The full impact of ChoicePoint’s data breach of two years ago is still being felt. This week, the Federal Trade Commission (FTC) is mailing another 2,400 reimbursement forms to consumers who may be victims of the breach.
Tuesday’s mailing follows FTC notices to 1,500 consumers in April and an initial mailing to 1,400 consumers in December 2006, bringing the total number to 5,300 who have identified as potential victims of the Alpharetta, Ga.-based data broker’s breach.
The victims will be paid from a $5 million consumer restitution fund established by ChoicePoint as a part of its January 2006 settlement with the FTC, which also included a record $10 million fine for not adequately protecting the data.
ChoicePoint admitted in early 2005 that it sold information in 2004 to people who turned out to be identity thieves. ChoicePoint said then the data loss could affect as many as 160,000 consumers.
“ChoicePoint is fully supportive of the FTC’s efforts to identify and assist actual victims of our fraudulent data access incident,” a Choicepoint spokesman told internetnews.com in an e-mail statement. “At the same time, ChoicePoint continues to improve the ways we protect information and privacy, and are working hard to make our products more responsive and transparent to consumers.”
The company was forced to reveal the breach under a California law that requires data collection companies to notify affected individuals if there is a breach of their data. Dozens of states have subsequently approved similar laws. Congress has yet to approve a federal law requiring disclosure to consumers of data breaches.
The lax security practices cited by the FTC included approving customers who used commercial mail drops as business addresses, cell phone numbers as office numbers and accepting payments by money orders drawn on multiple issuers. In at least one case, ChoicePoint continued to provide consumer reports for a customer whose account was repeatedly suspended for nonpayment.
In January 2006, the FTC hit ChoicePoint with a $15 million penalty for failing to adequately protect the consumer information in its databases. The company agreed to pay a record FTC fine of $10 million fine and to establish a $5 million consumer restitution fund.
Earlier this month, ChoicePoint agreed to pay $500,000 to 44 states as part of a settlement stemming from the breach. ChoicePoint also agreed to strengthen its new customer review and credentialing process, marking the first time a data broker has agreed to provide the same protections to publicly available data as it does financial data, which is protected under federal law.
“Since ChoicePoint discovered and assisted law enforcement in the investigation of our 2004 fraudulent data access, our company has devoted enormous resources and time to becoming an industry leader in protecting consumers’ privacy and their personal information,” the ChoicePoint spokesman said. “Many of our harshest critics are now saying that ChoicePoint has become a model of privacy protection.”
According to the FTC, consumers who receive a letter and have out-of-pocket expenses due to identity theft caused by the ChoicePoint security breach should submit claims promptly. Consumers who do not receive a letter, but who believe that they have identity theft-related expenses due to the breach, also may submit a claim by completing the form available on the FTC’s site.