As reported here, ChoicePoint, Inc., one of the nation’s largest data brokers, has agreed to strengthened data security requirements to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order.
As a result of the security failure, there was a data breach last year that exposed Social Security numbers and other personal information. But whether the breach was due to the actions of a former ChoicePoint government customer failing to secure its login credentials or the failure of ChoicePoint to adequately monitor for suspicious access to the database — or both — depends on whose version you believe.
According to the FTC, ChoicePoint switched off an internal electronic monitoring system that would have alerted the company to unauthorized activity. The FTC alleges that the safety system was inactive for a period of four months, during which time unauthorized individuals used stolen credentials to look up personal information on 13,750 people. ChoicePoint’s statement indicates that
… a former ChoicePoint government customer failed to properly safeguard one of its user IDs. The former government customer’s failure to properly safeguard its user ID and password resulted in unauthorized access to a ChoicePoint database through ChoicePoint’s AutoTrack XP product from August 8, 2008 to September 8, 2008.
but the company denies the FTC’s allegation that not detecting the former government customer’s inappropriate access was inconsistent with ChoicePoint’s obligations under the original Final Order.
Under the agreed-upon modified court order, filed on the FTC’s behalf by the Department of Justice, ChoicePoint is required to report to the FTC – every two months for two years – detailed information about how it is protecting the breached database and certain other databases and records containing personal information.
The FTC’s prior action against ChoicePoint involved a data breach in 2005, which compromised the personal information of more than 163,000 consumers and resulted in at least 800 cases of identity theft. The settlement and resulting 2006 court order in that case required the company to pay $10 million in civil penalties and $5 million in consumer redress. The company also agreed to maintain procedures to ensure that sensitive consumer reports were provided only to legitimate businesses for lawful purposes; to maintain a comprehensive data security program; and to obtain independent assessments of its data security program every other year until 2026. The new court order extends the record-keeping and monitoring requirements of the 2006 order, and gives the FTC the right to request up to two additional biennial assessments of ChoicePoint’s overall data security program.