ChoicePoint Settles With 44 States in Data Losses

Data broker ChoicePoint agreed Thursday to pay $500,000 to 44 states as part of a settlement stemming from a 2005 data breach at the Alpharetta, Ga.-based company. The breach involved more than 160,000 records.

As part of the settlement, ChoicePoint also agreed to strengthen its new customer review and credentialing process, marking the first time a data broker has agreed to provide the same protections to publicly available data as it does financial data, which is protected under federal law.

“With this settlement, ChoicePoint has taken the steps necessary to protect our sensitive personal information, including Social Security numbers,” Vermont Attorney General Sorrell said in a statement. “These stringent requirements will help to prevent unauthorized access to consumers’ personal information and help reduce the incidence of identity theft.”

ChoicePoint , one of the nation’s largest data brokers, is a credit report service used by businesses, government agencies and non-profit organizations. More than 50,000 landlords and merchants use ChoicePoint to conduct background checks on potential tenants and customers.

“The changes we are making as a result of our conversations with the states are clearly good for our business and, we expect, will ultimately be where the entire industry finds itself,” Matt Furman, ChoicePoint’s vice president for corporate communications, said in a statement. “In fact, we will be watching with interest as the attorneys general expand their focus on these critical issues across every sector of our economy.”

In February of 2005, ChoicePoint revealed that an ID theft ring gained access to the company’s vital credit information. According to the FTC, at least 800 individuals became victims of identity theft as a result of the security breach.

The company was forced to reveal the breach under a then first of its kind California law that requires data collection companies to notify affected individuals if there is a breach of their data. Dozens of states have subsequently approved similar laws. Congress has yet to approve a federal law requiring disclosure to consumers of data breaches.

“In the eyes of many of our harshest critics, independent analysts and even previously skeptical U.S. senators, ChoicePoint has become a model of privacy protection,” Furman said. “It is this hard-earned status that allowed us to reach such a fair and reasonable agreement with the attorneys general and we are pleased that their positive view of our efforts is so clearly evident in [Thursday’s] announcement. ”

A year after the breach, the Federal Trade Commission (FTC) hit ChoicePoint with a record $15 million penalty for failing to adequately protect the consumer information in its in databases. The total included a $10 million fine and a $5 million consumer restitution fund.

The lax security practices cited by the FTC included approving customers who used commercial mail drops as business addresses, cell phone numbers as office numbers and accepting payments by money orders drawn on multiple issuers. In at least one case, ChoicePoint continued to provide consumer reports for a customer whose account was repeatedly suspended for nonpayment.

“Identity theft is one of the nation’s fastest growing criminal enterprises,” Texas Attorney General Greg Abbott said in a statement. “With businesses and consumers losing billions of dollars each year, law enforcement must aggressively crack down on identity theft.”

ChoicePoint did not respond to a request for comment.

News Around the Web