The Federal Trade Commission announced that consumer databroker ChoicePoint will pay a $275,000 and has agreed to stronger data security protections “to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft.”
The previous court order had to do with a security breach four years ago. In February 2005, ChoicePoint sold the records of more than 163,000 Americans to a criminal ring engaged in identity theft. The public learned of ChoicePoint’s sale of sensitive data to criminals because California’s security breach law (pdf) demanded it; federal law did not.
ChoicePoint had to pay $15 million to settle the FTC investigation ($10 million in civil penalties and $5 million in consumer redress) in 2006. The settlement also required “ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026.”
Under the new settlement, “ChoicePoint is required to report to the FTC – every two months for two years – detailed information about how it is protecting the breached database and certain other databases and records containing personal information,” the FTC said.