Choicepoint Identity Theft to Cost Record $15 Million
The FTC gets tough with Choicepoint while the Securities
and Exchange Commission (SEC) has an ongoing investigation
into stock sales made by the top two executives prior to the
public data disclosure last year.
In the largest civil penalty ever levied by the Federal Trade
Commission (FTC), Choicepoint agreed to pay $10 million to settle
the investigation plus another $5 million for "consumer redress".
In addition to the fines, Choicepoint must also establish and maintain
a comprehensive information security program as well as be audited
bi-annually by a 3rd party until 2026.
As a follow-up to our first reporting of Choicepoint's major security
breach, along with other equally large if not larger data breaches in 2005,
the key question facing the other major offenders is whether the FTC will
now use the same "get tough" approach industry-wide.
Is the FTC signaling to the business community a tougher standard
now exists for consumer data protection and enforcement?
While Choicepoint certainly was not the largest offender in 2005, its
business practices, according to the FTC, left the company and
consumers significantly exposed to identity theft:
- Did not have reasonable procedures to screen
  prospective subscribers.
- Turned over consumers’ sensitive personal information
  to subscribers whose applications raised obvious
  “red flags”.
- Failed to tighten its application approval procedures or
  monitor subscribers even after receiving subpoenas
  from law enforcement authorities alerting it to
  fraudulent activity going back to 2001.
- Violated the Fair Credit Reporting Act (FCRA) by
  furnishing consumer credit reports to subscribers
  who did not have a permissible purpose to obtain
  them.
- Failed to maintain reasonable procedures to verify
  both subscriber identities and how they intended to
  use the consumer's information...
- Violated the FTC Act by making false and misleading
  statements about its privacy policies.
Choicepoint, a publicly held company, generated revenues of $1 billion
last year. So, a $15 million settlement is a sharp "slap on the wrist"
but will not materially damage Choicepoint's ability to continue
operations (including being one of the leading suppliers to the
government's Patriot Act data mining efforts). The true financial
impact to Choicepoint will come later when the SEC completes its
investigation into what may be determined to have been illegal stock
sales by the chairman and president before the public disclosures in
2005.
For now, though, the FTC chairman (who was herself an identity
theft victim in 2005) has at least sent a strong message, with a
data broker (Choicepoint), that consumer data must be protected
better.
The question we raised earlier in this article remains
unanswered for now: will the FTC apply the same standard
to larger violators such as CitiFinancial (3.9 million lost
customer credit SSN & address records), Time Warner
(600,000 lost), Bank of America (over 100,000 lost covering
3 separate occasions), or the largest of them all,
Cardsystems Int'l., with over 40 million account holders
impacted?
We'll keep monitoring all of our sources and will notify
you when there's any significant movement to answer that
question (use our subscriber options for automatic updates
expedited straight to you).
So, our tip for today is to take action to ensure your own personal
information is safe against identity theft. Institute a defensive
strategy of personal information denial to parties that do not
require your SSN. Shred old financial statements. Opt out from
the various marketing lists containing your name and address
along with even more sensitive public and non-public information.
Finally, to complement your defensive strategy, deploy an offensive
weapon to proactively guard against undisclosed security
breaches involving your credit and non-credit information.