ChoicePoint Hit With Large Fine For Data Theft
Lam1969 writes "The U.S. Federal Trade Commission has fined ChoicePoint $10 million for a data breach that allowed identity thieves posing as legitimate businesses to steal social security numbers, credit reports, and other data from nearly 140,000 people. This is the largest fine ever levied by the FTC. ChoicePoint also has to set up a 'trust fund' for people victimized by identity thieves. From the article: 'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'" BusinessWeek has some background information on this breach.
'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'
Every company should undergo a comprehensive security audit every two years. I mean, security in Jan 2004 is rather different from security in Jan 2002, and both are way different from security today. A system that might have been thought to be secure 2 years ago isn't so hot right now. If I ran a huge, profitable company, I would assign a few people to try to break into my company full-time.
When you take that $10 million out of the $27.68 million, I'd say that's a pretty big percentage of your profits gone. The idea is to punish the company, not kill it.
OTOH, considering what happened, maybe that wouldn't be such a bad idea...
It's the earnings, not the revenues. Earnings are revenues minus expenses. You could have revenues of a trillion dollars, but if your expenses are $999,999,999 then you've only earned a dollar in profit. If your expenses are $1,000,000,000,001, then you're in the red. Either way, it would mean that $10 million isn't something you have lying around.
Stock prices should be based on earnings rather than revenue. People looked heavily at revenue of tech startups because they were assumed to have high one-time building expenses (new server farms, new offices, etc), so the idea was that next year those high revenues wouldn't be offset by high expenses, and earnings would be high. Sometimes that was true; sometimes it wasn't. Investors who invested solely based on revenue lost it all when the bubble burst.
Still, in this case $10 million is 1/3 of one year's revenues. That'll sting much more than bringing up the number "$1 billion" implies, though ultimately it's still not all that much. I'd have liked to have seen them hit harder; several years' profits at least. That hammers the stock price without immediately putting the company out of business (and the workers out of work).
If company X had the data, and there is a preponderance of evidence that company X let the data escape, X should be liable for the damages even if it's possible that the bad guys actually got the data somewhere else.
Oh, one more thing: disclosure of security breaches should be mandatory (with some latitude for delaying until the problem can be fixed, but not much). Failure to disclose security breaches should be a felony. If some manager decides to try to hide it, that person should be charged with a crime and sent to prison, along with anyone who agreed with him or her (i.e. his or her co-conspirators).
Corporations should be terrified of the effects of security breaches involving other people's data, and employees need to be terrified of doing anything but blowing the whistle when those breaches occur.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
$10,000,000 / 140,000 victims = $71/person. We give fines in the tens of thousands to hundreds of thousands for crack/cocaine/meth, but apparently white collar crime that targets over one hundred thousand people is worth only $71/victim when the identity theft can cost them hundreds of hours of time regaining their identity/fixing records and a lot of grief in general. Not to mention the damage it does to the businesses hit by the scammers.
The irony is that they could sell the data without any penalties, but if someone breaks into their system they get in trouble.
I'm a lawyer - although tort is not my area of specialization. It's not really necessary for there to be a specific law on the books to sue someone who has caused you damage. In this case you could sue under a general negligence theory. The basic elements of negligence are 1) Did the company have a duty? 2) Was that duty breached? 3) Was the breach a cause in fact of the damage? 4) Did actual damage occur? If you analyze this case under general negligence theory - 1) ChoicePoint clearly had a duty to safeguard sensitive personal information 2) That duty was clearly breached 3) The breach would be a cause in fact if your identity is stolen 4) so - if you suffer actual damage as a result of this theft - you should have a negligence action against ChoicePoint. Now - it is possible that they are in some way immunized from suit by some statute - but I don't recall anything of the sort.
Absolutely. There is a general unwillingness to deal with privacy as a major issue here. I would claim that privacy is a basic right that citizens should demand, and it should be legislated into government. There is a privacy commissioner in Canada and associated legislation that can be enforced; similar governmental structures exist in Europe. For all of the free-market talk and general wish for lack of interference in personal life, wouldn't it make sense for American government to serve the people in a manner that everyone can agree with, by creating safeguards and services that protect our privacy?