Consumer data broker ChoicePoint Inc. has agreed to pay $15 million to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws.
Without admitting any wrongdoing to the FTC, the company will pay $10 million in civil penalties and $5 million in consumer redress to settle charges that it violated the Fair Credit Reporting Act by furnishing consumer credit histories to parties that did not have a permissible purpose to obtain them. The FTC also charged that ChoicePoint violated the FTC Act by making false and misleading statements about its privacy policies.
ChoicePoint also will implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026, according to the FTC.
“The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves,” said FTC chairman Deborah Platt Majoras, in a statement. “Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”
ChoicePoint obtains and sells to more than 50,000 businesses the personal information of consumers, reported the Associated Press — names, Social Security numbers, birth dates, employment information, credit histories, and other data. Last year, the company acknowledged that its database had been compromised by thieves posing as small-business customers, who then obtained personal financial records of more than 163,000 consumers.
The AP noted that the company disclosed the breach to the public in February, more than four months after discovering it; ChoicePoint reportedly asserted that initially, authorities asked the company to keep the news secret.
The now-settled FTC charges alleged that ChoicePoint did not have reasonable procedures to screen prospective subscribers (that is, businesses), and that it turned over consumer information to subscribers whose applications raised obvious “red flags.” The agency alleged that ChoicePoint approved customers that used commercial mail drops as business addresses, and that applicants used fax machines at public commercial locations to send multiple applications for purportedly separate companies.
The FTC also alleged that ChoicePoint failed to tighten its application procedures or monitor subscribers even after receiving subpoenas warning of fraudulent activity going back to 2001.
In a related matter, the Securities and Exchange Commission has launched its own investigation in stock trading by chief executive officer Derek Smith and chief operating officer Doug Curling. The two individuals earned a combined $16.6 million in the months after the company learned of the data breach and before it was made public, according to the AP.