U.S. data aggregator ChoicePoint has reached an agreement with the Federal Trade Commission (FTC) to pay a fine of $10 million for a massive data security breach involving consumer records. The FTC has also asked ChoicePoint to pay $5 million into a compensation fund for those affected by the leak. The direct losses incurred by the firm as a result of the leak have now reached $26.4 million.
The fine imposed on ChoicePoint by the FTC, agreed on Jan. 26, 2006, was the result of a leak of the private details of 163,000 Americans (according to figures released by the FTC) in October 2004, though the incident was only made public in February 2005. It was the first widely-publicized data breach to prompt federal-level legislative measures in the sphere of private and confidential data. For some time the ChoicePoint leak was seldom out of the press, primarily because the criminals managed to steal 19 billion private records — information on virtually every adult American.
In an effort to reestablish its good name, ChoicePoint was forced to buy Magnify, a firm specializing in computer programs to detect fraudulent activities. The purchase allowed ChoicePoint to demonstrate to its clients that the risk of falling victim to identity theft and losing their money was under control. The investment in Magnify was not included in the $26.4 million of combined losses that ChoicePoint has incurred as a result of the leak.
At the end of June 2005 ChoicePoint published its financial results for the second quarter that ended on June 30. The company announced that the measures taken to counter the ill-fated data breach cost $6 million, while expenses of $5.4 million were recorded for the same reason in the first quarter of 2005.
“The news that a leak of confidential information can actually cost millions of dollars shocked those in business circles. Statistics show that on average hundreds of thousands of dollars are spent on leaks every year, which is why official damages of $11.4 million caused such a commotion at the time,” says Denis Zenkin, marketing director at InfoWatch.
The next financial blow to ChoicePoint came in the form of the legal case by the FTC, which decided not to wait for the federal law on breaches of sensitive data (likely to be adopted in the first half of 2006). The commission accused ChoicePoint of violating the procedures of storing personal records and IT security in general, resulting in citizens' rights being violated.
During the FTC investigation the company's profits gradually fell and its share prices slumped. In the final quarter of 2005 ChoicePoint recorded a 29% decrease in profits compared to the same period in 2004.
The federal agency and the company eventually agreed on a fine of $10 million, as well as a $5 million payment to compensate ChoicePoint's clients. The fact that the FTC itself is a client of the data aggregation firm may well have influenced the latter measure. Moreover, the damage done to the firm's reputation could mean the loss of some very profitable contracts.
According to the FTC, the data breach at ChoicePoint has resulted in approximately 800 people falling victim to financial fraud. Many of those people have, in turn, filed lawsuits against the company.
The size of the fine ($10 million) is relatively small when compared to the turnover at ChoicePoint (about $1 billion); by government standards, however, it is a huge fine. The amount is also a warning sign from the regulatory bodies to other commercial companies. It indicates that the FTC will punish any company for data leaks without waiting for the introduction of more severe laws.
As part of the regulatory measures taken against the company, ChoicePoint will also have to introduce new procedures to protect confidential information belonging to U.S. citizens. ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.
“More than $25 million for neglecting internal IT security: that sort of damage is impressive. It shouldn't be forgotten that that sum doesn't include the purchase of the firm Magnify, which, under any other circumstances, ChoicePoint would never have bought. Also, behind the scenes, there remains long-term investment in new protection measures against insiders, a comprehensive IT security policy, audits, and so on. However, the most important lesson here is that all those damages could easily have been avoided by installing the corresponding protection measures beforehand, spending about 1% of today's total losses,” believes Denis Zenkin.
An official statement on the Federal Trade Commission settlement can be found at the company's official site (PDF – 20 KB).