ChoicePoint Breach Exposed 13,750 Consumer Records
Monday, October 19, 2009; 8:11 PM
ChoicePoint Inc., one of the nation's consumer data brokers, agreed to pay $275,000 to federal regulators as a result of a data breach last year that exposed Social Security numbers and other personal information on 13,750 people.
The agreement comes in response to claims by the Federal Trade Commission that ChoicePoint violated the terms of a settlement reached following a separate data breach at the company in 2005 that led to hundreds of cases of identity theft.
In 2006, ChoicePoint - now a subsidiary of Reed Elsevier Inc - paid $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans. The FTC had sued ChoicePoint, charging that the incident led to at least 800 confirmed identity theft crimes.
ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized individuals used stolen credentials to look up personal information on 13,750 people in one of ChoicePoint's consumer databases.
In a written statement, ChoicePoint blamed the incident on a government customer that failed to properly safeguard one of its user IDs needed to access ChoicePoint's AutoTrack XP Product, which according to the company "references an enormous amount of data - addresses, driver licenses, property deed transfers, corporate information and much more," including court records. ChoicePoint said its customer notified affected consumers shortly after the breach was discovered early last fall.
But the company denies that its failure to leave the monitoring system running violated the terms of the original settlement, saying that its fraud monitoring system pre-dated the 2006 settlement and was adopted on the company's own initiative. The company also notes that the breached database did not contain personal information subject to the Fair Credit Reporting Act - namely, consumer financial information.
Elizabeth Tucci, a trial attorney for the FTC's enforcement division, said the agency has no evidence this time around that the thieves responsible used the information to hijack consumers' identities. But she said companies such as ChoicePoint need to be held accountable because they do not answer to the consumers whose data they sell to third parties.
"ChoicePoint has no direct relationship with the consumer, so the consumer is powerless to prevent this kind of thing," Tucci said. "Because much of this information is sensitive and the fact that the consumer has no control over the sale of that information, [ChoicePoint] was under a mandate to have a very comprehensive security program in place."
ChoicePoint has agreed to pay $275,000 into a fund administered by the FTC for consumer redress. The revised agreement also extends the period of time in which ChoicePoint must report the results of biennial security audits, until the year 2030. The $15 million ChoicePoint agreed to pay in response to the 2005 breach remains the largest civil penalty ever obtained by the agency.
Update, 7:57 p.m. ET: An earlier version of this story incorrectly stated who was responsible for notifying affected customers of the 2008 breach. The above text has been corrected. In addition, the company took issue with my use of the word "blame," saying it merely "outlined the facts and circumstances of the case, which include the fact that the customer provided notice due to its failure to properly safeguard its user ID and password."
Finally, ChoicePoint said that with regard to identity theft crimes, "the FTC advised us in June 2008 that they closed out the consumer redress fund with a final tally as follows: payments were made to 131 consumers."




