ChoicePoint fine could indicate tougher FTC enforcement efforts

Computerworld - The $10 million fine imposed today by the Federal Trade Commission on data aggregator ChoicePoint Inc. for a data security breach is yet another indication of the increasingly tough stance the agency is taking on companies that fail to adequately protect sensitive data, legal experts said.
And it's not just companies that suffer data breaches that should be concerned. Those companies that are unable to demonstrate due diligence when it comes to information security practices could also wind up in the FTC's crosshairs, they added.

"There has been a definite change in the FTC's handling and analysis of security breaches," said Christopher Pierson, an attorney at Phoenix-based law firm Lewis and Roca LLP. "It appears that the FTC is not going to wait for federal [data security] legislation to come down the pipe and is instead going to take action using existing laws."
"This is a seminal reaction regarding information security" by the FTC, said Christopher Ford, an attorney at Alston & Bird LLP in Washington. Future victims of identity theft are going to be able to point to this settlement and say, "Look, you owe me something," Ford said. "I think it's a pretty significant precedent that's been set here."
The FTC this morning announced that it has reached an agreement with Alpharetta, Ga.-based ChoicePoint in a data theft case that took place in the fall of 2004 (see "FTC imposes $10M fine against ChoicePoint for data breach"). At the time it made the breach public in February 2005, ChoicePoint said the theft happened when "a small number of very-well-organized criminals posed as legitimate companies to gain access to personal information about consumers."
The breach resulted in the compromise of the financial records of more than 163,000 consumers in its databases, over 800 of whom have since become victims of identity theft.
"This is an important victory for consumers," FTC Chairman Deborah Platt Majoras said today in announcing the fine.
Under the settlement announced today, ChoicePoint will pay a fine of $10 million for violating the Fair Credit Reporting Act (FCRA). That law requires companies that furnish credit histories to maintain reasonable procedures for authenticating the identities of those who receive data. The FCRA also requires companies to ensure that the data is used properly.
In addition to the penalty, the largest ever levied by the FTC, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach. ChoicePoint will also have