ChoicePoint has agreed to pay $15 million in fines and consumer redress to settle Federal Trade Commission charges that its record-handling procedures violated consumers' privacy rights and federal laws, the agency announced today.
The settlement also requires ChoicePoint to implement procedures ensuring that it provides consumer reports only to legitimate organizations, to maintain an information security program and to be audited biennially by an independent, third-party security professional until 2026.
ChoicePoint acknowledged last year that the personal financial information of more than 163,000 customers had been compromised.
Deborah Platt Majoras, FTC chairperson, said Thursday that the settlement should be a lesson that the agency is taking data security seriously.
"The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves," she said. "Data security is critical to consumers, and protecting it is a top priority for the FTC, as it should be to every business in America."
The FTC had alleged that the company did not have reasonable procedures in place to screen companies to which they sent personal information of customers.
The company also failed to monitor subscribers even after receiving law enforcement subpoenas telling them to do so since 2001, the agency had alleged.
The FTC also charged that the company violated the Fair Credit Reporting Act by furnishing credit reports and violated the FTC act by making false and misleading statements about privacy policies.
Derek V. Smith, chairman and chief executive officer of ChoicePoint, said in a statement on Thursday that his company has made significant changes.
"The events of early 2005 provided critical lessons from which ChoicePoint and, indeed the entire industry, has learned a great deal," he said. "The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information, and as a direct result of those lessons learned, we have, for the past several months, been in the process of implementing nearly all of the changes reflected in today's settlement with the Federal Trade Commission."
Smith said the company has also hired Carol DiBattiste, a former law enforcement and security official in both the Clinton and Bush administrations, as its new chief credentialing, compliance and security officer.DiBattiste said information traded by ChoicePoint is now more secure.
"ChoicePoint offers businesses, government agencies and not-for-profit organizations vital information necessary to reduce fraud and make society safer. In order to do this, effectively, we must aggregate and share private consumer information – only with appropriate parties – and I am confident that the changes made and the nearly daily review of our improved procedures will allow us to perform our valuable role with minimal risk to consumers," she said.
Paul Kurtz, executive director of the Cyber Security Industry Alliance, said Thursday that many companies must yet increase information safeguards, saying, "The fact that this is the largest civil penalty in the FTC's long and storied history speaks for itself."
"Companies that do not have adequate information security safeguards in place are risking breaches that not only hurt the brand among customers and investors, but are also increasingly likely to bring unwanted attention from regulators and law enforcement agencies," he said. "This will particularly be the case when the information at stake is confidential personal data on individual consumers."