ChoicePoint, Inc. Agrees to Supplemental Provisions with Federal Trade Commission
ALPHARETTA, GA – ChoicePoint, Inc. ("ChoicePoint") today announced that it agreed with the Federal Trade Commission ("FTC") to supplement the Stipulated Final Judgment and Order ("Final Order"), originally entered on February 15, 2006, with certain additional reporting and assessment provisions. The agreement follows concerns expressed by the FTC arising from an incident in which a former ChoicePoint government customer failed to properly safeguard one of its user IDs. The former government customer's failure to properly safeguard its user ID and password resulted in unauthorized access to a ChoicePoint database through ChoicePoint's AutoTrack XP product from August 8, 2008 to September 8, 2008. The database did not contain personal information subject to the Fair Credit Reporting Act and no information provided by ChoicePoint's customers was compromised. The unauthorized access occurred prior to the acquisition of ChoicePoint by Reed Elsevier on September 19, 2008. In September and October 2008, the former ChoicePoint government customer issued notices to individuals who may have had their personal information viewed inappropriately.
ChoicePoint notified the FTC and other regulatory entities of the former government customer's failure to properly safeguard one of its user IDs. The FTC expressed concerns that not detecting the former government customer's inappropriate access was inconsistent with ChoicePoint's obligations under the Final Order, which ChoicePoint denies. Notably, the Supplemental Order does not allege any current or ongoing violations of ChoicePoint's Final Order. Following the incident and acquisition by Reed Elsevier, new policies and practices were put into place to enhance the strength and quality of ChoicePoint's security. As part of that effort, certain security enhancements were made to the ChoicePoint product at issue including providing additional information and steps customers could take to further safeguard their IDs and passwords. The "strengthened data security requirements" referenced in the FTC news release of October 19, 2009 pre-dated and were not a result of the Supplemental Order and were adopted by ChoicePoint on its own. The Supplemental Order does not impose a strengthening of substantive data security requirements. In addition, a version of the FTC news release states that there were "thousands" of unauthorized searches. In fact, there were 818.
As part of the Supplemental Order, ChoicePoint will contribute $275,000 into a fund administered by the FTC for general consumer redress and other consumer relief and adhere to additional reporting and assessment requirements.
ChoicePoint strives to protect the personal information that it maintains and disseminates so it is not accessed impermissibly. This includes the use of appropriate administrative, physical, and technical safeguards. Over the past several years, ChoicePoint has devoted substantial resources to enhancing the strength and quality of its security policies and practices. ChoicePoint's dedication to the security of personal data has been acknowledged by multiple experts in data privacy and security.
For additional information, please contact: 1.800.227.9597, ext. 56044