States settle with ChoicePoint over 2004 breach

Data broker ChoicePoint Inc. will pay US$500,000 and has agreed to change the way it screens new customers under a multistate settlement for a 2004 data breach.

The settlement, announced Thursday, covers complaints from 43 states and the District of Columbia following the 2004 data breach affecting 163,000 U.S. residents. The company announced in early 2005 that identity thieves had set up fake businesses as a way to buy personal information from ChoicePoint.

States will likely use the $500,000 for attorney’s fees and court costs, Washington state Attorney General Rob McKenna said in a news release. Consumers affected by the ChoicePoint breach can seek redress under a separate settlement with the U.S. Federal Trade Commission, announced in January 2006. In the settlement with the FTC, ChoicePoint agreed to pay a $10 million fine and another $5 million for consumer redress.

Consumers affected by the breach have until June 22 to file claims with the FTC. The FTC has identified about 1,400 consumers who had out-of-pocket expenses due to the breach.

The settlement with the states represents the first time a data broker has agreed to safeguard publicly available information in the same way that financial information is protected by law, McKenna said.

“As part of the settlement, ChoicePoint will make significant changes to the way the company screens new customers,” McKenna said in a statement. “New credentialing methods … will help ensure that sensitive data is better protected and shared with only legitimate businesses, not identity thieves.”

ChoicePoint has made significant improvements in its privacy protection efforts, the company said in a statement.

“In the eyes of many of our harshest critics … ChoicePoint has become a ‘model’ of privacy protection,” Matt Furman, ChoicePoint vice president for corporate communications, said in a statement. The company expects that the changes it is making as part of its agreement with the states “will ultimately be where the entire industry finds itself” as far as protecting data, he said.

The settlement also calls on ChoicePoint to work with state attorneys general to fund consumer education programs on identity theft, the company said.

The Washington Attorney General’s Office sent the settlement agreement to Thurston County Superior Court Thursday. A judge must approve the agreement before it becomes final.

ChoicePoint collects and sells personal information about consumers, including names, Social Security numbers, and birth dates, employment information and credit histories. The company provides credential verification services to more than 50,000 businesses, government agencies and nonprofit organizations.