Slashdot Mirror


ChoicePoint Hit With Large Fine For Data Theft

Lam1969 writes "The U.S. Federal Trade Commission has fined ChoicePoint $10 million for a data breach that allowed identity thieves posing as legitimate businesses to steal social security numbers, credit reports, and other data from nearly 140,000 people. This is the largest fine ever levied by the FTC. ChoicePoint also has to set up a 'trust fund' for people victimized by identity thieves. From the article: 'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'" BusinessWeek has some background information on this breach.


  1. Chump Change with their Revenues by WebHostingGuy · · Score: 4, Informative

    For the three months ending Dec. 31, ChoicePoint said it earned $27.68 million on revenues of over one billion dollars in 2005

    --
    Quality Hosting e3 Servers
    1. Re:Chump Change with their Revenues by Alex+P+Keaton+in+da · · Score: 3, Interesting

      Not just that, but the fact that financial institutions really don't help you once you get your ID stolen...
      http://moneycentral.msn.com/content/Banking/Better banking/P142361.asp
      Banks hang fraud victims high and dry
      If a thief uses a stolen ATM card or checks to pilfer your accounts, you may not get much sympathy from your bank -- or any of your money back.
      By Liz Pulliam Weston
      Lesa Henderson of San Diego was shocked when her husband's paycheck suddenly disappeared from their checking account. But their troubles were just beginning.
      An acquaintance who stole both Henderson's debit card and checks from her checkbook had drained every penny from the account. The Hendersons' bank initially restored some of the lost money, which the thief promptly stole. The bank then decided the thefts were Lesa's fault because she had allowed the thief into her home. The bank demanded the Hendersons pay back the restored funds, plus all the fees from bounced checks. Furthermore, it refused to let the Hendersons close the compromised account because it was overdrawn.
      http://moneycentral.msn.com/content/Banking/Better banking/P142361.asp

      --
      And All I Ask is a Tall Ship And a Star to Steer Her By
    2. Re:Chump Change with their Revenues by shotfeel · · Score: 4, Insightful

      When you take that $10 million out of the $27.68 million, I'd say that's a pretty big percentage of your profits gone. The idea is to punish the company, not kill it.

      OTOH, considering what happened, maybe that wouldn't be such a bad idea...

    3. Re:Chump Change with their Revenues by WebHostingGuy · · Score: 3, Informative

      Not quite. The profit is after expenses. However, if you have taken accounting you will know you get to take out expenses for which you did not actually pay any money (think depreciation, it is a non-cash outlay expense which you get to take over time). To actually look at the impact of the fine you have to look at what their actual cash flow is. From their statement:

      - Net free cash flow (net cash provided by operations less capital expenditures) was $180.2 million for the twelve months ended December 31, 2005, which compares to net free cash flow of $182.1 million for the same period in 2004. Excluding the cash paid during 2005 related to the fraudulent data access discussed above, net free cash flow would have been $193.8 million for 2005.
      - During 2005, approximately 2.9 million shares were repurchased for $125.6 million at an average price of $42.59, leaving $124.4 million authorized in the Company's buyback program.

      If you see the end number they had cash coming in in 2005 of $180.2 million dollars. It would have been $193.8 million but they had to pay the lawyers fighting this fine. And if you add in what they spent buying back their own stock their cash coming in from revenues is $180.2 + $125.6 = $305.8 million dollars. And if you add in what they spent on legal fees fighting this equals $319.4 million dollars. Subtract $10 million from this number and you get chump change.

      --
      Quality Hosting e3 Servers
  2. Not enough by voice_of_all_reason · · Score: 4, Funny

    I was expecting something a little more Barad-Dur-ish. You know, heads of traitors impaled on the bridge as a warning to others.

  3. What it should be for everyone by ZachPruckowski · · Score: 5, Insightful

    'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'

    Every company should undergo a comprehensive security audit every two years. I mean, security in Jan 2004 is rather different from security in Jan 2002, and both are way different from security today. A system that might have been thought to be secure 2 years ago isn't so hot right now. If I ran a huge, profitable company, I would assign a few people to try to break into my company full-time.

  4. Good, but not good enough by swillden · · Score: 3, Interesting

    I'm happy to see regulators stepping in. Security of other people's data is a big problem, and it's going to be a much bigger problem. However, I think this is the wrong approach. I think the right approach is actually much simpler than lots of regulatory oversight: Make companies liable for misuse of data that they collected and lost or misplaced. In fact, make them not only liable for direct damages, but award punitive damages as well. Also, the plaintiff should not have a large burden of proof that it was actually company X's loss of the data that led to the damage. If company X had the data, and there is a preponderance of evidence that company X let the data escape, X should be liable for the damages even if it's possible that the bad guys actually got the data somewhere else.

    That may seem unreasonable, but I have a very specific reason for that "extreme" position. We want companies who use customer data to be very, very reluctant to collect any data they don't absolutely need, and we want them to be anxious to destroy that data as quickly as possible so that there is no possibility it may be compromised.

    As long as corporations see more potential gain than loss in collecting and hoarding personal details, they'll do it. Regulators may slow them down a bit, or force them to be a little more careful, but the best solution is to convince them that they do not want it.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Good, but not good enough by swillden · · Score: 4, Insightful

      If company X had the data, and there is a preponderance of evidence that company X let the data escape, X should be liable for the damages even if it's possible that the bad guys actually got the data somewhere else.

      Oh, one more thing: disclosure of security breaches should be mandatory (with some latitude for delaying until the problem can be fixed, but not much). Failure to disclose security breaches should be a felony. If some manager decides to try to hide it, that person should be charged with a crime and sent to prison, along with anyone who agreed with him or her (i.e. his or her co-conspirators).

      Corporations should be terrified of the effects of security breaches involving other people's data, and employees need to be terrified of doing anything but blowing the whistle when those breaches occur.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. The sad thing is by hsmith · · Score: 3, Informative

    It is impossible not to have your ID stolen through not YOUR actions, but others', nowadays. I had mine compromised 3 times last year due to employers as well as corporations that have my personal information. I mean, what can you really do when a company refuses to protect your identity? You can't sue, because there are no laws on the books. Yes, I took my business elsewhere, but what happens when you lose money due to others' mishaps and ignorance? I guess it is time to get "ID Loss Insurance" for another $30/month. Ugh.

    1. Re:The sad thing is by nickname225 · · Score: 4, Insightful

      I'm a lawyer - although tort is not my area of specialization. It's not really necessary for there to be a specific law on the books to sue someone who has caused you damage. In this case you could sue under a general negligence theory. The basic elements of negligence are 1) Did the company have a duty 2) Was that duty breached 3) Was the breach a cause in fact of the damage & 4) Did actual damage occur. If you analyze this case under general negligence theory - 1) Choice Point clearly had a duty to safeguard sensitive personal information 2) That duty was clearly breached 3) The breach would be a cause in fact if your identity is stolen 4) So - if you suffer actual damage as a result of this theft - you should have a negligence action against Choice Point. Now - it is possible that they are in some way immunized from suit by some statute - but I don't recall anything of the sort.

  6. More Material (B. Schneier) by alfalfro · · Score: 3, Informative

    Bruce Schneier usually covers this stuff pretty well, as he did frequently last spring. Punch this into google: "choicepoint site:schneier.com"

    --
    Support your local brewery.
  7. Your identity is worthless to the feds by MikeRT · · Score: 5, Insightful

    $10,000,000 / 140,000 victims = $71/person. We give fines in the tens of thousands to hundreds of thousands for crack/cocaine/meth, but apparently white collar crime that targets over one hundred thousand people is worth only $71/victim when the identity theft can cost them hundreds of hours of time regaining their identity/fixing records and a lot of grief in general. Not to mention the damage it does to the businesses hit by the scammers.

  8. Re:Fatal Assumptions by mpapet · · Score: 3, Interesting

    You are assuming that they will actually have to pay that fine.

    The procedure is as follows:

    1: Publish big number to quell citizen revolt
    2: Negotiate lower settlement over the next few months
    3: Profit!

    Case in point: Exxon Valdez(sp?) Oil Spill
    1: Exxon gets Billion(!!) dollar fine
    2: Exxon negotiates Billion dollar fine over umpteen years
    3: Exxon pays less than 1/2 the published number in real dollars.

    Choicepoint would cry like babies and threaten bankruptcy which they probably are doing anyway. "But Senator/Congressperson, consumer privacy is important. But think of all the lost jobs if ChoicePoint were to declare bankruptcy!!!"

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  9. Who defines a "legitimate businesses" by vinn01 · · Score: 4, Interesting

    ... allowed identity thieves posing as legitimate businesses ...

    From ChoicePoint's perspective, they were legitimate businesses. They paid for the data, they didn't steal it.

    From the government's perspective, they were legitimate businesses if they paid taxes on their "profits".

    Now from the victims' perspective, they were a bunch of crooks raiding their credit records and sucking as much out as they could.

    Is every employer, landlord, and car dealer a legitimate business just because they actually have a better excuse to get their hands on the data? Some of those businesses are a bunch of crooks too.

    The whole system needs better security, not just better control over who can get your info.

    vb

  10. Red Flags by Billosaur · · Score: 3, Funny

    In its decision, the FTC slammed ChoicePoint, saying that it did not have reasonable procedures in place to screen prospective subscribers and that it turned over sensitive personal information to subscribers whose applications raised obvious red flags.

    Hello, ChoicePoint? My name is Al... Al Kayduh... yes, I'm looking for the personal information for some decadent American spawns of... I mean fine, upstanding Americans...

    --
    GetOuttaMySpace - The Anti-Social Network
  11. "Accidentally" leaked info? by RandoX · · Score: 3, Informative

    Not according to CNN. See Point #45 where Choicepoint SOLD the information several times, including to an identity theft ring.