The penalties imposed on ChoicePoint are "a seminal reaction regarding information security" on the part of the FTC, said Christopher Ford, an attorney at Alston & Bird LLP in Washington. Future victims of identity theft will be able to point to last week's settlement and say to a company whose data was breached, "Look, you owe me something," Ford said.

The FTC charged that ChoicePoint failed to comply with its data protection obligations under the Fair Credit Reporting Act and made false and misleading statements about its data privacy policies.

In addition to paying the $10 million civil penalty, the Alpharetta, Ga.-based company will set up a $5 million trust fund that will be administered by the FTC for consumers who may have been victimized as a result of the security breach. The financial records of about 162,000 people were potentially compromised.

ChoicePoint also has to establish and maintain a comprehensive information-security program and submit to third-party audits of its data security procedures every two years for the next 20 years, according to the FTC.

Guarding both doors