Slashdot Mirror
ChoicePoint Hit With Large Fine For Data Theft
Lam1969 writes "The U.S. Federal Trade Commission has fined ChoicePoint $10 million for a data breach that allowed identity thieves posing as legitimate businesses to steal social security numbers, credit reports, and other data from nearly 140,000 people. This is the largest fine ever levied by the FTC. ChoicePoint also has to set up a 'trust fund' for people victimized by identity thieves. From the article: 'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'" BusinessWeek has some background information on this breach.
For the three months ending Dec. 31, ChoicePoint said it earned $27.68 million on revenues of over one billion dollars in 2005
Quality Hosting e3 Servers
The information of millions of citizens, including employment, financial, contact, and other personal information all in the hands of a third party corporation who has to make next to nil security checks with the government, what could possibly go wrong?
I was expecting something a little more Barad-Dur-ish. You know, heads of traitors impaled on the bridge as a warning to others.
'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'
Every company should undergo a comprehensive security audit every two years. I mean, security in Jan 2004 is rather different from security in Jan 2002, and both are way different from security today. A system that might have been thought to be secure 2 years ago isn't so hot right now. If I ran a huge, profitable company, I would assign a few people to try to break into my company full-time.
I'm happy to see regulators stepping in. Security of other peoples' data is a big problem, and it's going to be a much bigger problem. However, I think this is the wrong approach. I think the right approach is actually much simpler than lots of regulatory oversight: Make companies liable for misuse of data that they collected and lost or misplaced. In fact, make them not only liable for direct damages, but award punitive damages as well. Also, the plaintiff should should not have a large burden of proof that it was actually company X's loss of the data that led to the damage. If company X had the data, and there is a preponderance of evidence that company X let the data escape, X should be liable for the damages even if it's possible that the bad guys actually got the data somewhere else.
That may seem unreasonable, but I have a very specific reason for that "extreme" position. We want companies who use customer data to be very, very reluctant to collect any data they don't absolutely need, and we want them to be anxious to destroy that data as quickly as possible so that there is no possibility it may be compromised.
As long as corporations see more potential gain than loss in collecting and hoarding personal details, they'll do it. Regulators may slow them down a bit, or force them to be a little more careful, but the best solution is to convince them that they do not want it.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
It is impossible not to have your ID stolen through not YOUR actions, but others now a day. I had mine compromised 3 times last year due to employers as well as corporations that have my personal information. I mean, what can you really do when a company refuses to protect your identity? You can't sue, because there are no laws on the books. Yes, I took my business elsewhere, but what happens when you lose money due to others mishaps and ignorance? I guess it is time to get "ID Loss Insurance" for another $30/month. Ugh.
That honestly made my day. I'm not kidding. That was great.
Am I missing something here? Has the FTC ever posted a vulnerability and a suggested fix on any OSS project website? Does the FTC report vulnerabilities to software developers? Has the FTC ever published books about secure procedures? How about regarding flaws in the procedures of sharing credit data?
I'm guessing the answer to all of those is, "no." The auditing is meaningless, because the FTC's business isn't computer security. But hey, I guess that justifies some department's budget for the next 20 years.
Every company should undergo a comprehensive security audit every two years
Big, public companies already have to drink a nice, big, hot cup of Sarb-Ox every year. That includes all sorts of IT/security related audits and assertions. The act is really more about disclosure, transparency, and protecting investors from Enron-ish type stuff, but lax security in IT is Not A Good Thing under this act, and the FTC/SEC troops can come in swinging when there's a screw-up.
Don't disappoint your bird dog. Go to the range.
Then $10M is about a third of a quarter's earnings. Your revenue figure is for all four quarters, and revenue ("amount of money you took in") is not the same as earnings ("amount of money you actually made").
CPS has about 90M shares outstanding. A $10M fine is about $0.09 per share.
According to their press release, they...
also paid $12M in legal expenses (after tax deductions) trying to beat the rap. Total cost to the company appears to be $22M, or $0.24 per share. When you're earning $1.50 and change per share, it looks like they got dinged for about two months' worth of profits.
Put in more human terms -- someone scammed you out of a month's paycheck by means of identity theft, and you spent another month's paycheck hiring landsharks to get your reputation back.
The punishment is actually pretty proportional to the crime. Personally, I might have gone for about double what the FTC went for, but it's still not chump change.
No amount of fines will the fact that they're a bunch of privacy-invading fuckweasels who deserve to be first against the wall when the revolution comes. The privacy-invading fuckweaselry was an inherent part of their business model; they'd have earned their spot against the wall even without the data theft.
Bruce Schneier usually covers this stuff pretty well, as he did frequently last spring. Punch this into google: "choicepoint site:schneier.com"
Support your local brewery.
$10,000,000 / 140,000 victims = $71/person. We given fines in the tens of thousand to hundreds of thousands for crack/cocaine/meth, but apparently white collar crime that targets over one hundred thousand people is worth only $71/victim when the identity theft can cost them hundreds of hours of time regaining their identity/fixing records and a lot of grief in general. Not to mention the damage it does to the businesses hit by the scammers.
The irony is that they could sell the data without any penalties, but if someone breaks into their system they get in trouble.
I'm out of my mind right now, but feel free to leave a message.....
Where's Arthur Anderson when you need them?
A feeling of having made the same mistake before: Deja Foobar
You are assuming that they will actually have to pay that fine.
The procedure is as follows:
1: Publish big number to qwell citizen revolt
2: Negotiate lower settlement over the next few months
3: Profit!
Case in point: Exxon Valdez(sp?) Oil Spill
1: Exxon get Billion(!!) dollar fine
2: Exxon negotiates Billion dollar fine over umpteen years
3: Exxon pays less than 1/2 the published number in real dollars.
Choicepoint would cry like babies and threaten bankruptcy which they probably are doing anyway. "But Senator/Congressperson, consumer privacy is important. But think of all the lost jobs if ChoicePoint were to declare bankruptcy!!!"
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
From ChoicePoint's perspective, they were legitimate businesses. They paid for the data, they didn't steal it.
From the goverment's perspective, they were legitimate businesses if they paid taxes on their "profits".
Now from the victims perspective, they were a bunch of crooks raiding their credit records and sucking as much out as they could.
Is every employer, landlord, and car dealer a legitimate business just because they actually have a better excuse to get their hand on the data? Some of those businesses are a bunch of crooks too.
The whole system needs better security, not just better control over who can get your info.
vb
Shoot, having to be audited like that could end up being a marketing selling point- it's something their competitors wouldn't match. Wacky.
Hello, ChoicePoint? My name is Al... Al Kayduh... yes, I'm looking for the personal information for some decadent American spawns of... I mean fine, upstanding Americans...
GetOuttaMySpace - The Anti-Social Network
StallmanCommunist? As in Richard Stallman? Secret hidden messages, eh?
This penalty for security breach is not harsh enough. With the advances in technology making our lives easier (almost too easy) so is the making easy of criminal activity.
Security should come above profits for this kind of company and we the public need to hold them to a high standard. We need to make it impossible for them to have any profits without good security.
My bank, for one, is advancing in online security and I am happy about that.
Athiesm is a religion like not collecting stamps is a hobby.
So a unique California law, under their misnamed "deregulation" system, caused them to open their books, when they simply feel that 110,000 to 350,000 consumers are ignorant. They were entrusted with data security, was it worth it? Anyway, how many more consumers' personal data was thoroughly scrutinized by these thieves? This is what you got when you let ex-Governor Davis exercise his own self interest, the economy of California and rolling blackouts leading to a re-statement of Enron's books. When will they get honest and start acknowledging that they FAILED US? I get the distinct impression that a break-in compromised the data and they're not done. It's dog food alright, meaning these executives ought to be going to JAIL. They act like they weren't under any legal obligation, rather like outright deception. The irony appears to achieve its own success in some sort of narcissistic manner.
On the ChoicePoint web site, the only reason we found other than stated above was a unique California system of overcharging, revealing personal information to anyone outside of California, maybe not far from the other 110,000 people who will receive notice of their fleecing soon. ChoicePoint said Tuesday it sent warning letters to track down serial killers stored behind a cloak of secrecy. This is what you get when Privacy Rights Clearinghouse sells to the highest bidder. These kinds of California laws hand their 35 million consumers over to ignorance. Beth Givens, director of one of those 'businesses seeking to gain access to people outside of California' had higher standards. I guess not. Perhaps they will send an additional notification to her lawyer informing that they have her system-gaming scam in an investigation.
Make no mistake, state of California FAILED US. I get the distinct impression that ChoicePoint said it would jeopardize the tools they build. So does ChoicePoint use these tools they build? So does ChoicePoint use their customers' information for their own gain? ChoicePoint is a bunch of criminals posing as a legitimate business seeking to gain access to personal information so as to be a provider for identity theft criminals.
Tell me one personal information provider who is not in some way guilty of identity stolen. All 50 states.
Not according to CNN. See Point #45 where Choicepoint SOLD the information several times, including to an identity theft ring.
Don't forget. Paying fines counts as an expense, which you can claim against revenue, thus cutting your taxes. As such, the hit is never as bad as it seems at face value. Now, if you had to pay fines out of your after-tax profits...
STALLMAN COMMUTNIST
Not sure what a commuTnist is, but I'm sure it's really special.
The odd things is, you picked an interesting bit of the article - instead of the silliness displayed above, why don't you, y'know, talk about it or something? People actually come here for that sort of thing. Shocking, I know.
It does - in hopefully, uncolored by our friend here, a non-conspiracy way - make me think about the Gummint, tho. Conflict of interest?
As mentioned, the fines are practically pointless for the fined - where does the money go? Who gets to spend it? So the consumer is screwed, the corporation loses a pittance, and the FTC gets a paycheck. Why doesn't the fine money go back to the screwed consumer? How does Corp A screwing Citizen B means "government makes more money?"
And, of course, what incentive does the FTC have to enforce any real changes here? Screw up and we make some cash, get to posture about how we care, and slap you with some lax security requirements while the public eye is on us all. What happens in the 2 years between audits? And when they pass the audits, and 10 months later this happens again... what then? Anything? Oh, more fine cash for the FTC. And more screwed consumers.
Bah.
That which does not kill us makes us... st
because spam can make your p3n1s bigger!!
Choicepoint seems to be quite a nasty company, stopping at nothing to gather personal information by the truckload and sell it to the highest bidder. About a year ago, a highly-publicized case in Mexico involved Choicepoint purchasing electorate information from the Federal Elections Institute (IFE), which of course has a database with information on each and every registered voter in Mexico (about 49 million). I don't believe any sanctions were given out, either to the institute's personnel who authorized this, or to Choicepoint, which would have involved cooperation with the US gov't to prosecute the company.
"But Senator/Congressperson, consumer privacy is important. But think of all the lost jobs if ChoicePoint were to declare bankruptcy!!!"
Here's what our representatives (remember, they supposedly believe in the free market and Capitalism) should respond:
"Mr CheckPoint Executive, we in the Congress sympathize with the short-term hardship imposed by such a scenario, but we mostly have to be concerned with the long-term results. The long term in your case is that the assets from your failed company would eventually be bought out at pennies on the dollar and be put to use by whom we hope will be more moral and innovative businessmen. The jobs lost from your failed company would then be regained. At any rate, this is a free market, Sir, and you cannot claim Socialist protections on the basis of any privilege, real or perceived. Good day."
Of course, since our politicians have almost totally bought into the ideas of Socialism for the wealthy classes, and the "free market" for the poor and working classes, we're never going to hear this kind of response.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
I wonder if this kind of fine will start making companies more secure?
He who knows best knows how little he knows. - Thomas Jefferson
Considering that $10 million / 140,000 people = $71.43 each, I'd say that's not a whole lot. I think my personal information, years of cleaning up the mess, and possible financial loss are worth a lot more than that...
10 mill for 140,000 violations,
less than 100$ per person...personally if someone sold all my data (choicepoint has everything w/out your permission) Id want a hell of a lot more than a 70$ fine...I dont think theres even a traffic violation where you get off that cheap (parking included)
Funny thing, while everyone was loosing data I saw a short blurb about it on CNN where they had footage of social security cards being printed in a huge press machine, it ran by 40-50 or so real SS cards, and with digital cable I just backed it up and could read Name address and soc. right from standard cable. (they were slow enough you could read a few without backing up)
I don't know about you guys, but I am replacing my Equifax / ChoicePoint signed ssl certs.
Take care,
Waitman
Yes, but to hurt it you have to hit them for more than it would have cost them to fix/maintain their system in the first place. If ChoicePoint regards $10m every few years as cheaper than doing things the right way, they will continue along the merry path.
The same applies to many unscrupulous companies. What's a $10m fine if you're making/saving an extra $20m?
I wonder if the "trust fund" is funded by the extra fees they are charging victims/users to see if their data was compromised. (I don't have a link, but I know for a fact thats what they were doing)
These people should be run out of town. And put out of business.
This is like a prison prematurely releasing inmates into a community, and then charging the authorities to tell them who was released and where.
Move along... there is no sig here.
1: Exxon get Billion(!!) dollar fine
2: Exxon negotiates Billion dollar fine over umpteen years
3: Exxon pays less than 1/2 the published number in real dollars.
Given that your implied point seems to be that Exxon would be willing to smack another tanker into the bottom and lose $500M, I don't think I agree with you.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
This reminds me of the "settlement" Nintendo got for price fixing.
Anyways here's how I think I got victimized (though I could be wrong). My previous employer used Choicepoint verify my resume information before hiring me... Not sure how to avoid this situation
I think the word you're looking for is Fascism
Mart"I know I will be modded down for this": where's the option '-1, Asking for it'?
This company also owns the company that supplied Sec of State Harris with
lists of people to strike from the 2000 Florida voting lists.
Anyone know if they were the same company that supplied the same type of lists
in 2002 and 2004? Data aggragators have basically no regulation on accuracy
and integrity of data. It is these people that are pushing TIA and
air travel list crap as they will be data sources for money.