The U.S. Federal Trade Commission (FTC) has imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. for a massive data security breach that resulted in the compromise of nearly 160,000 consumer records last year (see "ChoicePoint to tighten data access after ID theft").
In addition to the penalty, which FTC Chairman Deborah Platt Majoras described as the largest ever levied by the agency, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach.
As part of its agreement with the FTC, Alpharetta, Ga.-based ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.
"This is an important victory for consumers," Majoras said. "This tells companies that they must protect sensitive consumer information. They must guard the front door as well as guard the back door against hackers."
ChoicePoint provides data to credit providers, government agencies, landlords and others who use personal information to process loans, leases and other contracts. In a statement today (download PDF), Derek V. Smith, the company's chairman and CEO, said the incident "provided critical lessons from which ChoicePoint, and indeed the entire industry, has learned a great deal.
"The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information and, as a direct result of those lessons learned, we have for the past several months been in the process of implementing nearly all the changes reflected into today's settlement," Smith said.
ChoicePoint publicly acknowledged the data theft last February, but the incident itself took place in the fall of 2004. At the time it made the breach public, ChoicePoint said the theft happened when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers."
It also said later that it was taking steps to better protect customer data, pointing to a "rigorous re-credentialing of broad categories of customer accounts" as well as changes including masking or truncating sensitive personal identifier information such as Social Security numbers and driver's license numbers.
The $10 million penalty is being levied for violations of the Fair Credit Reporting Act (FCRA), Majoras said. Though ChoicePoint collected and maintained billions of pieces of consumer data -- including consumer names, Social Security numbers, and bank and credit card information -- the company failed to implement reasonable procedures for protecting the data, she said.
In its decision, the FTC slammed ChoicePoint, saying that it did not have reasonable procedures in place to screen prospective subscribers and that it turned over sensitive personal information to subscribers whose applications raised obvious red flags. The FTC said ChoicePoint approved customers for its service who lied about their credentials and used commercial mail drops as business addresses. In addition, the applicants reportedly used fax machines at public commercial locations to send multiple applications for separate companies.
According to the FTC, ChoicePoint also failed to tighten its application approval procedures or monitor subscribers, even after it got subpoenas from law enforcement authorities alerting it to fraudulent activity that dated to 2001.
The agency also charged that ChoicePoint violated the FCRA by making false and misleading statements about its privacy policies.
Under the agreement with the FTC, ChoicePoint is barred from providing consumer reports to individuals and companies that cannot demonstrate a legitimate need for that information, Majoras said. To ensure compliance with that requirement, ChoicePoint will be required to certify the nature of the business of each of its subscribers and how the consumer information will be used, Majoras said.
ChoicePoint is also required to do site visits to authenticate its subscribers, except in cases where the company might have already done so. The company also must implement reasonable measures to ensure that its subscribers use consumer information in the manner they attest to in their applications, she said.
Until now, the largest civil penalty imposed by the FTC against a company was in March 2003, when the agency imposed a $7 million fine against Boston Scientific for anticompetitive practices.
Read more news and commentary about data breaches:
- Bank tape lost with data on 90,000 customers
- Update: Security breach at Sam's Club exposes credit card data
- New York breach notification law goes into effect
- DSW to beef up computer security in FTC settlement
- TransUnion notifies consumers of data loss
- Lessons learned from corporate security breaches
- Are companies prepared for fallout from a security breach?
- IT Blogwatch - The best IT Blogs on the 'Net: ChoicePoint fined, but not much
- Security Blogs