The Federal Trade Commission levied a $10 million fine – the largest in its history, the agency said – against information firm ChoicePoint. The FTC also required ChoicePoint to set aside $5 million for consumer redress.
The fees stem from incidents in which ChoicePoint released personal records of more than 163,000 consumers to fraud artists posing as legitimate businesses, as well as to individuals within legitimate corporate clients who misused their access privileges. The breaches were first reported publicly in February 2005.
The final judgment also:
* Outlined verification and certification processes ChoicePoint is required to undertake before furnishing customer reports to either existing or prospective clients;
* Called for ChoicePoint to establish a comprehensive information security program, and to obtain security assessments from an independent security professional once every other year for the next 20 years;
* Required ChoicePoint to make its $10 million payment within seven business days; and
* Required that ChoicePoint establish its $5 million consumer redress fund within 10 business days.
Despite the size of the fine, ChoicePoint should be able to absorb it: According to its fiscal 2005 results, the company netted $162.3 million in income, up from $148 million in 2004. Its revenue jumped from $919 million a year ago to $1.06 billion in 2005. But in the fourth quarter, the company’s net income was $39.7 million, up only slightly from $39.2 million, while its revenue jumped from $224.9 million to $250.4 million.
The company released its year-end financial results shortly before the FTC settlement was announced Wednesday morning.
As for the other requirements, even before the settlement was announced, ChoicePoint offered free credit reports and one year of free credit monitoring to affected consumers. To date, fewer than 10,000 of the potentially affected individuals have taken advantage of the free credit monitoring service ChoicePoint offered, according to Chuck Jones, ChoicePoint’s director of external affairs.
“The events of early 2005 provided critical lessons from which ChoicePoint and, indeed the entire industry, has learned a great deal,” said Derek V. Smith, chairman and chief executive officer, in a statement commenting on the settlement.
Smith noted that subsequent to the breaches ChoicePoint hired Carol DiBattiste to serve as an independent chief credentialing, compliance and privacy officer.
But DiBattiste was hired in March 2005, long after the breaches had been announced. Before then, the FTC alleges, ChoicePoint ignored signs from prospective clients that should have raised red flags. These include approved customers who used mail drops as business addresses, and who faxed in orders from public commercial locations.
The FTC also said “ChoicePoint failed to tighten its [client] application approval procedures or monitor subscribers even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity going back to 2001.”
The two entities take different views on the extent of the damage the breaches caused. In a fact sheet distributed by ChoicePoint, the company said only “the [Los Angeles] County District Attorney has indicted a perpetrator on 22 counts involving 16 victims” and did not mention any other cases. But the FTC claimed “at least 800 cases of identity theft arose from company’s [sic] data breach.”
In response to this, Jones said “ChoicePoint is only aware of 16 individuals who were named as victims by the Los Angeles County District Attorney's Office in the recent prosecution and resulting guilty plea of Oluwatunji Oluwatosin. We have no direct knowledge of any additional ‘victims.’”
Apart from the FTC settlement, Smith and COO Doug Curling are the subject of an inquiry by the Securities and Exchange Commission regarding trades of company stock made by the two company executives. Smith and Curling realized a profit of $16.6 million on stock sold during the time between the internal disclosure that scam artists had received ChoicePoint data and the company’s public disclosure of the sale. ChoicePoint maintains that the stock sale had been arranged and approved before it was alerted to the information breach.




