- Consumer Data Company Pays Record Fine to Settle Privacy Case
- February 23, 2006
- Law Firm: Reed Smith LLP - Pittsburgh Office
ChoicePoint, Inc. has agreed to pay a $10 million civil penalty and another $5 million for consumer redress to settle a case brought by the Federal Trade Commission following disclosure of security breaches.
The settlement includes the largest civil penalty ever issued by the FTC. ChoicePoint, a consumer data broker headquartered in Atlanta with more than 5,500 employees, acknowledged last year that the personal financial records of more than 163,000 consumers in its database had been compromised. The company now must take measures to tighten security and obtain audits to ensure it is complying with the terms of the settlement agreement.
ChoicePoint alerted law enforcement officials last year to "suspicious activity" in Los Angeles. Third parties had gained access to ChoicePoint's data by opening fraudulent accounts, using stolen identities and altering documents. In some cases, parties also used legitimate customer IDs and passwords.
The FTC alleged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer credit histories to subscribers that did not have a permissible purpose to obtain them.
"ChoicePoint did not have reasonable procedures to screen prospective subscribers and turned over consumers' sensitive personal information to subscribers whose applications raised obvious 'red flags,'" the FTC alleged. For example, ChoicePoint customers and applicants lied about their credentials, used commercial mail drops as business addresses, and submitted applications from public commercial fax machines, the agency stated.
ChoicePoint also was charged with violating the FTC Act for allegedly making false and misleading statements about its privacy policies, such as the claim that ChoicePoint only allowed access to personal information by those who are authorized under FCRA to obtain such information.
ChoicePoint responded in public statements that it had settled the matter without admitting fault or liability. The company noted that the security breaches were the result of fraudulent activities of third parties, and that the company had alerted public officials once it learned of the illegal behavior.
ChoicePoint supplies data to businesses and government organizations. Nearly 60 percent of the company's revenue is derived from transactions that consumers request, such as applications for home and auto insurance and employment, and through Internet purchases, the company stated.
The company agreed in its settlement with the FTC to improve its credentialing security by verifying the identity of businesses that apply to receive consumer reports through measures such as site visits to business premises. ChoicePoint also pledged to audit its subscribers' use of consumer reports. The company is required to obtain its own audit from an independent third party, every two years for the next 20 years, certifying the company's security program.
ChoicePoint has taken additional, voluntary measures that include hiring a credentialing, compliance and privacy officer, and retaining Ernst & Young to conduct a best-practices study and recommend further enhancements to the company's practices.
Why This Matters: Identity theft topped the list of most frequent consumer complaints lodged with the FTC last year. Businesses that collect consumer information should be aware that government officials are increasingly concerned about whether businesses comply with industry and legal privacy standards -- as well as whether businesses are living up to their own claims concerning their privacy policies and security standards. But there is an upsetting aspect of this case. If ChoicePoint did indeed "blow the whistle" and come to the FTC with its concerns, it paid a very heavy price for being upfront with the Commission. While there may have been facts that warranted the FTC's aggressive action against ChoicePoint, the outcome certainly puts a chilling effect on reporting problems to government authorities.