United States v. Choicepoint, Inc., FTC File No. 052-3069 (Jan. 26, 2006) (full-text).
Factual Background
ChoicePoint is a publicly traded company based in suburban Atlanta. It obtains and sells to more than 50,000 businesses the personal information of consumers, including their names, Social Security numbers, birth dates, employment information, and credit histories.
In February 2005, ChoicePoint revealed it had sold data on at least 145,000 Americans to criminals posing as officials in legitimate businesses. Contrary to initial press reports, ChoicePoint’s computers were not hacked. Instead, the criminals opened about 50 accounts with the company and accessed the data as customers. The disclosure came as ChoicePoint complied with a California law that requires companies with corporate computer networks that do business with state residents to notify individuals if their unencrypted personal information is acquired by an unauthorized person.
According to testimony to the House Energy and Commerce subcommittee by ChoicePoint’s Chairman and CEO, Derek Smith, a ChoicePoint employee became suspicious in September 2004 during the credentialing process for a prospective small business customer in Los Angeles. According to Mr. Smith, the Los Angeles Police Department was brought in, and at least one individual was arrested and convicted.
Thereafter, ChoicePoint discovered that those involved previously had opened accounts by presenting fraudulently obtained California business licenses and fraudulent documents. After the public disclosure of this data security breach, it became known that a similar incident occurred at ChoicePoint five years earlier.
FTC Complaint
On January 26, 2006, the Federal Trade Commission (FTC) filed a complaint against ChoicePoint, alleging that ChoicePoint did not have reasonable procedures to screen prospective subscribers, and turned over consumers’ sensitive personal information to subscribers whose applications raised obvious “red flags.” The Commission alleged that ChoicePoint approved as customers individuals who lied about their credentials and used commercial mail drops as business addresses. In addition, ChoicePoint applicants reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies. According to the FTC, ChoicePoint failed to tighten its application approval procedures or monitor subscribers even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity going back to 2001.
The FTC charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports — credit histories — to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information.
The agency also charged that ChoicePoint violated Section 5 of the FTC Act by making false and misleading statements about its privacy policies. ChoicePoint had publicized privacy principles that address the confidentiality and security of personal information it collects and maintains with statements such as, “ChoicePoint allows access to your consumer reports only by those authorized under the FCRA . . . ” and “Every ChoicePoint customer must successfully complete a rigorous credentialing process. ChoicePoint does not distribute information to the general public and monitors the use of its public record information to ensure appropriate use.”
Final Judgment and Consent Order
The stipulated final judgment and order requires ChoicePoint to pay $10 million in civil penalties — the largest civil penalty in the FTC's history — and to provide $5 million for consumer redress. It bars the company from furnishing consumer reports to people who do not have a permissible purpose to receive them and requires the company to establish and maintain reasonable procedures to ensure that consumer reports are provided only to those with a permissible purpose. ChoicePoint is required to verify the identity of businesses that apply to receive consumer reports, including making site visits to certain business premises and auditing subscribers’ use of consumer reports.
The order requires ChoicePoint to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers. It also requires ChoicePoint to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. ChoicePoint will be subject to standard record-keeping and reporting provisions to allow the FTC to monitor compliance. Finally, the settlement bars future violations of the FCRA and the FTC Act.
In a subsequent proceeding, ChoicePoint entered into a second stipulated order under which it agreed to pay an additional $275,000 civil penalty.
- Evan Perez, "Identity Theft Puts Pressure on Data Sellers," Wall St. J., Feb. 18, 2005, B1. According to that article, although ChoicePoint cites 145,000 individuals, investigators on the case believe the number may be as high as 400,000.
- David Colker & Joseph Menn, "ChoicePoint Had Earlier Data Leak," L.A. Times, Mar. 2, 2005, C-1.
- Stipulated Final Judgment.
- Stipulated Order.