For Release: January
ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress
At Least 800 Cases of Identity Theft Arose From Company’s Data Breach
Consumer data broker ChoicePoint, Inc., which
last year acknowledged that the personal financial records of more than 163,000
consumers in its database had been compromised, will pay $10 million in civil
penalties and $5 million in consumer redress to settle Federal Trade Commission
charges that its security and record-handling procedures violated consumers’
privacy rights and federal laws. The settlement requires ChoicePoint
to implement new procedures to ensure that it provides consumer reports only to
legitimate businesses for lawful purposes, to establish and maintain a
comprehensive information security program, and to obtain audits by an
independent third-party security professional every other year until 2026.
“The message to ChoicePoint and others should
be clear: Consumers’ private data must be protected from thieves,” said Deborah
Platt Majoras, Chairman of the FTC. “Data security is
critical to consumers, and protecting it is a priority for the FTC, as it
should be to every business in America.”
ChoicePoint is a publicly traded company based in
suburban Atlanta. It obtains and
sells to more than 50,000 businesses the personal information of consumers,
including their names, Social Security numbers, birth dates, employment
information, and credit histories.
The FTC alleges that ChoicePoint did not have
reasonable procedures to screen prospective subscribers, and turned over
consumers’ sensitive personal information to subscribers whose applications
raised obvious “red flags.” Indeed, the FTC alleges that ChoicePoint
approved as customers individuals who lied about their credentials and used
commercial mail drops as business addresses. In addition, ChoicePoint
applicants reportedly used fax machines at public commercial locations to send
multiple applications for purportedly separate companies.
According to the FTC, ChoicePoint failed to
tighten its application approval procedures or monitor subscribers even after
receiving subpoenas from law enforcement authorities alerting it to fraudulent
activity going back to 2001.
The FTC charged that ChoicePoint violated the
Fair Credit Reporting Act (FCRA) by furnishing consumer reports – credit
histories – to subscribers who did not have a permissible purpose to obtain
them, and by failing to maintain reasonable procedures to verify both their identities
and how they intended to use the information.
The agency also charged that ChoicePoint
violated the FTC Act by making false and misleading statements about its
privacy policies. ChoicePoint had publicized privacy
principles that address the confidentiality and security of personal
information it collects and maintains with statements such as, “ChoicePoint allows access to your consumer reports only by
those authorized under the FCRA . . . ” and “Every ChoicePoint customer must successfully complete a rigorous
credentialing process. ChoicePoint does not
distribute information to the general public and monitors the use of its public
record information to ensure appropriate use.”
The stipulated final judgment and order requires ChoicePoint
to pay $10 million in civil penalties – the largest civil penalty in FTC
history – and to provide $5 million for consumer redress. It bars the company
from furnishing consumer reports to people who do not have a permissible
purpose to receive them and requires the company to establish and maintain
reasonable procedures to ensure that consumer reports are provided only to
those with a permissible purpose. ChoicePoint is
required to verify the identity of businesses that apply to receive consumer
reports, including making site visits to certain business premises and auditing
subscribers’ use of consumer reports.
The order requires ChoicePoint to establish,
implement, and maintain a comprehensive information security program designed
to protect the security, confidentiality, and integrity of the personal
information it collects from or about consumers. It also requires ChoicePoint to obtain, every two years for the next 20
years, an audit from a qualified, independent, third-party
professional to ensure that its security program meets the standards of the
order. ChoicePoint will be subject to standard
record-keeping and reporting provisions to allow the FTC to monitor compliance.
Finally, the settlement bars future violations of the FCRA and the FTC Act.
This case is being brought with the invaluable assistance of the U.S.
Department of Justice and the Securities and Exchange Commission.
The Commission vote to accept the settlement was 5-0.
NOTE: A stipulated final judgment and order is
for settlement purposes only and does not constitute an admission by the
defendant of a law violation. Consent judgments have the force of law when
signed by the judge.
Copies of the complaint and
stipulated final judgment and order will be available from the FTC’s Web site
at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania
Avenue, N.W., Washington, D.C. 20580. The FTC works for
the consumer to prevent fraudulent, deceptive, and unfair business practices in
the marketplace and to provide information to help consumers spot, stop, and
avoid them. To file a complaint in English or Spanish (bilingual counselors are
available to take complaints), or to get free information on any of 150
consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the
complaint form at http://www.ftc.gov. The FTC
enters Internet, telemarketing, identity theft, and other fraud-related
complaints into Consumer Sentinel, a secure, online database available to
hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.