in charge of the probe.
Both Murray and the department’s public information officer, Michael Healey, said the next stages will be dictated by the facts uncovered during the probe. Typically, though, state AG offices seek compensation for state residents who are trying to defend themselves against identity theft, including credit report costs and possibly money to pay for help processing such claims.
But if conduct established in the probe is severe enough, more substantial options—including a civil lawsuit and possibly criminal charges—could be considered. One key concern, Murray said, is the monthlong delay between the breach’s discovery and when it was announced. Rhode Island law requires that impacted consumers be notified “immediately.” Unfortunately, Murray said, the statute does not define “immediately.”
Although no announcements have been made, the national nature of TJX’s chain makes it likely that other states may want to conduct their own probes.
Read the full story on eWEEK.com: R.I. Attorney General Is TJX’s Latest Headache.
