Record Fine for Data Breach

By Arshad Mohammed
Washington Post Staff Writer
Friday, January 27, 2006

Data broker ChoicePoint Inc. yesterday agreed to pay a $10 million federal fine over security breaches that exposed more than 160,000 people to possible identity theft. Privacy experts praised the settlement as a warning to companies to get more serious about protecting sensitive information.

The Alpharetta, Ga.-based company, one of the nation's largest buyers and sellers of personal information such as Social Security numbers, birth dates and addresses, also agreed to pay $5 million into a fund to compensate people who suffered as a result of the breaches.

The Federal Trade Commission, which said the fine was the largest civil penalty it had ever imposed, said ChoicePoint violated consumers' privacy and breaking federal laws by mishandling the information and misleading people about its privacy policy.

ChoicePoint said it did not admit to any of the FTC's charges but was happy to have resolved the matter.

The ChoicePoint case has galvanized public concerns both about the ease with which personal information can be bought and sold and about the lax security procedures at data brokers that last year alone led to security breaches affecting tens of millions of people.

ChoicePoint told about 145,000 people in February that their personal information was obtained from the company by suspected criminals who masqueraded as legitimate businesspeople. Later in the year, it told another 17,000 people that information such as their names, addresses, dates of birth, Social Security numbers and summary credit information had been compromised.

The FTC said the incidents led to at least 800 cases of identity theft, which has been the top type of consumer complaint logged by the agency for the past six years.

Privacy experts said the FTC settlement, which required ChoicePoint to tighten its security procedures and to submit to outside security audits for the next 20 years, was designed to remind companies in the growing business of selling personal information that they must do more to protect consumers.

"It sends a big signal," said Peter Swire, a law professor at Ohio State University who was the Office of Management and Budget's chief counselor for privacy during the Clinton administration. "All major companies that handle personal information will see that the bar is being raised."

Consumer advocates say the prevalence of identity theft in part reflects the failure of many information brokers, retailers and credit issuers to adequately protect records or to do enough to stop criminals who seek them by verifying their identities.

As a part of the settlement, ChoicePoint agreed to take steps to ensure that it provides consumer reports only to legitimate businesses, and it will create an "information security program" to protect the personal information it collects on people.

"The message to ChoicePoint and others should be clear: consumers' private data must be protected from thieves," FTC Chairman Deborah Platt Majoras said in a statement.

"I am gratified we were able to work with the FTC and reach an agreement that protects all parties and am even more pleased that we can now put this chapter behind us," ChoicePoint chief executive Derek V. Smith said in a statement, adding that the company had already begun carrying out nearly all the policy changes demanded by the FTC.

The settlement was announced as ChoicePoint released its fourth-quarter profit, which fell to $27.7 million (30 cents a share), from $39.2 million (43 cents) a year earlier. Revenue rose to $257.9 million from $232.5 million. The company took a charge of about $8.8 million in the quarter because of the settlement with the FTC.

© 2006 The Washington Post Company