Data provider ChoicePoint Inc. agreed to pay $15 million and modify its business practices in a settlement over allegations of violations of the Fair Credit Reporting Act and the Federal Trade Commission Act, the FTC said yesterday.
At least 800 cases of identity theft resulted from the company's well-publicized data breach, Federal Trade Commission chairwoman Deborah Platt Majoras said during a news conference. The settlement includes $10 million in civil penalties, the largest in FTC history, and $5 million in consumer redress to be distributed by the FTC to consumers who suffered identity theft based on the breach as well as to cover other expenses.
ChoicePoint, Alpharetta, GA, initially notified 35,000 California consumers in late January 2005 that their information may have been accessed fraudulently. On Feb. 16, it said another 110,000 letters would be sent nationwide involving the breach. In November, the company notified 17,000 more consumers.
The notices stem from the October 2004 discovery that some requests for names, Social Security numbers and other information filled by ChoicePoint might have been fraudulent. Since then, the company and law enforcement have found nearly 50 bogus accounts posing as legitimate businesses.
The ChoicePoint breach as well as others revealed last year led to several bills that are still making their way through various congressional committees.
Though ChoicePoint admitted no wrongdoing, it is bound by the settlement to follow all provisions of the FCRA and employ reasonable procedures to ensure that it is not in violation of the law, including rigorous screening and monitoring of customers. The company also must put in place a comprehensive information security program and undergo audits by an independent third-party security professional every other year until 2026.
In response to the settlement, ChoicePoint said it had learned much from the data breach and that it has implemented almost all the changes mandated in the agreement.
“I firmly believe that the changes we've implemented in the past year were not only the right thing for this company to do but are equally important for the entire industry to consider,” ChoicePoint chairman/CEO Derek V. Smith said in a statement.
The settlement was reached in U.S. District Court for the Northern District of Georgia, Atlanta Division. The FTC approved it with a 4-0 vote.
The Direct Marketing Association issued a statement after the settlement was announced, reminding companies that collect and use data to ensure its security. ChoicePoint is a DMA member.
“There are many legitimate uses for information that are critical to maintaining America's economy and preserving value, safety, convenience and choice for consumers,” said Jerry Cerasale, DMA senior vice president for government affairs. “We have to strike a delicate balance that allows the appropriate collection and sharing of data while preventing unauthorized or indiscriminate access to data that can be used by identity thieves.”
Meanwhile, ChoicePoint's fourth-quarter and year-end profits suffered last year in part because of charges of $27.3 million related to the data breach. The company said that figure includes $2 million spent on consumer notification, credit reports and credit monitoring services; $17.3 million in legal expenses and professional fees and $8 million earmarked for the settlement with the FTC.
Net income for the fourth quarter ended Dec. 31, 2005, was $27.68 million, down from $39.22 million the previous year. Year-end net income was $140.66 million versus $147.96 million in 2004. The company posted Q4 revenue of $257.85 million, up from $232.46 million the previous year. Revenue for the year also was up, at more than $1.1 billion versus $918.71 million in 2004.
The company's ChoicePoint Precision Marketing division showed a 5 percent decline in revenue, posting $29.7 million in Q4 2005 as opposed to $31.3 million the prior year. For the year, the division had $119.6 million in revenue, down 6 percent from $127.7 million in 2004.
Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters