In addition to the penalty, which FTC Chairman Deborah Platt Majoras described as the largest ever levied by the agency, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach.
As part of its agreement with the FTC, Alpharetta, Ga.-based ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.
"This is an important victory for consumers," Majoras said. "This tells companies that they must protect sensitive consumer information. They must guard the front door as well as guard the back door against hackers."
ChoicePoint provides data to credit providers, government agencies, landlords and others who use personal information to grant loans, leases and other contracts.
It publicly acknowledged the data theft last February, but the incident itself took place in the fall of 2004. At the time it made the breach public, ChoicePoint said the theft happened when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers."
It also said later that was taking steps to better protect customer data, pointing to a "rigorous re-credentialing of broad categories of customer accounts," as well as changes that included masking or truncating sensitive personal identifier information, such as Social Security numbers and driver's license numbers.
The $10 million penalty is being levied for violations of the Fair Credit Reporting Act (FCRA), Majoras said. Though ChoicePoint collected and maintained billions of pieces of consumer data -- including consumer names, Social Security numbers as well as bank and credit card details -- the company failed to implement reasonable procedures for protecting the data, she said.
In its decision, the FTC slammed ChoicePoint, saying it did not have reasonable procedures in place to screen prospective subscribers, and turned over sensitive personal information to subscribers whose applications raised obvious 'red flags.' The FTC said ChoicePoint approved customers to its service who lied about their credentials and used commercial mail drops as business addresses. In addition, the applicants reportedly used fax machines at public commercial locations to send multiple applications for separate companies.
According to the FTC, ChoicePoint also failed to tighten its application approval procedures or monitor subscribers, even after it got subpoenas from law enforcement authorities alerting it to fraudulent activity that dated back to 2001.
The agency also charged that ChoicePoint violated the FTC Act by making false and misleading statements about its privacy policies.
Under the agreement with the FTC, ChoicePoint is barred from providing consumer reports to individuals and companies who cannot demonstrate a legitimate need for that information, Majoras said. To ensure complianace with that requirement, ChoicePoint will be required to certify the nature of the business of each of its subscribers and how they use consumer information, Majoras said.
ChoicePoint is also required to do site visits to authenticate its subscribers, except in cases where the company might have already done so. The company also must implement reasonable measures to ensure that its subscribers are using consumer information in the manner attested to in their applications, she said.
Until now, the largest civil penalty imposed by the FTC against a company was in March 2003, when the agency imposed a $7 million fine against Boston Scientific for anti-competitive practices.