ChoicePoints Data Breach Fine Sets Record

The ID verification services vendor's compliance requirements include the largest civil fine from the FTC on record.

ID verification services vendor ChoicePoints breach of personal financial data for more than 163,000 consumers will cost the company $15 million in fines to the Federal Trade Commission—including the largest civil penalty in FTC history.

Under a settlement approved unanimously by the commission, ChoicePoint must also submit to independent security audits every other year for the next 20 years.

The FTC charged that ChoicePoint did not use reasonable procedures to screen subscribers and that its security processes and data handling violated privacy rights and federal laws, including the Fair Credit Reporting Act and the FTC Act.

Under the settlement, ChoicePoint must establish a comprehensive security program and implement new procedures to ensure that only legitimate businesses obtain consumer reports.

New required record-handling procedures aim to ensure that consumer data is not sold to businesses "whose applications raised obvious red flags," the FTC said Thursday.

/zimages/6/28571.gifClick here to read about a data breach bill approved by a Senate panel.

Additionally, every two years until 2026, ChoicePoint must obtain an audit from an independent third party to review the security program.

"The message to ChoicePoint and others should be clear: Consumers private data must be protected from thieves," said Deborah Platt Majoras, FTC chairman.

The fines are broken down into $10 million in civil penalties—the FTCs largest civil fine ever— and $5 million in consumer redress.

According to the FTCs charges, ChoicePoint sold personal financial information to customers who lied about their credentials and listed commercial mail drops as their addresses.

As early as 2001, the company received subpoenas from law enforcement officials warning it of fraudulent activity, but did not tighten its customer approval procedures in response.

Under the Fair Credit Reporting Act, credit histories can be sold only to businesses that have a permissible purpose to buy them. Under the settlement, ChoicePoint must verity the identity of subscribers, audit subscribers use of consumer reports and make site visits to some businesses.

/zimages/6/28571.gifA lawsuit seeks payback for a major data breach at credit card processing company CardSystems Solutions. Read more here.

The FTC Act, which ChoicePoint was also accused of violating, prohibits false and misleading statements about privacy policies.

"I am gratified we were able to work with the FTC and reach an agreement that protects all parties and am even more pleased that we can now put this chapter behind us," said Derek Smith, chairman and CEO of ChoicePoint.

"I firmly believe that the changes weve implemented in the past year were not only the right thing for this company to do but are equally important for the entire industry to consider."

For several months, ChoicePoint has been implementing the changes required in the FTC settlement, narrowing the types of organizations that it sells sensitive personal data to and restricting the sale of some data even to businesses authorized to receive personal information, Smith said. The company also created a chief credentialing, compliance and privacy officer.

ChoicePoint listed a charge of approximately $8.8 million in the fourth quarter as a result of the settlement.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.