Data broker ChoicePoint Inc. agreed to expanded data security reporting requirements and to pay $275,000 to settle Federal Trade Commission charges that it failed to follow a court order to protect consumers' personal data.
According to the FTC, the failure led to a data security breach last year that compromised the personal information, including Social Security numbers, of 13,750 people.
The breach occurred while Alpharetta, Ga.-based ChoicePoint, now a subsidiary of Reed Elsevier Inc., was under a court order stemming from a previous breach in 2005 that compromised the personal information of more than 163,000 consumers and resulted in at least 800 cases of identity theft, the FTC said Monday. The FTC's
The FTC said that in April 2008, ChoicePoint turned off a software tool that monitored access to one of its databases and left it off for four months. For 30 days while the monitoring tool was turned off, an intruder searched a company database containing sensitive consumer data. If the tool had been working, ChoicePoint would have detected the intrusions earlier, the FTC contends.
According to ChoicePoint, the data security breach occurred when a former government customer failed to properly safeguard one of its user IDs, which led to unauthorized access to one of ChoicePoint's databases through its AutoTrackXP product from Aug. 8, 2008 to Sept. 8, 2008. The database didn't contain personal information subject to the Fair Credit Reporting Act and no data provided by its customers was compromised, ChoicePoint said in a statement. The former government customer issued notices last September and October to people who may have had their personal information accessed, the company said.
The company denies the FTC's charge that not detecting the unauthorized access violated its obligations with the 2006 court order. ChoicePoint also noted that the breach occurred before its acquisition by Reed Elsevier.
The new settlement requires ChoicePoint to send detailed reports every two months for the next two years to the FTC about how it's protecting the breached database and other databases containing personal data. It also extends the monitoring requirements of the 2006 order and allows the FTC to ask for up to two more biennial assessments of the company's data security program.
In its statement, ChoicePoint took issue with the wording of the FTC's announcement on Monday, contending that the strengthened data security requirements referenced in the FTC release were not a result of the new court order but rather new security policies the company adopted on its own after last year's breach.
The $275,000 fine ChoicePoint agreed to pay will go into an FTC-administered fund for general consumer redress.
Thom VanHorn, vice president of global marketing at Application Security Inc., a New York-based database security company, said in an email that the FTC is "clearly sending a message that privacy is critical and compliance is absolutely mandatory in today's business environment."
He added, "It's important to point out that ChoicePoint is in the business of selling consumer information - even if they had a different business model, they still compromised that information not only by disclosing information to unauthorized parties, but also by not implementing appropriate safeguards."
A recent survey Application Security conducted with Enterprise Strategy Group showed that organizations suffer from a false sense of security, he said. Over 80% of the respondents said they had adequate security in place, but more than half had experienced a data breach within the past year.
Database attacks come from both inside and outside of organizations, VanHorn said.
"Inside, the issue is typically linked to inappropriate database access or excessive privileges," he said. "Externally, the issue is often linked to a compromised web app that an attacker penetrates to get to the database."