FTC Reprimands ChoicePoint for Latest Data Breach Incident

ChoicePoint, one of the nation’s largest data brokers, agreed to pay $275,000 to redress consumers this week after the Federal Trade Commission said it failed to adequately safeguard one of its databases, an oversight that exposed the personal information of 13,750 people in 2008.

In an FTC statement released Monday, the agency took ChoicePoint to task for failing to “implement a comprehensive information security program protecting consumers’ sensitive information as required by a previous court order.”

ChoicePoint, now a subsidiary of Reed Elsevier Inc., has a less-than-stellar track record when it comes to protecting personal and financial data.

In 2007, the company agreed to pay $500,000 to 44 states as part of a settlement stemming from a 2005 data breach at the Alpharetta, Ga.-based company that exposed more than 160,000 records.

Following a 2005 incident in which ChoicePoint acknowledged that it was duped into releasing personal data of another 145,000-plus people, divulging social security numbers and credit scores, the company received a court order requiring it to strengthen its security practices and technology.

This time, the FTC alleges ChoicePoint turned off a key electronic security tool used to monitor access to one of its databases. This mistake was compounded by the fact that ChoicePoint officials didn’t notice the security device was disabled for four months, making Social Security numbers and other customer data available to an “unknown person” who conducted unauthorized searches of the database for 30 days.

“Due to human error, for which the company took appropriate action, one of our monitoring tools was temporarily turned off,” ChoicePoint spokesman Nick Ludlum said in an e-mail to InternetNews.com. “We have addressed the issue and added redundancies to try to prevent future human error.”

The FTC said ChoicePoint has now agreed to a modified court order that expands its data security assessment and reporting duties and to pay the $275,000 for consumer redress and other related expenses. It added that ChoicePoint brought the data breach to the FTC’s attention once it discovered the snafu.

The FTC alleged that if the security software tool had been working, ChoicePoint likely would have detected the intrusions much earlier and minimized the extent of the breach.

Under the new modified court order, filed on the FTC’s behalf by the Department of Justice, ChoicePoint must report to the FTC detailed information about how it’s protecting the breached database and other databases every two months for the next two years.

The new court order also extends the record-keeping and monitoring requirements of the 2006 order, and gives the FTC the right to request up to two additional biennial assessments of ChoicePoint’s overall data security program.

This story updates an earlier version, clarifying the FTC’s action and adding comments from ChoicePoint.

News Around the Web