FTC uses kid gloves on ChoicePoint's 2nd data breach
At least 340 million
personal records held by corporations, government agencies, and other entities
have been compromised by security breaches since January 2005, according to
the Privacy Rights Clearinghouse, a non-profit consumer organization that keeps
a running tally that isn’t even a complete listing.
Why are corporations so reckless in handling other people’s personal and financial data, when you rarely hear
that a corporation accidentally gave away records revealing its own secret financial information?
My theory is that, because the authorities are very polite and socially
graceful with corporations that lose your data, and because offenders can pass the cost of penalties on to their customers or insurers, this leads the data-losers to
believe they’ve really done nothing wrong. A recent settlement between
ChoicePoint and the Federal Trade Commission makes the point.
After ChoicePoint, one of the largest U.S. data brokers, got caught carelessly
handling the personal information of 163,000 consumers in 2005—resulting in
800 cases of identity theft—the Reed Elsevier subsidiary got sloppy again
three years later, at least allegedly, according to an October FTC press release.
The 2005 data breach was serious enough
for ChoicePoint to get tagged by the FTC, which filed a 2006
complaint that resulted in a settlement and a court order.
Following the standard etiquette of
government settlements, the FTC agreed to resolve the matter, “without Defendant
admitting the truth of, or liability for, any of the matters alleged in the
Complaint.”
I don’t know about you, but when I got caught doing something wrong as a kid,
earning back my parents' trust required an admission of guilt. ChoicePoint had
to do no such thing, which allowed it to assure its stockholders in a
subsequent annual report that the company “does not admit to the truth of, or
liability for, any of the matters alleged by the FTC.”
The order also required ChoicePoint, with a billion dollars in revenues, to pay
$10 million in civil penalties and $5 million in consumer redress. The FTC says
ChoicePoint also agreed to follow procedures to ensure that sensitive consumer
reports are provided only to legitimate businesses for lawful purposes, and to
maintain a comprehensive data security program that is independently assessed
every two years until 2026. ChoicePoint says these additional obligations cost
it another $4 million, bringing the total penalty cost of the breach to $19
million.
But the cost of those penalties to
ChoicePoint was actually only 46 cents on the dollar. That’s because the
company got awarded $11 million in insurance proceeds from the incident,
resulting in a net after-tax cost of only $8.8 million.
Another breach
In April 2008, the FTC alleges, the company turned off a key electronic security
tool used to monitor access to one of its databases and didn’t find the error
for four months. As a result, an unknown crook waltzed through ChoicePoint’s
consumer information database for 30 days, conducting unauthorized searches
among Social Security numbers and other sensitive data.
The breach exposed 13,750 people to the
risk of identity theft.
But in a press release, the FTC instead played up the positive that
ChoicePoint “has agreed to strengthen data security requirements” to settle FTC
claims that ChoicePoint violated the 2006 court order. The FTC alleged that the intrusion would have been detected much
earlier and damage would have been minimized “if the security software had been
working.”
So a new, supplemental stipulated judgment and order has been issued, requiring ChoicePoint
to comply with the 2006 order—something it was supposed to be doing already. The new order contains some additional requirements. For the next two years,
ChoicePoint must now also report details every two months to the FTC about how
it is protecting the breached database as well as other specific databases and
records. The order stipulates that “Defendant makes no admissions
to, and denies, the Commission’s allegations other than the jurisdictional
facts.”
And, in case readers get the wrong idea, the FTC press release noted that “This
modified stipulated judgment and order…does not constitute an admission by the
defendant of a law violation.”
ChoicePoint also agreed to pay $275,000. That’s a bargain, considering this was the second time it admitted to doing nothing wrong. The penalty this time around
works out to only $20 per consumer exposed to ID theft versus $92 per consumer in 2006.
—Jeff Blyskal

Posted by: Terry in Nashville | Nov 11, 2009 2:03:28 PM
Our own government is the biggest cause of Identity theft and this article is just an example.
Posted by: E. Nowak | Nov 12, 2009 4:27:56 PM
This is another example of the pro-business bent of the Bush administration. Unfortunately, Obama's administration hasn't really proven to be much different -- so far. They have tended to put industry insiders into cabinet posts. We can only hold our breath and hope things are different in the administration. However, it's frustrating that politics dictates whether officials enforce laws in a way that protects the American people, and doesn't reflect a president's political ideology or rewards political campaign contributors' wishes.
Posted by: steve | Nov 17, 2009 9:02:31 AM
You blame this on the Bush admin? This has nothing to do with Bush and everything to do with corporate law and expediency.
Posted by: Dave Owen | Nov 23, 2009 2:03:48 PM
The article implies that ChoicePoint was a subsidiary of Reed Elsevier at the time of the breach, but in fact, the company was not acquired until later in the year. The breach occurred in April, but the merger was not even cleared by the FTC until September. A deal was formally signed in November, and the merger itself is still underway.
Be careful about imputing blame on Reed Elsevier, when they could not have had anything to do with this breach.