RealTime IT News

FTC Slaps Record Fine on ChoicePoint

WASHINGTON - The Federal Trade Commission (FTC) hit data broker ChoicePoint with a $15 million penalty Thursday for failing to adequately protect the consumer information in its databases.

The Atlanta-based ChoicePoint agreed to pay a $10 million fine -- the largest in FTC history -- and to establish a $5 million consumer restitution fund.

"The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves," said FTC Commissioner Deborah Platt Majoris.

Last February, ChoicePoint revealed that an ID theft ring gained access to the company's vital credit information involving more than 160,000 records. Majoris said at least 800 individuals became victims of identity theft as a result of the security breach.

ChoicePoint is a credit report service used by more than 50,000 landlords and merchants to conduct background checks on potential tenants and customers. It also has several law enforcement and government agencies as clients.

The FTC claims that ChoicePoint did not have reasonable procedures to screen prospective clients, turning over consumer personal data to customers whose applications raised obvious red flags.

Majoris said the settlement sends the message to other data brokers that they "must guard the front door through procedures for verifying and identifying customers as well as guard the backdoor against hackers."

The lax security practices cited by the FTC included approving customers who used mail commercial mail drops as business addresses, cell phone numbers as office numbers, accepting payments by money orders drawn on multiple issuers.

In at least one case, ChoicePoint continued to provide consumer reports for a customer whose account was repeatedly suspended for nonpayment.

In addition to financial penalties, the settlement requires ChoicePoint to implement new procedures to ensure that it provides reports only to legitimate businesses for lawful purposes. The company must also establish and maintain a comprehensive information security program subject to third-party audits every other year until 2026.

ChoicePoint Chairman and CEO Derek V. Smith issued a statement claiming he was "gratified we were able to work with the FTC and reach an agreement that protects all parties and am even more pleased that we can put this chapter behind us."

As a result of the settlement, Smith said ChoicePoint took a fourth quarter charge of approximately $8.8 million. In midday trading, ChoicePoint's stock was down $3.05 a share to $43.25. Smith, who is under investigation by the Securities and Exchange Commission for stock sales made shortly before ChoicePoint's disclosure of the massive data breach, also announced Carol DiBattiste as the company's chief credentialing, compliance and privacy officer.

DiBattise, a former senior law enforcement and security officials in both the Clinton and Bush administrations, told reporters Thursday she was "sorry for what happened" and that "fraudsters had beat the process" that "we thought could beat the people who beat us."