ChoicePoint to pay $15M in fines
FTC levies largest penalty in its history for the company's failure to protect consumer privacy.
WASHINGTON (CNN) - The Federal Trade Commission has levied the largest fine in its history against consumer data broker ChoicePoint Inc. for the company's failure to protect consumer privacy and violations of federal laws that resulted in 800 cases of identity theft.
"This is an important victory for consumers and an equally important opportunity for ChoicePoint to get data security right," said FTC Chairman Deborah Platt Majoras.
An FTC statement said the settlement "requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026."
Last February, ChoicePoint announced that fake companies bought information from it, potentially compromising the personal financial records of thousands of consumers.
"At least 163,000 consumers had their personal information compromised and at least 800 of those consumers became victims of identity theft," Majoras said at the news conference.
The incident was first discovered in October 2004, when a law enforcement agency investigating an identity theft crime contacted ChoicePoint. Research by the company revealed that as many as 50 fake firms had registered with ChoicePoint to gain access to consumer data.
"The events of early 2005 provided critical lessons from which ChoicePoint and, indeed the entire industry, has learned a great deal," said a statement from ChoicePoint Chairman and Chief Executive Derek V. Smith.
"The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information and, as a direct result of those lessons learned, we have, for the past several months, been in the process of implementing nearly all of the changes reflected in today's settlement with the Federal Trade Commission," his statement added.
One of the most significant steps the Atlanta-based company has made is to appoint Carol DiBattiste -- a senior law enforcement and security official for both the Clinton and Bush administrations -- as the person who will ensure "not only that the events of 2005 cannot again occur but that ChoicePoint remains the industry leader in screening its customers and protecting its information," the company statement said.
ChoicePoint obtains and sells consumers' personal information -- including their names, Social Security numbers, birth dates, employment information and credit histories -- to more than 50,000 businesses, according to the FTC statement.
The commission charged that the company did not have strong enough procedures to screen prospective subscribers "and turned over consumers' sensitive personal information to subscribers whose applications raised obvious 'red flags,'" the FTC statement said.
The company failed to strengthen its procedures "even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity going back to 2001."
After the FTC news conference Thursday, DiBattiste said ChoicePoint is now "committed to being an industry leader in protecting consumers' sensitive information."
"First, we have taken extreme measures to limit who gets access to the most sensitive consumer personal information," she said.
"Second, even in the product where we provide consumer information, we have truncated or masked the most sensitive of that information. Third, we have tightened and enhanced our credentialing procedures, and what I mean by that is we go to great lengths, through multiple internal and external sources, to verify that our customer is who they say they are, that they are legitimate and that they are using the data for permissible purposes," DiBattiste added.
Are you a victim of identity theft? Click here for how to fix it all.