One Year Later, ChoicePoint Writes A Check

After a serious data breach last year that prompted U.S. Senate scrutiny and international media attention, data broker ChoicePoint has settled charges with the U.S. Federal Trade Commission, resulting in a hit to earnings for the publicly traded company.

According to the FTC, ChoicePoint acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised and will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026.

“The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”

ChoicePoint is a publicly traded company based in suburban Atlanta. It obtains and sells to more than 50,000 businesses the personal information of consumers, including their names, Social Security numbers, birth dates, employment information, and credit histories.

The FTC alleges that ChoicePoint did not have reasonable procedures to screen prospective subscribers, and turned over consumers’ sensitive personal information to subscribers whose applications raised obvious “red flags.” Indeed, the FTC alleges that ChoicePoint approved as customers individuals who lied about their credentials and used commercial mail drops as business addresses. In addition, ChoicePoint applicants reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies.

According to the FTC, ChoicePoint failed to tighten its application approval procedures or monitor subscribers even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity going back to 2001.

The FTC charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports – credit histories – to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information.

The agency also charged that ChoicePoint violated the FTC Act by making false and misleading statements about its privacy policies. ChoicePoint had publicized privacy principles that address the confidentiality and security of personal information it collects and maintains with statements such as, “ChoicePoint allows access to your consumer reports only by those authorized under the FCRA . . . ” and “Every ChoicePoint customer must successfully complete a rigorous credentialing process. ChoicePoint does not distribute information to the general public and monitors the use of its public record information to ensure appropriate use.”

The stipulated final judgment and order requires ChoicePoint to pay $10 million in civil penalties – the largest civil penalty in FTC history – and to provide $5 million for consumer redress. It bars the company from furnishing consumer reports to people who do not have a permissible purpose to receive them and requires the company to establish and maintain reasonable procedures to ensure that consumer reports are provided only to those with a permissible purpose. ChoicePoint is required to verify the identity of businesses that apply to receive consumer reports, including making site visits to certain business premises and auditing subscribers’ use of consumer reports.

The order requires ChoicePoint to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers. It also requires ChoicePoint to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. ChoicePoint will be subject to standard record-keeping and reporting provisions to allow the FTC to monitor compliance. Finally, the settlement bars future violations of the FCRA and the FTC Act.

Posted under Privacy

This post was written by George Bounacos on January 27, 2006


ChoicePoint Debacle Prompts Senate Review, Timing of Stock Trades Questioned

The United States Senate Committee on the Judiciary, chaired by Arlen Specter (R-Pa), is considering holding hearings in response to ChoicePoint, Inc.’s release of 140,000 consumer records including consumer information. That hearing has not been scheduled yet, although the Committee does have an Executive Business Meeting scheduled for Thursday, March 3 at 9:30 a.m.

The hearing was requested by Sen. Patrick J. Leahy (D-Vt.), who along with Sen. Charles Schumer (D-NY), yesterday criticized the information services industry and its safeguards. Senator Schumer’s office reportedly was able to obtain Social Security numbers and other private information used by identity thieves without undergoing scrutiny. Schumer’s office used Westlaw.com, another well-known information services company.

In a statement released this afternoon, the Direct Marketing Association reiterated its member guidelines, which require, “…that organizations — both marketers and legitimate organizations that use such data — develop staff policies, procedures, training, and responsiveness measures to protect personally identifiable information.”

A related story reported by MSNBC has questioned the timing of a series of stock sales by ChoicePoint’s CEO Derek Smith and President Douglas Curling. MSNBC reports that a ChoicePoint spokesperson denied any connection between the stock sales and the first arrest case last fall.

Posted under Privacy

This post was written by George Bounacos on February 25, 2005


ChoicePoint Reveals Details Of Improperly Sold Data

ChoicePoint, the information services company that admitted selling personal data about 140,000 consumers, has announced the timeline of this matter.

According to a company statement, they were first aware of the potential for improper release of information in October 2004 and notified local law enforcement, the Los Angeles County Sheriff’s Department. ChoicePoint states that they were asked to not disclose any information regarding this matter because of a criminal investigation. The company was allowed to begin contacting customers in January 2005. By then, law enforcement had identified 750 consumer victims of identity theft that were linked to this release of information.

The price of ChoicePoint stock has dropped 10% since the company announced the information’s release. Since then, ChoicePoint has released a table showing that the release impacted consumers in every state. The company has also pledged to increase its investigation of companies attempting to purchase consumer data.

On Friday, Consumer Help Web published a list of tips for consumers who become the victim of identity theft.

Posted under Customer Service, Privacy

This post was written by George Bounacos on February 22, 2005


Consumer Data Improperly Sold, Thousands At Risk Of Identity Theft

Information services company ChoicePoint admitted this week that they sold data to various entities posing as legitimate businesses. More than 140,000 records containing “consumers’ names, addresses, Social Security numbers and credit reports” may have been improperly released, putting those consumers at risk for identity theft.

California is the only state that currently requires companies to notify consumers if Social Security numbers or similar information is improperly released, but a group of state attorneys general has written to ChoicePoint and urged the company to do the same for consumers in their states. Officials from the following states signed that letter: Alaska, Arizona, Connecticut, Florida, Idaho, Illinois, Indiana, Iowa, Maryland, Massachusetts, Michigan, Ohio, Oregon, New York, North Carolina, North Dakota, South Dakota, Vermont and Washington. The company has agreed to notify all impacted consumers and cites law enforcement requests for the delay in releasing the information.

If you are a victim of identity theft, the federal government advises taking the following steps:

  • Contact the fraud departments of the three major credit bureaus.
    Request that a “fraud alert” be placed on your file and include a statement that creditors must get your permission before any new accounts are opened in your name. Get a copy of your credit report from each credit bureau so that you can dispute any inaccurate information. Check your reports at least every six months.

    The three major credit bureaus are:

    Equifax
    Order Credit Report: 800-685-1111
    Report Fraud: 800-525-6285
    www.equifax.com

    Experian
    Order Credit Report: 888-397-3742
    Report Fraud: 888-397-3742
    www.experian.com

    Trans Union
    Order Credit Report: 800-888-4213
    Report Fraud: 800-680-7289
    www.tuc.com

  • Contact all the creditors involved.
    Let them know that your accounts may have been used without your permission, or that new accounts have been opened in your name. If your accounts have been used fraudulently, ask that new cards and account numbers be issued to you. Check your billing statements carefully and report any fraudulent activity immediately. Many banks and creditors will accept the “ID Theft Affidavit” available at www.consumer.gov/idtheft, to dispute the fraudulent charges.
  • File a police report.
    Get a copy of the report to submit to your creditors and others that may require proof of a crime.
  • Contact the Federal Trade Commission.
    The FTC provides useful information to identity theft victims and maintains a database of identity theft cases for use by law enforcement agencies. File a report with the FTC by calling the FTC’s Identity Theft Hotline: 1-877-IDTHEFT (438-4338); by mail, Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington DC 20580; or online at www.consumer.gov/idtheft. Also request a copy of the publication, ID Theft, When Bad Things Happen to Your Good Name.
  • Keep a record of your contacts.
    Start a file with copies of your credit reports, the police report, any correspondence, and copies of disputed bills. It is also useful to keep a log of your conversations with creditors, law enforcement officials, and other relevant parties. Follow up all phone calls in writing and send all correspondence certified, return receipt requested.

Posted under Customer Service, Privacy

This post was written by George Bounacos on February 18, 2005
