For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Subscribe to
Computerworld 40 years of the most authoritative source of news and information for IT leaders.
FTC imposes $10M fine against ChoicePoint for data breach
or
Other Security Stories
|
|
|
|
January 26, 2006 (Computerworld) -- The U.S. Federal Trade Commission (FTC) has imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. for a massive data security breach that resulted in the compromise of nearly 160,000 consumer records last year (see "ChoicePoint to tighten data access after ID theft").
In addition to the penalty, which FTC Chairman Deborah Platt Majoras described as the largest ever levied by the agency, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach.
As part of its agreement with the FTC, Alpharetta, Ga.-based ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.
"This is an important victory for consumers," Majoras said. "This tells companies that they must protect sensitive consumer information. They must guard the front door as well as guard the back door against hackers."
ChoicePoint provides data to credit providers, government agencies, landlords and others who use personal information to process loans, leases and other contracts. In a statement today (download PDF), Derek V. Smith, the company's chairman and CEO, said the incident "provided critical lessons from which ChoicePoint, and indeed the entire industry, has learned a great deal.
"The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information and, as a direct result of those lessons learned, we have for the past several months been in the process of implementing nearly all the changes reflected into today's settlement," Smith said.
ChoicePoint publicly acknowledged the data theft last February, but the incident itself took place in the fall of 2004. At the time it made the breach public, ChoicePoint said the theft happened when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers."
It also said later that it was taking steps to better protect customer data, pointing to a "rigorous re-credentialing of broad categories of customer accounts" as well as changes including masking or truncating sensitive personal identifier information such as Social Security numbers and driver's license numbers.
The $10 million penalty is being levied for violations of the Fair Credit Reporting Act (FCRA), Majoras said. Though ChoicePoint collected and maintained billions of pieces of consumer data -- including consumer names, Social Security numbers, and bank and credit card information -- the company failed to implement reasonable procedures for protecting the data, she said.
In its decision, the FTC slammed ChoicePoint, saying that it did not have reasonable procedures in place to screen prospective subscribers and that it turned over sensitive personal information to subscribers whose applications raised obvious red flags. The FTC said ChoicePoint approved customers for its service who lied about their credentials and used commercial mail drops as business addresses. In addition, the applicants reportedly used fax machines at public commercial locations to send multiple applications for separate companies.
According to the FTC, ChoicePoint also failed to tighten its application approval procedures or monitor subscribers, even after it got subpoenas from law enforcement authorities alerting it to fraudulent activity that dated to 2001.
The agency also charged that ChoicePoint violated the FCRA by making false and misleading statements about its privacy policies.
Under the agreement with the FTC, ChoicePoint is barred from providing consumer reports to individuals and companies that cannot demonstrate a legitimate need for that information, Majoras said. To ensure compliance with that requirement, ChoicePoint will be required to certify the nature of the business of each of its subscribers and how the consumer information will be used, Majoras said.
ChoicePoint is also required to do site visits to authenticate its subscribers, except in cases where the company might have already done so. The company also must implement reasonable measures to ensure that its subscribers use consumer information in the manner they attest to in their applications, she said.
Until now, the largest civil penalty imposed by the FTC against a company was in March 2003, when the agency imposed a $7 million fine against Boston Scientific for anticompetitive practices.
Read more news and commentary about data breaches:
- Bank tape lost with data on 90,000 customers
- Update: Security breach at Sam's Club exposes credit card data
- New York breach notification law goes into effect
- DSW to beef up computer security in FTC settlement
- TransUnion notifies consumers of data loss
- Lessons learned from corporate security breaches
- Are companies prepared for fallout from a security breach?
- IT Blogwatch - The best IT Blogs on the 'Net: ChoicePoint fined, but not much
- Security Blogs
|
Print this Story |
|
Send Us Feedback |
|
E-mail this Story |
|
Digg this Story |
|
Slashdot this Story |
|
|
|
|
|
|
|
 |
|
All Zones Application Performance Zone Business Continuity Zone Data Center Management Zone Enterprise-Class Security Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone Business Intelligence and Analytics Zone |
 See your link here
|
 |
||||||||
| ||||||||
| ||||||||
| ||||||||
|
Why SaaS is Vital to Email and Web Security
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
Get this white paper now!
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
- Elgan: You can be Batman, too
- Study: IT jobs will drop in 2009
- RIM fixes critical BlackBerry Enterprise Server bug
- More top stories
Security Management ZoneSecurity management is the process of developing a comprehensive data protection plan. It takes into account all potential threats, the existing network environment, the future needs of the organization, and lays out a multi-tiered blueprint to integrate the security technology needed to combat these threats. CDW can help keep your network and data secure. Visit the CDW Security Management Zone now See All Zones
|
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.New baits 
|
"Security Directions" virtual trade show2008's Code-Red Security Issues for Protecting the EnterpriseWebcasts, white papers, demos, and more. Presented in a unique 3-d environment. Enter our show right now! Click here to enter
|
 In SecurityStripping away the trappings of applications, systems and networks, information is the core asset of most organizations. Our columnist describes how asserting the importance of information governance is crucial to making that asset tangible, addressable and protected. Click here to read the latest column by Jon Espenschied |
