ChoicePoint to pay $10M to settle last breach-related lawsuit

Computerworld - Data broker ChoicePoint Inc. has agreed to pay $10 million to settle the last remaining class-action lawsuit filed against the company in connection with a data breach disclosed in early 2005 in which the personal information of more than 160,000 people was exposed.

Alpharetta, Ga.-based ChoicePoint announced the settlement last Thursday, along with its financial results for last year's fourth quarter (download PDF). ChoicePoint said it didn't admit to any liability for the breach as part of the settlement, which is still subject to court approval.

According to a company spokesman, the legal settlement involves a shareholder lawsuit filed against ChoicePoint in U.S. District Court in Georgia. All of the other lawsuits brought against the company in connection with the data breach had previously been settled, dismissed or otherwise resolved, the spokesman said.

Separately last week, ChoicePoint disclosed that the U.S. Securities and Exchange Commission has concluded a breach-related investigation that included a probe of stock trades by the company's top two executives, without recommending any enforcement actions against either of them or ChoicePoint itself.

The SEC's investigation involved the sale of nearly $18 million worth of ChoicePoint stock by Chairman and CEO Derek Smith and Douglas Curling, the company's president and chief operating officer, in the months between the initial discovery of the breach in October 2004 and its public disclosure the following February.

Whereas the SEC is letting ChoicePoint off the hook, the Federal Trade Commission two years ago assessed a $10 million civil penalty against the company for violations of the Fair Credit Reporting Act. The FTC said that ChoicePoint had failed to implement reasonable procedures for protecting the billions of personal records -- including the names, Social Security numbers, and bank and credit card information of consumers -- that it collected and maintained.

At the time, FTC Chairman Deborah Platt Majoras described the fine as the largest ever levied by the commission. In addition to the penalty, the FTC ordered ChoicePoint to set up a $5 million trust fund for individuals who might have become identity-theft victims as a result of the breach. ChoicePoint also was required to submit to comprehensive security audits every two years for the next 20 years.

Last May, ChoicePoint reached another agreement with the attorneys general in 43 states and the District of Columbia, under which it promised to make substantial changes in the way it screens and authenticates new customers. As part of that settlement, the company also agreed to pay a total of $500,000 to the states to cover legal fees and costs.

When it disclosed the breach three years ago, ChoicePoint said that no computer systems had been broken into or otherwise compromised. Rather, the data was stolen when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers," the company said.

The breach led lawmakers at both the state and federal levels to call for tougher controls on ChoicePoint and other data aggregators. However, Congress has yet to approve any legislation of that sort.

Read more about security in Computerworld's Security Knowledge Center.