This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers. According to the FTC, the breach occurred because ChoicePoint implemented a security tool designed to detect unauthorized access to its databases, but “failed to detect that the security tool was off” for a period of four months. Apparently, during this outtage, “an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers.” The unauthorized access apparently occurred between August 8, 2008 and September 8, 2008. According to ChoicePoint, the incident occurred because “a former ChoicePoint government customer failed to properly safeguard one of its user IDs.” (See ChoicePoint’s news release.) ChoicePoint voluntarily approached the FTC when it discovered the breach.
ChoicePoint, which suffered a more significant breach in 2005, was already subject to a 2006 order requiring that the company implement a comprehensive information security program. (See the FTC’s materials on the prior breach.) The FTC and ChoicePoint dispute whether the current breach was the result of failing to meet its security obligations under the 2006 order. The supplemental stipulated judgment entered this week (.pdf) provides that ChoicePoint will pay $275,000 into a fund to redress potential harm to consumers and submit to biennial security assessments.
This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools. In practice, many companies react to information security regulations by purchasing a suite of security products. But are these tools being utilized effectively? At least according to the FTC, companies may face sanctions if their adopted security measures are not turned on and managed appropriately.