ChoicePoint to pay $15 million over data breach

Bob Sullivan Technology correspondent • Profile • E-mail

ChoicePoint Inc. will pay $15 million to settle charges that it failed to protect consumers' personal information, the Federal Trade Commission announced Thursday. It is the largest civil penalty over data security in the agency's history.

In addition to a $10 million fine, ChoicePoint will also create a $5 million fund to help consumers who became victims of identity theft after the data warehouser sold information on 163,000 consumers to an alleged crime ring.

"This is an important victory for consumers and an opportunity for ChoicePoint to get data security right," FTC chairman Deborah Platt Majoras said.

Last February, ChoicePoint revealed that criminals had stolen personal information on over 145,000 consumers, a number that later rose slightly. The incident touched off a flurry of data loss disclosures from a wide variety of corporations and other organizations. In all, there were some 25 major disclosures, with information on 52 million individuals exposed, according to The Privacy Rights Clearinghouse, which keeps a running tally. Thursday's announcement marks the first fine connected to any of these security breaches.

The ChoicePoint disclosure was significant not only for its scale but for the light it shed on the growing data broker industry. ChoicePoint is a giant in the field, amassing databases of background information on virtually every U.S. citizen, including Social Security numbers and credit reports. The Alpharetta, Ga.-based company then sells such personal information to government agencies and private companies.

The FTC's complaint against ChoicePoint paints a picture of a firm that was selling data to all comers, even after obvious signs of trouble. Law enforcement agencies began to warn ChoicePoint of fraudulent activity back in 2001, the complaint alleges.  ChoicePoint continued to sell data to companies with expired business licenses, with canceled telephones and after employees signaled them out as suspicious. The firm even continued to supply credit reports to the crime ring after the fake accounts it had set up were suspended by ChoicePoint for non-payment, the complaint says. It was made public for the first time at a news conference in Washington on Thursday.

ChoicePoint admitted no wrongdoing in agreeing to the settlement, but CEO Derek Smith said the company has made several procedural changes as a result of the incident.

"ChoicePoint and, indeed the entire industry, has learned a great deal,” Smith said in a statement. “The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information and, as a direct result of those lessons learned, we have, for the past several months, been in the process of implementing nearly all of the changes reflected  in today’s settlement with the Federal Trade Commission."

800 victims of ID theft
Majoras said 800 consumers had become victims of identity theft as a result of the ChoicePoint data breach, which was first revealed by MSNBC.com on Feb. 14, 2005.

The fine sends a strong message to America's companies, Majoras said. Majoras said ChoicePoint violated the Fair Credit Reporting Act by giving consumer credit information to people who didn't have a "permissible purpose" for the information.

"Companies are starting to realize it is a bad business practice to ignore the security of consumer data," she said.

MORE FROM SECURITY

Security Section Front

Facebook gives users more privacy controls Surprise! Merchants say Web fraud is down Facebook forms board on online safety Man in stolen cell phone pic turns himself in Teen Internet addicts more likely to self harm Beware of online ‘Breaking Dawn’ casting scam Web ad group launches privacy education effort Facebook to overhaul privacy structure Avoid flirty patients on Facebook, doctors told ‘Black screen of death’ for some Windows users Security Section Front   Add Security headlines to your news reader: