The Federal Trade Commission says it will require ChoicePoint Inc., a major supplier of consumer data to the insurance industry, to pay $10 million in civil penalties and $5 million in “consumer redress” to settle charges that data security lapses violated consumers’ privacy rights.
The FTC is calling the fine the largest civil penalty in FTC history.
ChoicePoint, Alpharetta, Ga., says in connection with the settlement that it “does not admit to the truth of, or liability for, any of the matters alleged by the FTC.”
But ChoicePoint has acknowledged that the personal financial records of more than 163,000 consumers were compromised by criminals.
At least 800 cases of identity theft may have resulted from the ChoicePoint data breach, the FTC says.
ChoicePoint reports that the Los Angeles district attorney has “indicted a perpetrator on 22 counts involving 16 victims” in connection with the data breach.
The FTC settlement announced today requires ChoicePoint to implement new privacy procedures, to maintain a comprehensive information security program, and to obtain independent information security audits every other year for the next 20 years.
The settlement bars ChoicePoint from furnishing consumer reports to unauthorized individuals and requires the company to establish and maintain reasonable procedures to ensure that consumer reports are provided “only to those with a permissible purpose,” the FTC says. The company is required to verify the identities of all who receive consumer reports, “including making site visits to certain business premises and auditing subscribers’ use of consumer reports.”
ChoicePoint says it recorded $8.8 million in charges in the fourth quarter of 2005 to reflect the cost of the FTC settlement.
News of the ChoicePoint data breach surfaced in February 2005, when ChoicePoint began notifying more than 30,000 consumers in California that their personal data might have been accessed. California was at that time the only state to have a data breach notification law in place.
Attorneys general outside California then demanded that ChoicePoint notify the consumers in their states who might have been affected.
The FTC alleges that ChoicePoint “turned over consumers’ sensitive personal information to subscribers whose applications raised obvious ‘red flags.’”
ChoicePoint approved as customers individuals who lied about their credentials and used commercial mail drops as business addresses, the FTC says.
ChoicePoint failed to tighten its application procedures or monitor subscribers thoroughly even after receiving subpoenas from law enforcement authorities starting in 2001, the FTC says.
But a ChoicePoint spokesperson says that “ChoicePoint exercised due diligence in the verification process at that time” and that the company is continuing to enhance and improve the verification process.
The ChoicePoint spokesperson declined to respond to the FTC’s allegations about ChoicePoint’s response to the subpoenas but maintained that the company has since addressed the application procedure and subscriber monitoring issues.
ChoicePoint lists a number of privacy enhancements that have been made or are being made by the company.
The privacy enhancements include discontinuing sales of products that contain sensitive, personally identifiable information, such as Social Security numbers, in selected markets, at a cost of $15 million to $20 million in revenue; changing processes for distributing sensitive information; establishing a centralized corporate credentialing center; “recredentialing” existing customers; and adding encryption technology.
ChoicePoint also has created an “independent chief credentialing, compliance and privacy officer” position.