The firm will pay another $5 million into a fund for consumers affected by the data breach.
ChoicePoint announced last February that it had been targeted by a scam in which fraudsters posed as legitimate companies to gain access to ChoicePoint's massive credit database – normally used by businesses such as credit reference agencies, marketing agencies and insurance firms.
The fraudsters may have viewed consumers’ names, addresses, Social Security numbers and credit reports, the firm warned. In total, according to the FTC, around 163,000 individuals could have been affected, although reports suggest that only 800 consumers have actually become victims of identity theft.
The FTC began an investigation and recently filed charges that the firm’s security and record-handling procedures violated consumers’ privacy rights and federal laws
The FTC alleged that ChoicePoint did not have reasonable procedures to screen prospective subscribers, and turned over consumers’ sensitive personal information to subscribers whose applications raised obvious ‘red flags’. This included the granting of approval as customers to individuals who lied about their credentials and used commercial mail drops as business addresses.
In addition, ChoicePoint applicants reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies.
According to the FTC, ChoicePoint failed to tighten its application approval procedures or monitor subscribers even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity going back to 2001.
The FTC charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports – credit histories – to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information.
The agency also charged that ChoicePoint violated the Federal Trade Commission Act by making false and misleading statements about its privacy policies. These included comments such as: “ChoicePoint allows access to your consumer reports only by those authorised under the FCRA… ”; and “Every ChoicePoint customer must successfully complete a rigorous credentialing process. ChoicePoint does not distribute information to the general public and monitors the use of its public record information to ensure appropriate use.”
ChoicePoint has now agreed settlement terms with the FTC under which it admits no wrongdoing but is required to pay $10 million in civil penalties – the largest civil penalty in FTC history – and to provide $5 million for consumer redress.
The settlement bars the company from furnishing consumer reports to people who do not have a permissible purpose to receive them and requires the company to establish and maintain reasonable procedures to ensure that consumer reports are provided only to those with a permissible purpose.
As part of this, ChoicePoint is required to verify the identity of businesses that apply to receive consumer reports, including making site visits to certain business premises and auditing subscribers’ use of consumer reports.
The order also requires ChoicePoint to establish, implement, and maintain a comprehensive information security program and to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order.
“The message to ChoicePoint and others should be clear: consumers’ private data must be protected from thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”
In response, ChoicePoint chairman and CEO Derek Smith said: “The events of early 2005 provided critical lessons from which ChoicePoint and, indeed the entire industry, has learned a great deal”.
“The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information and, as a direct result of those lessons learned, we have, for the past several months, been in the process of implementing nearly all of the changes reflected in today’s settlement,” he added.
However, the company is not yet completely off the hook. Private lawsuits have been filed against the firm, and the Securities and Exchange Commission is conducting its own investigation, according to reports.
