ChoicePoint Agrees to Record Fine to Settle Data Breach Charges

At Least 800 Cases of Identity Theft Arose From Company's Data Breach According to the FTC

Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers' privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026.

"The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves," said Deborah Platt Majoras, Chairman of the FTC. "Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America."

ChoicePoint is a publicly traded company based in suburban Atlanta. It obtains and sells to more than 50,000 businesses the personal information of consumers, including their names, Social Security numbers, birth dates, employment information, and credit histories.

The FTC alleges that ChoicePoint did not have reasonable procedures to screen prospective subscribers, and turned over consumers' sensitive personal information to subscribers whose applications raised obvious red flags. Indeed, the FTC alleges that ChoicePoint approved as customers individuals who lied about their credentials and used commercial mail drops as business addresses. In addition, ChoicePoint applicants reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies.

According to the FTC, ChoicePoint failed to tighten its application approval procedures or monitor subscribers even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity going back to 2001.

The FTC charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports (credit histories) to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information.

The agency also charged that ChoicePoint violated the FTC Act by making false and misleading statements about its privacy policies. ChoicePoint had publicized privacy principles that address the confidentiality and security of personal information it collects and maintains with statements such as, "ChoicePoint allows access to your consumer reports only by those authorized under the FCRA . . ." and "Every ChoicePoint customer must successfully complete a rigorous credentialing process. ChoicePoint does not distribute information to the general public and monitors the use of its public record information to ensure appropriate use."

The stipulated final judgment and order requires ChoicePoint to pay $10 million in civil penalties, the largest civil penalty in FTC history, and to provide $5 million for consumer redress. It bars the company from furnishing consumer reports to people who do not have a permissible purpose to receive them and requires the company to establish and maintain reasonable procedures to ensure that consumer reports are provided only to those with a permissible purpose. ChoicePoint is required to verify the identity of businesses that apply to receive consumer reports, including making site visits to certain business premises and auditing subscribers' use of consumer reports.

The order requires ChoicePoint to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers. It also requires ChoicePoint to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. ChoicePoint will be subject to standard record-keeping and reporting provisions to allow the FTC to monitor compliance. Finally, the settlement bars future violations of the FCRA and the FTC Act. ChoicePoint, however, does not admit any wrongdoing.

In an interview with the Associated Press, ChoicePoint Chief Executive Derek Smith has been quoted as reacting to the situation with what could be described as the understatement of the decade: "Looking back, I certainly wish the situation hadn't occurred."

For a copy of the complaint, see http://www.ftc.gov/os/caselist/choicepoint/0523069complaint.pdf.

For a copy of the Stipulated Final Judgment and Order for Civil Penalties, Permanent Injunction, and Other Equitable Relief, see http://www.ftc.gov/os/caselist/choicepoint/0523069stip.pdf.