ChoicePoint, the international poster child for data breaches, has agreed to a settlement with 43 states and the District of Columbia as a result of the incident in 2004 in which 145,000 consumer records were stolen. The settlement requires the company to install more stringent measures to control its data, and pay a fine of…wait for it…$500,000. No, there aren’t any zeros missing from that number. Nor is it $500,000 per state. That’s $500,000 total, or about $3.45 per stolen record. And that money is going to the states themselves and not the consumers who were actually affected by the breach.
Granted, ChoicePoint also has agreed to pay a $10 million fine to the FTC, but consumers won’t see any of that money either. Nor will the banks and credit unions and other institutions who bore much of the cost of the incident. What will go to consumers is $5 million in redress the company agreed to pay last year. But the idea that a $500,000 settlement is a just outcome from this mess doesn’t add up. That’s not much of a deterrent for a company that pulled in more than $1 billion in revenue last year.
Before the news of the data breach broke in early 2005, most consumers had no idea that ChoicePoint even existed, never mind what kind of data the company was collecting and reselling. There are plenty of other companies out there doing much the same thing, and it’s difficult to know what they’re doing to protect that data. But maybe they’d be better off in another line of business. Demand for stolen credit card numbers, Social Security numbers and bank account info is high right now, but so is the supply. If that supply should somehow begin to dry up, it may make more financial sense for companies to sell their records directly to the identity thieves, and then pay the fines on the back end if they ever get caught.