Consumer data broker ChoicePoint has been fined $10 million by the Federal Trade Commission for violating federal law and consumer privacy rights.
In addition to the $10 million fine— largest civil penalty in FTC history— will pay another $5 million in consumer redress.
The company has also created the post of chief credentialing, compliance and privacy officer, hiring Carol DiBattiste, who had been a senior law enforcement and security official for the Clinton and Bush administrations.
The FTC charged that ChoicePoint violated the Fair Credit Reporting Act and misrepresented its privacy policies. The Atlanta-based company misused its database of financial records of 163,000 consumers, selling the data to businesses without properly screening its subscribers. Some subscribers used mail drops as business addresses and used public fax machines to submit multiple applications that claimed to be from separate companies, the FTC said.
The commission said that ChoicePoint didn't tighten its application approval process or monitor subscribers even after it got subpoenas alerting ChoicePoint to fraudulent activity going back to 2001.
The data sold to 50,000-plus businesses included names, Social Security numbers, birth dates, employment information and credit histories.
As part of its penalty, ChoicePoint must develop strict screening processes, maintain a complete security program and submit third-party audits annually until 2026.
"The events of early 2005 provided critical lessons from which ChoicePoint and, indeed the entire industry, has learned a great deal," said ChoicePoint CEO Derek Smith in a statement. "We have, for the past several months, been in the process of implementing nearly all of the changes reflected in [the FTC settlement]. ... I firmly believe that the changes we've implemented in the past year were not only the right thing for this company to do but are equally important for the entire industry to consider."
