ChoicePoint Hit With Large Fine For Data Theft
Lam1969 writes "The U.S. Federal Trade Commission has fined ChoicePoint $10 million for a data breach that allowed identity thieves posing as legitimate businesses to steal social security numbers, credit reports, and other data from nearly 140,000 people. This is the largest fine ever levied by the FTC. ChoicePoint also has to set up a 'trust fund' for people victimized by identity thieves. From the article: 'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'" BusinessWeek has some background information on this breach.
For the three months ending Dec. 31, ChoicePoint said it earned $27.68 million on revenues of over one billion dollars in 2005
I was expecting something a little more Barad-Dur-ish. You know, heads of traitors impaled on the bridge as a warning to others.
'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'
Every company should undergo a comprehensive security audit every two years. I mean, security in Jan 2004 is rather different from security in Jan 2002, and both are way different from security today. A system that might have been thought to be secure 2 years ago isn't so hot right now. If I ran a huge, profitable company, I would assign a few people to try to break into my company full-time.
If company X had the data, and there is a preponderance of evidence that company X let the data escape, X should be liable for the damages even if it's possible that the bad guys actually got the data somewhere else.
Oh, one more thing: disclosure of security breaches should be mandatory (with some latitude for delaying until the problem can be fixed, but not much). Failure to disclose security breaches should be a felony. If some manager decides to try to hide it, that person should be charged with a crime and sent to prison, along with anyone who agreed with him or her (i.e. his or her co-conspirators).
Corporations should be terrified of the effects of security breaches involving other people's data, and employees need to be terrified of doing anything but blowing the whistle when those breaches occur.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
$10,000,000 / 140,000 victims = $71/person. We give fines in the tens of thousands to hundreds of thousands for crack/cocaine/meth, but apparently white collar crime that targets over one hundred thousand people is worth only $71/victim when the identity theft can cost them hundreds of hours of time regaining their identity/fixing records and a lot of grief in general. Not to mention the damage it does to the businesses hit by the scammers.
From ChoicePoint's perspective, they were legitimate businesses. They paid for the data, they didn't steal it.
From the government's perspective, they were legitimate businesses if they paid taxes on their "profits".
Now from the victims' perspective, they were a bunch of crooks raiding their credit records and sucking as much out as they could.
Is every employer, landlord, and car dealer a legitimate business just because they actually have a better excuse to get their hand on the data? Some of those businesses are a bunch of crooks too.
The whole system needs better security, not just better control over who can get your info.
vb
I'm a lawyer - although tort is not my area of specialization. It's not really necessary for there to be a specific law on the books to sue someone who has caused you damage. In this case you could sue under a general negligence theory. The basic elements of negligence are 1) Did the company have a duty 2) Was that duty breached 3) Was the breach a cause in fact of the damage & 4) Did actual damage occur. If you analyze this case under general negligence theory - 1) ChoicePoint clearly had a duty to safeguard sensitive personal information 2) That duty was clearly breached 3) The breach would be a cause in fact if your identity is stolen 4) So - if you suffer actual damage as a result of this theft - you should have a negligence action against ChoicePoint. Now - it is possible that they are in some way immunized from suit by some statute - but I don't recall anything of the sort.