ChoicePoint Hit with Fine for Data Breach

January 27, 2006 – Yesterday, the Federal Trade Commission announced that it had reached a settlement agreement to fine ChoicePoint $10 million. The fine is a result of two data breaches last year that exposed personally identifiable financial data of 160,000 consumers to identity thieves. The exposure led to more than 800 cases of identity theft.

ChoicePoint also agreed to pay $5 million into a fund to compensate those who actually became victims of identity theft due their security breaches.

The FTC said that the fine is the largest single civil penalty it has ever imposed on a company. The agency said that ChoicePoint had violated federal laws by mishandling consumer data and misleading consumers on matters of the company’s privacy policy.

ChoicePoint is one the country’s largest data brokers. Companies engaged in this business buy and sell consumer data including names, addresses and Social Security Numbers. ChoicePoint’s database contains this information on most Americans. The data is highly sensitive and can easily be used for identity theft if it falls into the wrong hands.

Last February, ChoicePoint was forced by a California law to begin notifying consumers that their data had been exposed to potential identity thieves. The company was less than honest in its initial announcement, saying that only the data of 30,000 Californians had been exposed. But due to public pressure and media attention, the company was forced to change its story, revising the announcement to say that the data of 145,000 consumers spread across the entire country had actually been exposed. Later in the year, the company experienced a small breach, exposing another 17,000 people.

This first incident has been the impetus behind an effort to more heavily regulate data brokers. It has lead to the passage of laws similar to California’s in twenty states.

Because of the efforts of the states to regulate the industry, ChoicePoint and their competitors have started lobbying Congress. They want Congress to impose much less stringent federal regulations on the industry, and to take the right to regulate the industry away from the states. Unfortunately, the FTC is backing these efforts.

While a variety of privacy rights organizations have come out in support of the action against ChoicePoint, ACCESS is forced to take a much more cynical view. We believe that the fine may simply be an effort by both ChoicePoint and the FTC to show the public that federal regulators can be tough and that state regulation is really not required.

ACCESS disagrees. If not for California’s law, the ChoicePoint incident never would have come to the public’s attention. And if the standard that Congress is currently discussing becomes law, future data breaches are unlikely to become public. Under the most likely federal proposal to become law, all regulatory authority for data brokers would become the responsibility of the FTC. This is the same organization that is currently responsible for stopping identity theft; something which they already proven that they are incapable of doing.

It should also be pointed out that while ChoicePoint’s fine may be the largest in FTC history, it may be inadequate to deal with this incident. It is quite likely that there will be additional cases of identity theft as a result of these two breaches and that exposed consumers will be at risk for years to come.

ACCESS believes that consumers have the right to know when their personal data is mishandled, and that the states should have the right to continue to regulate industry practices within their borders.

Technorati Tags : identity+theft, id+theft, privacy, private, privacy+law, FTC, federal+trade+commission, choicepoint, lexis-nexis, data+brokers, data+brokerage