The group, which owns the 226-store UK-based TK Maxx chain, will have to implement comprehensive information security programmes and obtain audits by independent third-party security professionals every two years for 20 years.
TJX was the 20th firm charged by the FTC with leaving customer data unprotected. "By now the message should be clear - companies that collect sensitive consumer information have a responsibility to keep it secure," said FTC chairman Deborah Platt Majoras. "Information security is a priority for the FTC, as it should be for every business."
The Commission charged TJX with failing to use "reasonable and appropriate security measures to prevent unauthorised access to personal information on its computer networks".
It said an intruder had exploited these failures and obtained details of tens of millions of credit and debit payment cards used by consumers at TJX's stores, as well as the personal information of about 455,000 consumers who returned merchandise to the stores.
Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and that millions of cards have had to be cancelled and reissued.
The settlement requires TJX "to establish and maintain a comprehensive security programme reasonably designed to protect the security, confidentiality and integrity of personal information it collects from or about consumers".
TJX sales for the four weeks to 1 March were up 6% to $1.3bn compared with the same period last year, and also rose in the quarter after the hack was reported.
In a separate settlement, the FTC required data broker Reed Elsevier Inc (REI), Computer Weekly's parent company, and Seisint to "establish and maintain comprehensive security programmes to protect personal information that is, in whole or part, non-public information. The settlements require the programmes to contain administrative, technical and physical safeguards appropriate to each company's size, the nature of its activities, and the sensitivity of the personal information it collects".
The settlements follow an FTC complaint that, among other security failures, the companies allowed customers to use easy-to-guess passwords to access Seisint's Accurint databases.
"The databases contained sensitive consumer information, including driver's licence numbers and social security numbers," the FTC said. "Identity thieves exploited these security failures, and through multiple breaches obtained access to sensitive information about at least 316,000 consumers from Accurint databases.
"The identity thieves used the information to activate credit cards and open new accounts, and made fraudulent purchases on the cards and new accounts. REI acquired Seisint in late 2004, and the breaches continued for at least nine months afterward, during which time REI controlled Seisint's practices."