ChoicePoint Inc. will pay $15 million to settle charges that it failed to protect consumers' personal information, the Federal Trade Commission announced Thursday. It is the largest civil penalty over data security in the agency's history.
In addition to a $10 million fine, ChoicePoint will also create a $5 million fund to help consumers who became victims of identity theft after the data warehouser sold information on 163,000 consumers to an alleged crime ring.
"This is an important victory for consumers and an opportunity for ChoicePoint to get data security right," FTC chairman Deborah Platt Majoras said.
Last February, ChoicePoint revealed that criminals had stolen personal information on over 145,000 consumers, a number that later rose slightly. The incident touched off a flurry of data loss disclosures from a wide variety of corporations and other organizations. In all, there were some 25 major disclosures, with information on 52 million individuals exposed, according to , which keeps a running tally. Thursday's announcement marks the first fine connected to any of these security breaches.
The ChoicePoint disclosure was significant not only for its scale but for the light it shed on the growing data broker industry. ChoicePoint is a giant in the field, amassing databases of background information on virtually every U.S. citizen, including Social Security numbers and credit reports. The Alpharetta, Ga.-based company then sells such personal information to government agencies and private companies.
The FTC's complaint against ChoicePoint paints a picture of a firm that was selling data to all comers, even after obvious signs of trouble. Law enforcement agencies began to warn ChoicePoint of fraudulent activity back in 2001, the complaint alleges. ChoicePoint continued to sell data to companies with expired business licenses, with canceled telephones and after employees signaled them out as suspicious. The firm even continued to supply credit reports to the crime ring after the fake accounts it had set up were suspended by ChoicePoint for non-payment, the complaint says. It was made public for the first time at a news conference in Washington on Thursday.
ChoicePoint admitted no wrongdoing in agreeing to the settlement, but CEO Derek Smith said the company has made several procedural changes as a result of the incident.
"ChoicePoint and, indeed the entire industry, has learned a great deal,” Smith said in a statement. “The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information and, as a direct result of those lessons learned, we have, for the past several months, been in the process of implementing nearly all of the changes reflected in today’s settlement with the Federal Trade Commission."
800 victims of ID theft
Majoras said 800 consumers had become victims of identity theft as a result of the ChoicePoint data breach, which was first revealed by MSNBC.com on Feb. 14, 2005.
The fine sends a strong message to America's companies, Majoras said. Majoras said ChoicePoint violated the Fair Credit Reporting Act by giving consumer credit information to people who didn't have a "permissible purpose" for the information.
"Companies are starting to realize it is a bad business practice to ignore the security of consumer data," she said.
Majoras said ChoicePoint failed to properly verify the identity of customers when requesting consumer information, even after the firm received subpoenas from law enforcement about unauthorized activity. The company also ignored other warning signs, the FTC complaint says, including:
- Poor business verification documents, such as delinquent utility bills and residential telephone bills
- Documentation with multiple addresses that contradicted each other
- Illogical application information, such a tax registration information that showed the business or articles of incorporation that had been suspended
- Applications with critical information missing, such as business license number or the applicant's last name
The alleged crime ring also engaged in obvious suspicious behavior, the complaint alleges, such as:
- Furnishing a number of credit reports to an alleged apartment leasing agency that far exceeded the number of rental units the fake firm had indicated on its application
- Continuing to furnish reports even after the applicant's telephone had been disconnected
- Continuing to furnish reports even after the applicant's ChoicePoint account had been suspended for non-payment
- Working with applications even after employees identified application documentation as suspicious
ChoicePoint spokesman James Lee said the company denies several of those assertions as described by the FTC in the complaint — including the allegation that employees had raised red flags — but agreed to the settlement to "put the matter behind us."
Lee also said that the firm disputes the FTC assertion that there have been 800 ID theft victims as a result of the incident; he said only 16 victims have been positively identified.
'Drop in the bucket'
Elizabeth Rosen, the first consumer to step forward after receiving a letter from ChoicePoint indicating her information had been sold to criminals, was angry about the settlement. She said government officials should have contacted her, or other victims, before agreeing to its terms. While a $5 million fund for identity theft victims has been created, Rosen and most others won't qualify because she has yet to find evidence that anyone has opened financial accounts in her name — she only knows her identity was sold by ChoicePoint.
"Do I have to hire a private investigator to find out if I am a victim of identity theft? I get nothing out of this. There's no satisfaction here. I don't like that nobody got any of us involved," she said. "It's still in the back of my mind that someone could have taken out a mortgage in my name and I wouldn't know. ... I've reconciled myself to the fact that I'm nobody and nobody wants to protect me."
ChoicePoint did provide free credit monitoring service to data theft victims, but such services are not not foolproof.
The $10 million penalty is "a drop in the bucket," Rosen said, adding that ChoicePoint still has not told her exactly what information about her was sold to the criminals. The firm has merely sent her a generic background report.
Soon after ChoicePoint revealed the extent of the breach last year, authorities arrested Nigerian-born Olatunji Oluwatosin in connection with the incident. Last month, he plead guilty to charges of conspiracy and grand theft. He is scheduled to be sentenced in February.
ChoicePoint also announced its quarterly results on Thursday. The firm said profits sunk by 29 percent. For the three months ending Dec. 31, ChoicePoint said it earned $27.68 million, or 30 cents a share, compared to a profit of $39.22 million, or 43 cents a share, for the same period a year ago.
Since the ChoicePoint incident, dozens of companies have revealed similar security lapses to consumers. Researcher Larry Ponemon of the Ponemon Institute says about 1 in 9 adult U.S. citizens has received a letter indicating their data has been put at risk by a company.
The data leaks continue, however. In the latest incident, Ameriprise Financial Inc. said Wednesday that a company laptop containing information about 158,000 of its clients had been stolen from an employee’s car.
The disclosures have led to . None have yet reached a floor vote.
While admitting ChoicePoint's procedures needed fixing, Lee said the string of disclosures last year show the company was no different from many other firms that warehouse consumer data.
"At that time no one really knew the magnitude of the issues surrounding consumer information security," he said. "We now know for sure this is not a ChoicePoint problem. This is an economy-wide problem, and we've addressed it."