Breach, Compliance Management, Data Security, Incident Response, Privacy, TDR

ChoicePoint settles lawsuit over 2005 breach

Updated on Wednesday, January 30 at 2:59 p.m. EST

ChoicePoint will pay $10 million to settle a class-action lawsuit filed after the data aggregator and credentialing service admitted to a major data breach in 2005.

Under the settlement, announced last week, neither the company nor its executives admitted to any wrongdoing in the breach, in which identity thieves posed as customers to steal more than 160,000 consumer records.

ChoicePoint said in a statement that the payout, which is subject to court approval, is covered by reserved funds. This marks the last bit of pending litigation against the Alpharetta, Ga.-based firm, which has paid out another $45 million since the breach was announced, including $15 million in fines and customer redress ordered by the Federal Trade Commission.

Meanwhile, the federal Securities and Exchange Commission (SEC) announced last week that it has completed its investigation into ChoicePoint and will not take any enforcement action.

The agency was investigating the company after its Chief Executive Officer Derek Smith and Chief Operating Officer Doug Curling profited $16.6 million from stock sales prior to the breach revelation on Feb. 15, 2005.

John Heine, an SEC spokesman, said agency policy is to not comment on matters that are not acted upon in court.

Deepak Taneja, CEO of Aveksa, told SCMagazineUS.com today that the ChoicePoint breach signaled the need for improved corporate governance.

“Every enterprise has a lot of sensitive information assets,” he said. “Security teams and business teams need to work together on appropriate processes to make sure that data is protected and the appropriate people have access to that data.”

ChoicePoint has served as a poster child for data-loss incidents, and company executives have traveled across the country to chronicle their prior shortcomings and how they have worked to fix them, including implementing better customer verification protocols and discontinuing the sale of some consumer data.

Paul Kocher, president and chief scientist of Cryptography Research, said he expects more stringent privacy laws to be passed in the United States, in part because of companies such as ChoicePoint.

“They still have a fundamental conflict of interest,” Kocher told SCMagazineUS.com today. “The basic business model they have is disseminating and charging for people's information, and there's no way they can completely restrict and regulate that practice without affecting their profits.”

Roughly 70 percent of ChoicePoint's revenue is generated by providing consumer records for  insurance claim verifications and workplace background screenings, but the access is governed state and federal regulations, said Aurobindo Sundaram, vice president of information security at ChoicePoint.

"These transactions are all consumer initiated," he told SCMagazineUS.com. "I think the point we wanted to make is we're not a company going around willy-nilly selling data to anyone who wants it."

A small percentage of revenue is derived through the sale of public records to entities such as police departments and corporations, Sundaram said.

"They have to have a good reason to need access to this information," he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.