ChoicePoint has settled charges with the attorneys general of 44 states for failing to guard the privacy and security of personal consumer information, in an accord they said goes beyond the firm’s Jan. 2006 settlement with the Federal Trade Commission.
Specifically, the Alpharetta, GA firm must:
*Make significant ongoing changes in its credentialing process for clients that handle sensitive personal information.
*Not misrepresent the extent to which it maintains and protects the security and integrity of personal information.
*Maintain procedures to protect its reports from unauthorized, fraudulent or unauthorized access.
*Perform audits to make sure it properly identifies individuals and businesses requesting information.
*Pay $500,000 to all the states.
States making this agreement are: Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, West Virginia, Wisconsin and the District of Columbia.
In Jan. 2006, the FTC levied a $10 million fine — the largest in its history, the agency said — against ChoicePoint. The Commission also required the company to set aside $5 million for consumer redress (Direct Newsline, Jan. 26, 2006).
The fees stem from incidents in which ChoicePoint released personal records of more than 163,000 consumers to fraud artists posing as legitimate businesses, as well as to individuals within legitimate corporate clients who misused their access privileges. The breaches were first reported publicly in Feb. 2005.
That earlier judgment:
* Outlined verification and certification processes ChoicePoint is required to undertake before furnishing customer reports to either existing or prospective clients.
* Called for ChoicePoint to establish a comprehensive information security program, and to obtain security assessments from an independent security professional once every other year for the next 20 years.
* Required ChoicePoint to make its $10 million payment within seven business days and
* Required that ChoicePoint establish its $5 million consumer redress fund within 10 business days.
Network
