ChoicePoint Inc. will pay $15 million to settle Federal Trade Commission (FTC) charges over the data compromise that put it in the center of a media firestorm and pushed data protection to the top of the infosecurity community's priority list last year.
The FTC said in a statement Thursday that ChoicePoint has agreed to pay $10 million in civil penalties and $5 million in consumer redress to settle charges that its security and record-handling procedures violated consumers' privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure it provides consumer reports only to legitimate businesses for lawful purposes; to establish and maintain a comprehensive information security program; and to obtain audits by an independent third-party security professional every other year until 2026, the FTC said.
"The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves," FTC Chairman Deborah Platt Majoras said in a statement. "Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America."
The Alpharetta, Ga.-based company, which specializes in providing personal records to insurance and credit companies, found itself at the heart of a media firestorm last February after disclosing that thieves stole personal financial records of more than 163,000 consumers by setting up fake business requests. The issue of data protection stayed on the media's front burner through 2005, as scores of other organizations were forced to disclose that their networks had been breached and that their customers' personal data had been compromised.
The data thefts motivated many states to pass laws similar to California's Security Breach Information Act (SB-1386), which required ChoicePoint to notify those Californians whose information was compromised. The company eventually informed everyone impacted by the breach. Steve Bell, a partner in the telecom group at New York-based law firm Willkie Farr & Gallagher LLP, said as of late November, 21 states had enacted laws mirroring SB-1386. Thirty-nine other states had either drafted or considered similar legislation at that point, he said at the time.
In today's announcement, the FTC said ChoicePoint lacked reasonable procedures to screen prospective subscribers and turned over consumers' sensitive personal information to subscribers whose applications raised obvious "red flags." The FTC added that ChoicePoint approved as customers people who lied about their credentials and used commercial mail drops as business addresses. In addition, ChoicePoint applicants reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies, the commission said.
The FTC charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by making credit histories available to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information.
The commission also charged that ChoicePoint violated the FTC Act by making false and misleading statements about its privacy policies. "ChoicePoint had publicized privacy principles that address the confidentiality and security of personal information it collects and maintains with statements such as, 'ChoicePoint allows access to your consumer reports only by those authorized under the FCRA …' and 'Every ChoicePoint customer must successfully complete a rigorous credentialing process. ChoicePoint does not distribute information to the general public and monitors the use of its public record information to ensure appropriate use,'" the FTC said.