TMCnet News

ChoicePoint's 15 Million Dollar 'Whoops'
[January 27, 2006]

Editorial Director, CUSTOMER INTER@CTION Solutions
 
With a little luck, the companies that sell data security products should have a booming first quarter. In fact, their phones should be ringing off the hook right now.
 
The Federal Trade Commission announced today that consumer data broker ChoicePoint, Inc., which last year acknowledged the breach of 163,000 personal data records, will pay $10 million in civil penalties and $5 million in consumer redress to settle FTC charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. ChoicePoint obtains and sells to more than 50,000 businesses the personal information of consumers, including names, Social Security numbers, birth dates, employment information, and credit histories.


 
Fifteen million dollars…that's a big "whoops."

 
ChoicePoint was a participant in last year's Top 50 Teleservices Agencies Ranking, which is conducted annually by Customer Interaction Solutions magazine. The company was ranked number 18 on the domestic U.S. outbound list, and number 35 on the inbound list. The Top 50 companies are ranked by size according to the number of billable minutes racked up with their long-distance carriers in a 12-month period.
 
The settlement with the FTC was not only about money. It dictates that ChoicePoint must implement new procedures to make sure it provides consumer reports only to legitimate businesses for lawful purposes, establish and maintain a comprehensive information security program, and obtain audits by an independent third-party security professional every other year until 2026.
 
“The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”
 
To be fair to ChoicePoint, it's not the only company in the data breach hot seat. ChoicePoint was one of several companies that made up the first great wave of publicized data security breaches. A piece of California legislation that went into effect in July 2003, SB 1386, was the reason the general public even found out about the breaches. The law requires that companies that lose personal data notify those consumers whose data have been compromised. (Since these early breaches, several other states have passed similar laws.) What's disconcerting is that any personal data lost before this law went into effect in 2003, and any breaches that did not affect consumers in California, have very probably been swept under the rug, never to be heard about by the masses until the day John Q. Public starts receiving calls from collections agencies for the $30,000 he supposedly owes on a credit card he never opened.
 
It's important to note that ChoicePoint's data were not hacked or otherwise stolen. The information was sold, in a very "above board" way, to scammers posing as a legitimate business interest (albeit one using an anonymous mail drop as an address rather than a legitimate business address; perhaps that's what detectives call "a clue"). The FTC alleges that ChoicePoint did not have reasonable procedures to screen prospective subscribers, and turned over consumers’ sensitive personal information to subscribers whose applications should have raised red flags.
 
According to the FTC, this was not ChoicePoint's first mistake. The agency maintains that ChoicePoint failed to tighten its application approval procedures or monitor subscribers even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity going back to 2001.
 
As people and business owners, we're very good at deluding ourselves. Issues (and the subsequent fines) such as those experienced by ChoicePoint are always "someone else's problem." Too many companies today assume that because they've spent some money on data security procedures, they're safe. Not so, according to experts.
 
For a data security article in the October 2005 issue of Customer Interaction Solutions magazine, I spoke with security guru Bruce Schneier (www.schneier.com). He said that the best defense a company can invest in is continual security monitoring. "There's no other way to deal with unknown threats, dedicated attackers or employee error," he said. "If you don't know what's happening on your network, you don't have a chance of stopping the bad guys."
 
But what the ChoicePoint moral fable tells us is…it's crucial that you at least try.
 
Tracey Schelmetic is editorial director for CUSTOMER INTER@CTION Solutions. For more articles please visit Tracey Schelmetic’s columnist page.
 
 
 
