FTC Makes a Point With ChoicePoint Penalties

Hits firm with largest civil fine ever in data breach case

The Federal Trade Commission last week imposed a $10 million fine, the largest civil penalty ever levied by the agency, on ChoicePoint Inc. for the highly publicized security breach that the data aggregator disclosed last year.

The settlement, which also includes a $5 million payment by ChoicePoint to help victims of the data theft, was the first in which the FTC has fined a company in connection with a security breach. Corporate security managers and several lawyers who specialize in security-related legal matters are viewing the stiff fine as an indication of the increasingly tough stance that the government is taking against businesses that fail to adequately protect sensitive customer information.

And it isn't just companies that suffer actual data breaches that need to be concerned, they warned—businesses unable to demonstrate due diligence on their information security practices could also find themselves being targeted by the FTC.

The financial penalties levied against ChoicePoint were "pretty severe" and should send a sobering message to corporate America, said the director of information security at a specialty retail chain based in California.

The security director, who asked not to be identified, said that "$15 million is not a lot of money for ChoicePoint, but it is far larger than any other fine we have seen so far, and people are calling for still-tougher penalties." The FTC's action drives home the point that Congress and federal officials are waking up to data protection issues, he added.

"There has been a definite change in the FTC's handling and analysis of security breaches," said Christopher Pierson, an attorney at Lewis and Roca LLP in Phoenix. "It appears that the FTC is not going to wait for federal [data security] legislation to come down the pipe and is instead going to take action using existing laws."

The penalties imposed on ChoicePoint are "a seminal reaction regarding information security" on the part of the FTC, said Christopher Ford, an attorney at Alston & Bird LLP in Washington. Future victims of identity theft will be able to point to last week's settlement and say to a company whose data was breached, "Look, you owe me something," Ford said.

The FTC charged that ChoicePoint failed to comply with its data protection obligations under the Fair Credit Reporting Act and made false and misleading statements about its data privacy policies.

In addition to paying the $10 million civil penalty, the Alpharetta, Ga.-based company will set up a $5 million trust fund that will be administered by the FTC for consumers who may have been victimized as a result of the security breach. The financial records of about 162,000 people were potentially compromised.

ChoicePoint also has to establish and maintain a comprehensive information-security program and submit to third-party audits of its data security procedures every two years for the next 20 years, according to the FTC.

Guarding Both Doors

The regulatory action against ChoicePoint puts companies on notice that they "must guard the front door as well as guard the back door against hackers," FTC Chairman Deborah Platt Majoras said during a press conference in Washington.

ChoicePoint didn't admit to any of the FTC's allegations about the company's lack of compliance with security regulations. But in a statement, ChoicePoint CEO Derek Smith said the security breach "provided critical lessons from which ChoicePoint, and indeed the entire industry, has learned a great deal."

Smith added that over the past few months, the company has implemented "nearly all of the changes" required by the FTC. That includes a series of information security measures outlined on the company's Web site last week.

ChoicePoint disclosed the breach last February, saying that it had allowed a group of criminals posing as legitimate customers to gain access to personal information about consumers. The incident at ChoicePoint was the first in a series of high-profile breaches that has put information security squarely in the public eye.

Except for the financial penalties, the FTC's settlement with ChoicePoint is similar to deals it reached with Columbus, Ohio-based shoe retailer DSW Inc. in December and Natick, Mass.-based BJ's Wholesale Club Inc. last June. Both of those companies also agreed to beef up their IT security programs and undergo security audits every two years in the wake of data breaches.

The settlements make it clear that the FTC is willing to escalate security-related enforcement actions, said Michael Overly, an attorney at Foley & Lardner LLP in Los Angeles.

"We knew something big was going to happen" after the DSW and BJ's settlements, Overly said. "The agreement with ChoicePoint shows that [FTC officials] have every intent of continuing with even more force this year."

Security Push

ChoicePoint said it has taken the following technology-related steps to improve security:

- Ensured the systemic implementation of technical, patch management and antivirus standards across its network.

- Began using external Web server scans and application scanning services to reduce security risks.

- Installed various technologies for secure messaging and encryption of databases and external data feeds.

- Achieved compliance with the Payment Card Industry standard for securing credit card data.

Copyright © 2006 IDG Communications, Inc.

  
Shop Tech Products at Amazon