FTC uses kid gloves on ChoicePoint's 2nd data breach

At least 340 million personal records held by corporations, government agencies, and other entities have been compromised by security breaches since January 2005, according to the Privacy Rights Clearinghouse, a non-profit consumer organization that keeps a running tally that isn't even a complete listing.

Why are corporations so reckless in handling other people's personal and financial data, when you rarely hear that a corporation accidentally gave away records revealing its own secret financial information?
 
My theory is that, because the authorities are very polite and socially graceful with corporations that lose your data, and because offenders can pass the cost of penalties on to their customers or insurers, this leads the data-losers to believe they've really done nothing wrong. A recent settlement between ChoicePoint and the Federal Trade Commission makes the point.
 
After ChoicePoint, one of the largest U.S. data brokers, got caught carelessly handling the personal information of 163,000 consumers in 2005—resulting in 800 cases of identity theft—the Reed Elsevier subsidiary got sloppy again three years later, at least allegedly, according to an October FTC press release. 

The 2005 data breach was serious enough for ChoicePoint to get tagged by the FTC, which filed a 2006 complaint that resulted in a settlement and a court order.

Following the standard etiquette of government settlements, the FTC agreed to resolve the matter, "without Defendant admitting the truth of, or liability for, any of the matters alleged in the Complaint."

I don't know about you, but when I got caught doing something wrong as a kid, earning back my parents' trust required an admission of guilt. ChoicePoint had to do no such thing, which allowed it to assure its stockholders in a subsequent annual report, that the company "does not admit to the truth of, or liability for, any of the matters alleged by the FTC."

The order also required ChoicePoint, with a billion dollars in revenues, to pay $10 million in civil penalties and $5 million in consumer redress. The FTC says ChoicePoint also agreed to follow procedures to ensure that sensitive consumer reports are provided only to legitimate businesses for lawful purposes, and to maintain a comprehensive data security program that is independently assessed every two years until 2026. ChoicePoint says these additional obligations cost it another $4 million, bringing the total penalty cost of the breach to $19 million.

But the cost of those penalties to ChoicePoint was actually only 46 cents on the dollar. That's because the company got awarded $11 million in insurance proceeds from the incident, resulting in a net after-tax cost of only $8.8 million.

Another breach
In April 2008, the FTC alleges, the company turned off a key electronic security tool used to monitor access to one of its databases and didn't find the error for four months. As a result, an unknown crook waltzed through ChoicePoint's consumer information database for 30 days, conducting unauthorized searches among Social Security numbers and other sensitive data.

The breach exposed 13,750 people to the risk of identify theft.

But in a press release, the FTC instead played up the positive that ChoicePoint "has agreed to strengthen data security requirements" to settle FTC claims that ChoicePoint violated the 2006 court order. The FTC alleged that the intrusion would have been detected much earlier and damage would have been minimized "if the security software had been working."

So a new, supplemental stipulated judgment and order has been issued, requiring ChoicePoint to comply with the 2006 order—something it was supposed to be doing already. The new order contains some additional requirements. For the next two years, ChoicePoint must now also report details every two months to the FTC about how it is protecting the breached database as well as other specific databases and records. The order stipulates that "Defendant makes no admissions to, and denies, the Commission's allegations other than the jurisdictional facts."

And, in case readers get the wrong idea, the FTC press release noted that "This modified stipulated judgment and order…does not constitute an admission by the defendant of a law violation."

ChoicePoint also agreed to pay $275,000. That's a bargain, considering this was the second time it admitted to doing nothing wrong. The penalty this time around works out to only $20 per consumer exposed to ID theft versus $92 per consumer in 2006.—Jeff Blyskal