FTC Modifies ChoicePoint Consent Order and Imposes Stricter Compliance
The Federal Trade Commission announced today that it had entered into a modified consent agreement with ChoicePoint due to ChoicePoint’s inability to live up to the original consent agreement entered into in 2006.
The FTC entered into a consent agreement with ChoicePoint was due to compromise of 163,000 financial records and at least 800 cases of identity theft. The breach was possibly a watershed moment in data breaches and brought attention to data aggregators. ChoicePoint paid $10 million in civil fines, $5 million in consumer redress, and countless millions of dollars in forwent business opportunities, attorneys’ fees, and settlement fees for lawsuits. ChoicePoint also agreed to “establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers” which would be subject to an audit every two years.
The FTC press release for the most recent consent order notes that ChoicePoint “turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off.” As a result, ChoicePoint, since acquired by Reed Elsevier, compromised the personal information of approximately 13,750 individuals. ChoicePoint must now pay a fine of $275,000 and report to the FTC every two months for two years. The FTC also increased the final data by which ChoicePoint would be subject to biennial audits by two years to 2028. The new consent order may be found here.
The FTC enforcement reiterates FTC's attitudes about privacy promises. Such scrutiny by the FTC will certainly be burdensome for ChoicePoint and require it to step up its information security operation or face even more fines and enforcement from the FTC.