ChoicePoint Hit with Largest Civil Penalty in FTC History
ChoicePoint will pay $10 million in a civil penalty and $5 million for a consumer redress fund to settle FTC charges the firm violated federal laws through careless screening and information security procedures. The firm admitted last year that financial records on 145,000 consumers -- now up to 163,000, the FTC estimates -- were compromised by “fraudsters” posing as firms with “permissible purposes” for getting the records (WID March 7 p8). The settlement, the largest in agency history, should warn data brokers and others to “guard the front door… as well as guard the back door” to protect sensitive personal information, or face harsh financial and regulatory consequences, Chmn. Deborah Majoras told a press conference Thurs.
ChoicePoint must apply new procedures to ensure only legitimate businesses get such records and use them for lawful purposes. The settlement also requires the firm to put together an information security program to protect data and get audits from a 3rd-party professional every 2 years through 2026. It must make site visits to “most” businesses applying for consumer information, with exceptions for audited and established businesses that have a record of responsible use of purchased information. The Justice Dept. and SEC assisted in the investigation but haven’t filed criminal charges against ChoicePoint, Majoras said.
The settlement is the end to a long pattern of negligence by ChoicePoint that started in 2001, Majoras said. The firm failed to tighten application approval procedures or monitor subscribers to personal data even after subpoenas that alerted ChoicePoint to fraudulent activity, the FTC complaint said. ChoicePoint missed “red flags” like businesses providing postal drop-off points as addresses and faxing applications from multiple companies from a single Kinko’s, Majoras said. The firm’s privacy policies -- saying ChoicePoint only gives access to consumer records to those authorized by the Fair Credit Reporting Act (FCRA) and its customers go through “rigorous credentialing” -- were misleading given its actual screening practices, and violated the FTC Act, the complaint said.
The Electronic Privacy Information Center (EPIC) asked the FTC to investigate ChoicePoint shortly before the firm publicly said -- complying with Cal.’s data security law -- it was breached (WID Jan 10 p4). Majoras said the Commission didn’t receive complaints about ChoicePoint until the EPIC complaint, but at that point was looking into the data-brokerage industry generally.
Majoras took heat from reporters over the size of the civil penalty, which one called “a drop in the bucket” for a large company like ChoicePoint. “We think this is quite substantial,” she said, reiterating it was the largest civil penalty the FTC has ever imposed; the previous high was $7 million. It’s based on a maximum $2,500 penalty per violation of FCRA and the FTC Act, the severity of the negligence, and whether the offender is a repeat violator. The Commission has verified about 800 victims of actual identity (ID) theft from the breach, but more are expected and they will be paid through the $5 million fund, Majoras said. The agency will choose a contractor to handle payments, she added.
Majoras emphasized the “very strong injunction” placed on the firm: “We need this [data] protection on a going-forward basis,” and for similar firms to “have an incentive, in fact, to implement security programs.” Asked why consumers can’t always have access to sensitive records, Majoras said they can get credit reports under FCRA, but “it’s a complicated issue as we see it” for records of use to law enforcement. The FTC is in “continuing discussion” about whether it should ask Congress for expanded consumer access to records, she added.
Asked what the Commission thinks of Capitol Hill legislation on breaches and what “gaps we need to fill in” between federal laws, Majoras fretted there’s “no one statute that requires companies in a general way to safeguard information.” She recalled 18 bills introduced to that end, but didn’t state a Commission preference for any. “It’s hard to justify” adding more regulations for banks, for example, and leave retailers unburdened, she said. The FTC settled with retailers DSW and BJ’s Wholesale Club for breaches last year but didn’t apply civil penalties (WID June 17 p9).
The govt.’s relationship with ChoicePoint also came up. “I don’t see the inconsistency” in the govt. purchasing data from ChoicePoint to go after “deadbeats” skipping out on child support and other law-enforcement needs, Majoras said.
Already in Compliance, ChoicePoint Says
ChoicePoint defended itself to reporters after the news conference. Carol DiBattiste, chief credentialing, compliance & privacy officer, said the firm was “pleased with the agreement” with FTC and happy to “put it behind us.” She urged the public to focus on “what ChoicePoint has become” -- having changed its business model by limiting access to the most sensitive information, truncating or masking such information when provided, improving technical security and auditing, and tightening credentialing.
“We are sorry for what has happened” to affected consumers, DiBattiste said, but put the lapse in the context of 150 breaches across business, govt. and universities in 2005. “The fraudsters beat the process. We learned how” and changed the process, she said: “I stay up at night thinking of ways to beat the fraudsters… Our job is to stay one step ahead of them.” The firm is already carrying out much of what the settlement requires, such as site visits for most applying businesses and a 16-page credentialing checklist to ensure data is provided only for permissible purposes, she said.
The settlement is “not a drop in the bucket,” DiBattiste said: Beyond the penalty and consumer fund, “it is going to cost us millions of dollars to put these procedures in place.”
Rosy Revenue Growth Predicted for 2006
Despite its trouble, ChoicePoint reported record revenue of $1.1 billion for 2005 Thurs., a 15% increase from the previous year. Full year earnings per share (EPS) was $1.53, which included a 24 cents a share dilutive impact from expenses related to the company’s data breach scandal, the FTC settlement and the abandonment of certain leases, officials said. ChoicePoint reported revenue of $257.9 million for the 4th quarter, up 11% from $232.5 million from the same quarter in 2004. EPS for the quarter was 30 cents.
ChoicePoint expects 2006 revenue growth to be 7-9%. Legal expenses related to the data breach are estimated at $4-6 million for the year, excluding any settlements including today’s, with most of the costs incurred during the first 2 quarters, the company said. ChoicePoint also said it would change its business model by centralizing certain functions and consolidating some technology platforms. The operating charges and accelerated depreciation related to the efforts are estimated at $8-10 million, most of the expenses expected to affect Q1 results.
In its post-breach cleanup, the information broker “not only followed the law but built upon it,” ChoicePoint COO Doug Curling said during an investor call. The company’s response became the “de facto standard that shaped responses to more than 150 other corporations, colleges and universities, nonprofits and government entities that also reported data exposure,” he said.
CEO Derek Smith said his company “stepped up to the challenges” it encountered last year and he’s proud of his colleagues’ efforts. ChoicePoint is now better positioned to benefit shareholders by helping customers manage economic and physical risks, he said. Smith said the FTC settlement was “the right thing to do for ChoicePoint, our shareholders and consumers.” ChoicePoint’s shares sank 2.74% to $43.56 in Thurs. morning trading.
Room for Congressional Action After Settlement
Congress members and consumer groups said the deal doesn’t eliminate the need for Hill action. Senate Judiciary Ranking Member Leahy (D-Vt.) called the settlement “a step forward for accountability,” but flayed ChoicePoint for giving consumer information to subscribers “whose applications clearly raised red flags” and for ignoring law-enforcement warnings of fraudulent activity. He and Chmn. Specter (R-Pa.) will keep pushing their compilation bill (S-1789) “to raise the bar for the safeguards that are needed” to protect consumer information, Leahy said.
Sen. Schumer (D-N.Y.) credited ChoicePoint with “cleaning up its act… but it should not have even come to this.” Congress should pass ID theft legislation to ensure all firms, “not just companies that are caught red handed,” maintain privacy protections, he said. Schumer and Sen. Nelson (D-Fla.) last year introduced a bill (S-768) that would set up an ID theft office at the FTC (WID April 14 p1), but it was left out of the Senate Judiciary compilation bill because there was “really no clamor for that,” Specter and Leahy said at the time (WID July 1 p3).
The deal shows “a patchwork of regulations and state laws” is insufficient to stop breaches, said Rep. Castle (R-Del.), who introduced a bill that would provide a national standard for breach notification with Reps. Pryce (R-O.) and Moore (D-Kan.) (WID July 22 p1).
The lesson of the ChoicePoint settlement isn’t that consumers can “expect personally identifiable data to be kept to ourselves, not if we want instant credit and all the other benefits” of modern society, said Progress & Freedom Foundation Senior Fellow Patrick Ross. ChoicePoint, which “chose not to prioritize the protection of consumer data” and misled consumers and govt. officials in its privacy and security policies, now pays the price, he said. He warned against Congress “rushing a new law out the door,” saying it should let the FTC continue its investigations under existing law.
Consumers Union hailed the settlement but said citizens need help from Congress. People at least should be able to review and correct information compiled on them, get notice of every security breach and have the right to freeze access to personal information, analyst Susanna Montezemolo said.
The ChoicePoint breach’s “front door” nature -- it was done through deceitful requests, not hacking -- is a “powerful reminder that information security must be a priority at every stage of a business’s operations,” Cyber Security Industry Alliance Exec. Dir. Paul Kurtz said. The “required 3rd-party audits and close FTC compliance monitoring for the next 2 decades” should scare firms into improving certification and data security procedures, he added.