The Federal Trade Commission says it will require ChoicePoint Inc., a major supplier of consumer data to the insurance industry, to pay $10 million in civil penalties and $5 million in “consumer redress” to settle charges that data security lapses violated consumers’ privacy rights.
The FTC is calling the fine the largest civil penalty in FTC history.
ChoicePoint, Alpharetta, Ga., says in connection with the settlement that it “does not admit to the truth of, or liability for, any of the matters alleged by the FTC.”
But ChoicePoint has acknowledged that the personal financial records of more than 163,000 consumers were compromised by criminals.
At least 800 cases of identity theft may have resulted from the ChoicePoint data breach, the FTC says.
ChoicePoint reports that the Los Angeles district attorney has “indicted a perpetrator on 22 counts involving 16 victims” in connection with the data breach.
The FTC settlement announced today requires ChoicePoint to implement new privacy procedures, to maintain a comprehensive information security program, and to obtain independent information security audits every other year for the next 20 years.
The settlement bars ChoicePoint from furnishing consumer reports to unauthorized individuals and requires the company to establish and maintain reasonable procedures to ensure that consumer reports are provided “only to those with a permissible purpose,” the FTC says. The company is required to verify the identities of all who receive consumer reports, “including making site visits to certain business premises and auditing subscribers’ use of consumer reports.”
ChoicePoint says it recorded $8.8 million in charges in the fourth quarter of 2005 to reflect the cost of the FTC settlement.
News of the ChoicePoint data breach surfaced in February 2005, when ChoicePoint began notifying more than 30,000 consumers in California that their personal data might have been accessed. California was at that time the only state to have a data breach notification law in place.