ChoicePoint to pay $15 million over data leak
Settlement with FTC over charges it broke consumer protection laws includes a record $10 million in civil penalties.
Under the settlement, the Atlanta-based company agreed to hand over $10 million in civil penalties to the FTC, the largest civil fine in the agency's history. It will also provide $5 million to recompense consumers who suffered as a result of ChoicePoint's actions.
In February of last year, the data aggregator acknowledged that its database of consumer records had been accessed by suspected criminals passing themselves off as legitimate customers. The financial data of 163,000 people was exposed in the breach, and at least 800 cases of identity theft arose from it, the FTC noted.
"The events of early 2005 provided critical lessons from which ChoicePoint, and indeed the entire industry, has learned a great deal," Derek Smith, ChoicePoint's chief executive, said in a statement. "The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information."
The FTC had charged ChoicePoint with violating the Fair Credit Reporting Act (FCRA) and with making false and misleading statements about its privacy policies.
It alleged that ChoicePoint, which provides consumer data services to insurance companies, other businesses and government agencies, had supplied sensitive information without making sure applicants had a legitimate need to know it. The data included Social Security numbers to birth dates.
Subscribers were approved even though some lied about their credentials and used a commercial mail drop as a business address, the agency said. In other cases, ChoicePoint would receive multiple faxed applications from the same location, with each form listing the sender as a separate business.
Meanwhile, the company had made public statements such as "ChoicePoint allows access to your consumer reports only by those authorized under the FCRA" and "Every ChoicePoint customer must successfully complete a rigorous credentialing process," the FTC said.
According to the FTC, the data broker failed to tighten up its client screening and monitoring process even after it became aware of fraudulent activity involving some of its subscribers, which dated back to 2001.
As part of the settlement, ChoicePoint must take steps to improve its screening process. It has agreed to verify the identity of any business applying for a subscription and to install a client-monitoring policy that includes site visits and reviewing use of the service. The company is also required to obtain audits by independent third-party security experts every other year until 2026.
Last summer, ChoicePoint said its efforts to overhaul its system and procedures were nearly completed. Among the changes the company has engaged in is the creation of an independent chief officer for credentialing, compliance and privacy.