FTC increases security obligations of ChoicePoint
The Federal Trade Commission has punished ChoicePoint for another data breach after the agency concluded the data broker failed to properly implement security measures as prescribed in the wake of its watershed 2005 incident.
The FTC found that ChoicePoint, in April 2008, turned off a security tool that was necessary to monitor access to one of its databases, according to an agency statement on Monday. The tool remained off for four months, and during part of that period, thieves were able to conduct searches of the information repository and gain access to the personal information of 13,750 people, according to the FTC.
Under the settlement, announced Monday, ChoicePoint, now a subsidiary of LexisNexis parent Reed Elsevier, must pay $275,000. In addition, the company must report to the FTC every two months for two years on how it is protecting databases containing personal information.
In a statement, ChoicePoint blamed the 2008 breach on a former government customer, who it said failed to protect the user ID and password that provides access to ChoicePoint's AutoTrack XP product.
The 2008 breach occurred prior to the acquisition by Reed Elsevier and did not involve any customer financial information, the statement said.
The FTC said the failure by the security tool to detect the unauthorized activity was a violation of ChoicePoint's settlement with the agency over its 2005 breach, in which criminals, posing as customers, stole the personal information of 163,000 people. The incident served as a watershed moment in terms of disclosure to victims and creation of state laws around breach notification. ChoicePoint ultimately was ordered to pay $15 million in fines and customer redress to settle charges that its record-handling procedures violated consumers' privacy rights and federal laws.
In the case of the latest breach, ChoicePoint disputed that turning off the monitoring solution was a violation of the 2006 settlement. In the statement, the company said its security improvements predated that agreement and were done on ChoicePoint's own volition, not at the order of the FTC. (ChoicePoint admitted that the tool was temporarily disabled due to "human error.")
"ChoicePoint strives to protect the personal information that it maintains and disseminates so it is not accessed impermissibly," the statement said. "This includes the use of appropriate administrative, physical, and technical safeguards. Over the past several years, ChoicePoint has devoted substantial resources to enhancing the strength and quality of its security policies and practices."
A company spokesman declined further comment Tuesday, referring any questions to the statement.