ChoicePoint to pay 15 million US for data breach

ChoicePoint Inc., the data broker that set off a national debate after disclosing a data breach early in 2005, will pay US$15 million in fines and other penalties for lax security standards, the U.S. Federal Trade Commission (FTC) announced Thursday.

ChoicePoint’s $10 million fine is the largest civil fine in the FTC’s history, the FTC said. Under a settlement with the FTC, the Georgia company will also set up a $5 million fund to aid victims of identity theft that resulted from the data breach, and the company has agreed to implement new security measures and have an independent auditor review its security every other year until 2026, said FTC Chairwoman Deborah Platt Majoras.

“This is an important victory for consumers and an equally important opportunity for ChoicePoint to get data security right,” Majoras said. “Companies like ChoicePoint are realizing now that it is a bad business practice to ignore the security of customer data.”

Last February, ChoicePoint announced that scammers had set up bogus businesses and contracted with the company to gain access to the personal information of 145,000 U.S. residents. The company, which found out about the breach in September 2004, later said the number of affected people was 163,000.

ChoicePoint was notified by law enforcement officials of potentially fraudulent activity as early as 2001, the FTC said. “This breach occurred because ChoicePoint failed to implement reasonable and appropriate procedures for approving new customers and for monitoring existing ones,” Majoras said. “ChoicePoint failed to monitor or otherwise identify fraudulent customer activity even after repeated subpoenas from law enforcement.”

ChoicePoint holds billions of personal records, including credit histories, Social Security numbers and employment histories. The company provides background checks for more than 50,000 businesses and government agencies, and in most cases, the company does not notify the people whose records it sells.

About 800 people have so far been identified as victims of ID theft-related crimes in connection with the ChoicePoint breaches, Majoras said.

ChoicePoint, in a press release, said it has taken several steps to improve security since the data breach was announced, including the hiring of an independent credentialing, compliance and privacy officer. The company has also stopped selling products containing sensitive personal information in some markets, it said.

“The events of early 2005 provided critical lessons from which ChoicePoint and, indeed the entire industry, has learned a great deal,” Derek V. Smith, ChoicePoint chairman and chief executive officer, said in a statement. “The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information and, as a direct result of those lessons learned, we have, for the past several months, been in the process of implementing nearly all of the changes reflected in today’s settlement.

“I firmly believe that the changes we’ve implemented in the past year were not only the right thing for this company to do, but are equally important for the entire industry to consider,” Smith added.

The FTC alleged that ChoicePoint turned over sensitive personal information to subscribers whose applications raised obvious “red flags.” ChoicePoint approved contracts with customers who used commercial mail drops as business addresses and reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies, the FTC said.

The FTC charged that ChoicePoint violated the U.S. Fair Credit Reporting Act (FCRA) by giving credit histories to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify subscriber identities.

The agency said that ChoicePoint also violated the U.S. FTC Act outlawing unfair and deceptive business practices by making false and misleading statements about its privacy policies. Among the company’s past privacy statements: “ChoicePoint allows access to your consumer reports only by those authorized under the FCRA” and “Every ChoicePoint customer must successfully complete a rigorous credentialing process. ChoicePoint does not distribute information to the general public and monitors the use of its public record information to ensure appropriate use.”

ChoicePoint’s data breach announcement in February, spurred by a 2003 California breach notification law, was the first of dozens of such announcements in 2005. More than 20 states have since passed breach notification laws, and the U.S. Congress is considering a national law.