Tuesday, October 20, 2009

FTC Slaps ChoicePoint's Wrist (Again)

Information broker ChoicePoint will pay a $275,000 fine and has agreed to strengthened data security requirements as part of an FTC settlement announced Monday. The agency charged that the company failed to implement a comprehensive information security program to protect consumers' sensitive information, as required by a previous court order. The failure left the door open to a 2008 data breach that compromised the personal information of 13,750 people and put them at risk of ID theft, the Commission said.

ChoicePoint, now a subsidiary of Reed Elsevier, switched off a key electronic security tool used to monitor access to one of its databases in April 2008, and for four months failed to detect that the security tool was off, the FTC said. During that time, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. After discovering the breach, the firm brought the matter to the FTC's attention.

The FTC's prior action against ChoicePoint involved a data breach in 2005, which compromised information of more than 163,000 consumers and resulted in at least 800 cases of ID theft. The settlement and resulting 2006 court order required the company to pay $10 million in penalties and $5 million in consumer redress. ChoicePoint also agreed to beef up its security operations and obtain independent assessments every other year until 2026. The new court order extends those record-keeping and monitoring requirements.

Update [5:22 p.m.]: ChoicePoint argued in an e-mail that the FTC incorrectly characterized the monetary payment as a penalty and has since revised its press release. ChoicePoint also said the switching off of a monitoring tool was the result of a human error. The company went on to say that the unauthorized access occurred for a one-month period.