January 26, 2006 11:29 AM PST

ChoicePoint to pay $15 million over data leak

Data broker ChoicePoint will pay $15 million to settle Federal Trade Commission charges that its lax procedures violated consumer protection laws, the agency said Thursday.

Under the settlement, the Atlanta-based company agreed to hand over $10 million in civil penalties to the FTC, the largest civil fine in the agency's history. It will also provide $5 million to recompense consumers who suffered as a result of ChoicePoint's actions.

In February of last year, the data aggregator acknowledged that its database of consumer records had been accessed by suspected criminals passing themselves off as legitimate customers. The financial data of 163,000 people was exposed in the breach, and at least 800 cases of identity theft arose from it, the FTC noted.

"The events of early 2005 provided critical lessons from which ChoicePoint, and indeed the entire industry, has learned a great deal," Derek Smith, ChoicePoint's chief executive, said in a statement. "The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information."

The FTC had charged ChoicePoint with violating the Fair Credit Reporting Act (FCRA) and with making false and misleading statements about its privacy policies.

It alleged that ChoicePoint, which provides consumer data services to insurance companies, other businesses and government agencies, had supplied sensitive information without making sure applicants had a legitimate need to know it. The data ranged from Social Security numbers to birth dates.

Subscribers were approved even though some lied about their credentials and used a commercial mail drop as a business address, the agency said. In other cases, ChoicePoint would receive multiple faxed applications from the same location, with each form listing the sender as a separate business.

Meanwhile, the company had made public statements such as "ChoicePoint allows access to your consumer reports only by those authorized under the FCRA" and "Every ChoicePoint customer must successfully complete a rigorous credentialing process," the FTC said.

According to the FTC, the data broker failed to tighten up its client screening and monitoring process even after it became aware of fraudulent activity involving some of its subscribers, which dated back to 2001.

As part of the settlement, ChoicePoint must take steps to improve its screening process. It has agreed to verify the identity of any business applying for a subscription and to install a client-monitoring policy that includes site visits and reviewing use of the service. The company is also required to obtain audits by independent third-party security experts every other year until 2026.

Last summer, ChoicePoint said its efforts to overhaul its system and procedures were nearly completed. Among the changes the company has made is the creation of an independent chief officer for credentialing, compliance and privacy.

1 comment

Not nearly enough
I really don't think $5M was enough recompense for those 800 people that had to endure the process of getting their identity and finances back in order.
Posted by sarcasticmama (11 comments )