ChoicePoint Settles ID Theft Case, Licks Wounds

ChoicePoint is still doing damage control two years after identity thieves set up fake businesses and bought personal information on 163,000 U.S. residents from the data broker.

A settlement reached this week between ChoicePoint and attorneys general from 43 states and the District of Columbia may well be the tipping point for the company as it works to reclaim its reputation.

At face value, the damages ChoicePoint must pay under the agreement -- US$500,000 to be divided among the states and the district -- appear to be minimal. However, $5 million of the $15 million it paid the Federal Trade Commission last year was dedicated to consumer outreach and education.

"I think that money had some bearing on the AGs' decision not to prosecute further," Deborah Thoren-Peden, a partner in Pillsbury Winthrop Shaw Pittman's corporate and securities practice, told the E-Commerce Times.

Major Changes

Changes ChoicePoint has since put in place have earned accolades among some privacy advocates.

"They have definitely made major improvements," Paul Stephens, a policy analyst with the Privacy Rights Clearinghouse, told the E-Commerce Times. "They had a rude awakening with that initial breach, but then took the responsible approach to make sure it wouldn't happen again."

Thoren-Peden guesses that it is a culmination of these factors, plus the settlement agreement, which also calls for ChoicePoint to implement further protections, that the attorneys general took into account when they decided to settle.

For instance, this will be the first time a data broker has agreed to safeguard all personal information using the same credentialing methods as it uses to safeguard financial information, according to the attorney general for Massachusetts, which is receiving $7,750 in the settlement.

ChoicePoint is obligated by law to protect financial information.

This agreement builds on the one it made with the FTC when it settled in January 2006. Then, the FTC required ChoicePoint to improve its process for accepting clients who obtain information from credit reports. The settlement with the attorneys general requires ChoicePoint to improve its credentialing process for clients that obtain Social Security numbers and other forms of personally sensitive information.

"In this day and age, it is crucial that companies like ChoicePoint that house customer's personal information take the appropriate steps to ensure that this type of information is appropriately safeguarded," stated Massachusetts Attorney General Martha Coakley.

Awaking to the Dangers

2005 awoke consumers to the dangers of identity theft, thanks the sheer numbers of such incidents. ChoicePoint's breach -- in which identity thieves created bogus user IDs to infiltrate its database of consumer information -- was among the earliest high-profile events. That breach was quickly followed by other database break-ins at universities, retailers and various federal government agencies. After the smoke cleared, ChoicePoint became the poster child for all that was wrong with the way companies and agencies protected consumers' data.

This debate ultimately spawned several pieces of legislation in both Congress and state bodies. Some measures, such as the ability to place credit in a freeze, have been successfully shot down after intense lobbying efforts by retailers and other interested parties. Some of these measures will be reintroduced in the current session.

While the question of how to best protect people against fraudsters remains unresolved in legal forums, many companies have begun to quietly and not so quietly implement their own practices, Thoren-Peden said. "No one is eager to see their customers' trust erode, and that is what inevitably happens when these breaches occur," she added.

In the Vanguard

ChoicePoint has been assiduously working to establish itself as a model in data protection even before its settlement with the FTC, Matt Furman, a company spokesperson told the E-Commerce Times.

For instance, it now conducts field inspections of every customer that receives or applies to receive data that falls under the Fair Credit Reporting Act.

"We physically go to the business to make sure it is legit. That is something we have done since mid-2005 and was memorialized in our agreement with the FTC and the agreement with the AGs," Furman said.

The company has also begun random audits of its customers to make sure they have given consent for their data to be used in the manner in which they were informed it would be used.

A consumer rights ombudsman has been posted within the company to advocate for consumers, Furman continued.

"That is a new step for us, and I am not sure how many other companies have done something like that," he added.

Other measures aimed at consumer protection include ChoicePoint's offer to provide free of charge to an individual any information that it has gathered about him or her. This service can be accessed at www.ChoiceTrust.com.

"This is a great tool to see if you have been a victim of identity theft," Furman said. It goes beyond monitoring one's credit report in that it can give people a clue if their identity has been co-opted to apply for a new job, or worse, to unsuccessfully commit a crime.

"If someone with your name and identity has filed an insurance claim, bought a house or have gotten arrested, we will know about it," he added.