
Record fine for ChoicePoint data breach

OUT-LAW News, 27/01/2006

US data broker ChoicePoint, which last year warned over 163,000 customers that their personal and financial details may have been fraudulently accessed by identity thieves, has been fined a record $10 million by the Federal Trade Commission.

The firm will pay another $5 million into a fund for consumers affected by the data breach.

ChoicePoint announced last February that it had been targeted by a scam in which fraudsters posed as legitimate companies to gain access to ChoicePoint's massive credit database – normally used by businesses such as credit reference agencies, marketing agencies and insurance firms.

The fraudsters may have viewed consumers’ names, addresses, Social Security numbers and credit reports, the firm warned. In total, according to the FTC, around 163,000 individuals could have been affected, although reports suggest that only 800 consumers have actually become victims of identity theft.

The FTC began an investigation and recently filed charges that the firm’s security and record-handling procedures violated consumers’ privacy rights and federal laws.

The FTC alleged that ChoicePoint did not have reasonable procedures to screen prospective subscribers, and turned over consumers’ sensitive personal information to subscribers whose applications raised obvious ‘red flags’. This included the granting of approval as customers to individuals who lied about their credentials and used commercial mail drops as business addresses.

In addition, ChoicePoint applicants reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies.

According to the FTC, ChoicePoint failed to tighten its application approval procedures or monitor subscribers even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity going back to 2001.

The FTC charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports – credit histories – to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information.

The agency also charged that ChoicePoint violated the Federal Trade Commission Act by making false and misleading statements about its privacy policies. These included comments such as: “ChoicePoint allows access to your consumer reports only by those authorised under the FCRA… ”; and “Every ChoicePoint customer must successfully complete a rigorous credentialing process. ChoicePoint does not distribute information to the general public and monitors the use of its public record information to ensure appropriate use.”

ChoicePoint has now agreed settlement terms with the FTC under which it admits no wrongdoing but is required to pay $10 million in civil penalties – the largest civil penalty in FTC history – and to provide $5 million for consumer redress.

The settlement bars the company from furnishing consumer reports to people who do not have a permissible purpose to receive them and requires the company to establish and maintain reasonable procedures to ensure that consumer reports are provided only to those with a permissible purpose.

As part of this, ChoicePoint is required to verify the identity of businesses that apply to receive consumer reports, including making site visits to certain business premises and auditing subscribers’ use of consumer reports.

The order also requires ChoicePoint to establish, implement, and maintain a comprehensive information security program and to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order.

“The message to ChoicePoint and others should be clear: consumers’ private data must be protected from thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”

In response, ChoicePoint chairman and CEO Derek Smith said: “The events of early 2005 provided critical lessons from which ChoicePoint and, indeed the entire industry, has learned a great deal”.

“The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information and, as a direct result of those lessons learned, we have, for the past several months, been in the process of implementing nearly all of the changes reflected in today’s settlement,” he added.

However, the company is not yet completely off the hook. Private lawsuits have been filed against the firm, and the Securities and Exchange Commission is conducting its own investigation, according to reports.

See: The FTC/ChoicePoint final judgement (29-page / 58KB PDF)
 
Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.