ChoicePoint to Pay $15M for Privacy Violations

[David Farber <dave () farber net>]

Begin forwarded message:

From: Evan Korth <korth () cs nyu edu>
Date: January 26, 2006 2:52:06 PM EST
To: Dave Farber <dave () farber net>
Subject: ChoicePoint to Pay $15M for Privacy Violations


http://blogs.washingtonpost.com/securityfix/

Atlanta-based data aggregator ChoicePoint today agreed to pay $15  
million to settle charges that it violated federal consumer  
protection laws when it allowed criminals to purchase sensitive  
financial and personal data on at least 163,000 Americans.

The settlement addresses a pair of lawsuits filed against ChoicePoint  
by the Federal Trade Commission and represents the largest civil  
penalty ever obtained by the agency.

Last February, ChoicePoint acknowledged that crooks had gained access  
to thousand of consumer records by posing as legitimate businesses.  
The FTC said the company violated the Federal Trade Commission Act,  
which prohibits unfair and deceptive business practices, as well as  
the Fair Credit Reporting Act, which requires companies that sell  
consumer credit reports to verify that those buying the information  
have a "permissible reason" for doing so.

Under the agreement, ChoicePoint will pay a $10 million civil fine  
and contribute $5 million to a fund that will be distributed to  
consumers directly affected by the incident. FTC Chairman Deborah  
Platt Majoras said the agency has identified at least 800 consumers  
who experienced identity fraud as a direct result of the ChoicePoint  
breach.

"Companies like ChoicePoint are realizing that it is a bad business  
practice to ignore the security of consumer data," Majoras said. The  
settlement, she said sends the message that companies that deal in  
consumer data "must guard the front door -- through procedures for  
verifying and identifying customers -- as well as guard the backdoor  
against hackers."

The settlement requires ChoicePoint to conduct physical site visits  
of new and existing customers; to conduct security risk assessments  
and audits with a designated third party every two years until 2026.

For background on the ChoicePoint case, read: "ChoicePoint Data Cache  
Became a Powder Keg: Identity Thief's Ability To Get Information Puts  
Heat on Firm" (Post, March 5, 2005), and "ChoicePoint Victims Have  
Work Ahead: Eternal Vigilance Is Price of Credit" (Post, Feb. 23, 2005).

See also ChoicePoint's consumer privacy Web site.

By Brian Krebs | Permalink* | Comments (0) | TrackBack (0)
Posted at 09:52 AM ET, 01/25/2006


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/