FTC Sues ChoicePoint for Sale of Consumer Data to Identity Thieves

January 26, 2006. The Federal Trade Commission (FTC) filed a four count civil complaint [14 pages in PDF] in U.S. District Court (NDGa) against ChoicePoint alleging violation of the Federal Trade Commission Act (FTCA) and the Fair Credit Reporting Act (FCRA) in connection with its sale of personal data to identity thieves.

The FTC and ChoicePoint simultaneously filed a joint proposed stipulated final judgment [29 pages in PDF]. It provides that "Defendant makes no admissions to, and denies, the allegations in the Complaint, other than the jurisdictional facts", but that it is enjoined from violating the FTCA and the FCRA, that it will pay a "civil penalty" of $10 Million, and pay $5 Million in consumer redress.

See also, FTC release. Deborah Majoras, the Chairman of the FTC, stated in this release that "The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves ... Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America."

ChoicePoint is a data aggregator and broker. It sells consumers' personal information to government agencies, law enforcement entities, and private sector entities, for, among other purposes, identification, tenant screening, and credential verification. It also sold consumer data to identity thieves.

The FTC complaint states that "In February 2005, pursuant to a California state law requirement, ChoicePoint notified approximately 35,000 California consumers that it may have disclosed their personal information to persons who did not have a lawful purpose to obtain the information. Subsequently, ChoicePoint notified approximately 111,000 consumers outside of California that their information may have been compromised. More recently, it notified an additional 17,000 consumers, bringing the total to 163,000. In all cases, the information disclosed by ChoicePoint included unique identifying information that facilitates identity theft, such as dates of birth and Social Security numbers, as well as nearly 10,000 credit reports. At least 800 cases of identity theft arose out of these incidents."

The complaint further states that "The persons who obtained this consumer information submitted applications to ChoicePoint and were approved by the company to be subscribers authorized to purchase ChoicePoint products and services. The applications contained false credentials and other misrepresentations, which ChoicePoint failed to detect because it had not implemented reasonable procedures to verify or authenticate the identities and qualifications of prospective subscribers."

For example, ChoicePoint accepted "facially contradictory or illogical application information".

Count I of the complaint alleges violation of Section 604 of the FCRA, which is codified at 15 U.S.C. § 1681b. This section prohibits a consumer reporting agency (CRA) from furnishing a consumer report except for specified permissible purposes. The complaint alleges that ChoicePoint violated this section by selling consumer reports for non-permissible purposes.

Count II of the complaint alleges violation of Section 607(a) of the FCRA, which is codified at 15 U.S.C. § 1681e(a). This section requires CRAs to maintain reasonable procedures to limit the furnishing of consumer reports to the purposes listed under Section 604 of the FCRA, including making reasonable efforts to verify the identity of each new prospective user of consumer report information and the uses certified by each prospective user prior to furnishing such user a consumer report.

Count III of the complaint alleges violation of Section 5 of the FTCA, which is codified at 15 U.S.C. § 45(a). It provides, in part, that "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful."

The complaint alleges that ChoicePoint's failure to "employ reasonable and appropriate security measures to protect consumers' personal information" is an unfair act or practice in violation of Section 5 of the FTCA.

Count IV of the complaint also alleges violation of Section 5 of the FTCA. This count alleges that ChoicePoint violated Section 5 by violating the privacy policy published in its web site, which asserts that it has implemented reasonable and appropriate measures under the circumstances to maintain and protect the confidentiality and security of consumers' personal information.

The complaint names only one defendant, ChoicePoint, Inc.

Also, the complaint does not allege that ChoicePoint has sold data products, without complying with the FCRA, as non-FCRA regulated products, that are in fact products that fall within the scope of the FCRA. Nor does the complaint allege any violation of the FTCA for sale of products that fall outside of the scope of the FCRA, but that nevertheless circumvent the policy that underlies the FCRA.

For example, on December 16, 2004, the Electronic Privacy Information Center (EPIC) wrote a letter to the FTC in which it urged the FTC to investigate this topic. The EPIC asserted that data aggregation companies are now structuring their electronic databases, and data products, to fall outside of the scope of the FCRA, thereby threatening individual privacy, and the policy goals underlying the FCRA.

The EPIC wrote that "Americans face a return to the pre-FCRA era if companies like ChoicePoint can amass dossiers on Americans without compliance with any regime of Fair Information Practices. That era was marked by unaccountable data companies that reported inaccurate, falsified, and irrelevant information on Americans, sometimes deliberately to drive up the prices of insurance or credit. To some extent, this pre-FCRA area has returned." (Footnote omitted.)

See, story titled "EPIC Urges FTC to Open Investigation on Data Products and FCRA" in TLJ Daily E-Mail Alert No. 1,042, December 22, 2004.

FTC action on this issue could impact sales of data to government and law enforcement agencies.

ChoicePoint is represented in this action by Robert Belair, Karla Letsche and Kevin Coy of the law firm of Oldaker Biden & Belair, and by Joel Jankowsky and Daniel McInnis of the law firm of Akin Gump Strauss Hauer & Feld.

ChoicePoint issued a release on January 26, 2006, regarding its revenues. It reported "record total revenue of $1.1 billion for 2005, a 15 percent increase over total revenue in 2004."

It continued that "Full year 2005 Earnings Per Share ("EPS") from continuing operations was $1.53, which included a $0.24 per share dilutive effect of specific expenses related to the previously disclosed fraudulent data access, a probable settlement with the Federal Trade Commission ("FTC"), and the abandonment of certain leases."

It also stated that it "expects to finalize a settlement with the FTC regarding its investigation into the Company's compliance with federal laws governing consumer information security and related issues, including the fraudulent data access which occurred last year. The Company expects the terms of the settlement to call for a civil penalty, establishment of a fund to be administered by the FTC for consumer redress initiatives, completion of certain one-time and on-going customer credentialing activities such as additional site visits, and undertaking additional obligations relating to information security. As part of this settlement, the Company does not admit to the truth of, or liability for, any of the matters alleged by the FTC."

And, it stated that "On-going legal expenses related to the fraudulent data access are currently estimated at $4 to $6 million for 2006, exclusive of any potential settlements, with the majority of these expenses incurred during the first two quarters."

See also, stories titled "EPIC Seeks Congressional Hearing and FTC Workshop on Data Products and FCRA" in TLJ Daily E-Mail Alert No. 1,052, January 10, 2005; "ChoicePoint Describes Its Sale of Data to Identity Thieves" in TLJ Daily E-Mail Alert No. 1,081, February 23, 2005; "Senate Banking Committee Holds Hearing on Data Security" in TLJ Daily E-Mail Alert No. 1,093, March 11, 2005; "House Subcommittee Holds Hearing on Data Aggregators" in TLJ Daily E-Mail Alert No. 1,096, March 16, 2005; and "Senate Judiciary Committee Holds Hearing on Data Security" in TLJ Daily E-Mail Alert No. 1,115, April 14, 2005.

Also, on January 26, 2006, the Department of the Treasury (DOT) began sale of a DVD, for $2, titled "Identity Theft: Outsmarting the Crooks". See, DOT release.