Security Bytes

Jun 1 2007   11:05AM GMT

ChoicePoint to pay $500,000 to settle with 43 states and D.C.

David Schneier

ChoicePoint, the international poster child for data breaches, has agreed to a settlement with 43 states and the District of Columbia as a result of the incident in 2004 in which 145,000 consumer records were stolen. The settlement requires the company to install more stringent measures to control its data, and pay a fine of…wait for it…$500,000. No, there aren’t any zeros missing from that number. Nor is it $500,000 per state. That’s $500,000 total, or about $3.45 per stolen record. And that money is going to the states themselves and not the consumers who were actually affected by the breach.

Granted, ChoicePoint also has agreed to pay a $10 million fine to the FTC, but consumers won’t see any of that money either. Nor will the banks and credit unions and other institutions who bore much of the cost of the incident. What will go to consumers is $5 million in redress the company agreed to pay last year. But the idea that a $500,000 settlement is a just outcome from this mess doesn’t add up. That’s not much of a deterrent for a company that pulled in more than $1 billion in revenue last year.

Before the news of the data breach broke in early 2005, most consumers had no idea that ChoicePoint even existed, never mind what kind of data the company was collecting and reselling. There are plenty of other companies out there doing much the same thing, and it’s difficult to know what they’re doing to protect that data. But maybe they’d be better off in another line of business. Demand for stolen credit card numbers, Social Security numbers and bank account info is high right now, but so is the supply. If that supply should somehow begin to dry up, it may make more financial sense for companies to sell their records directly to the identity thieves, and then pay the fines on the back end if they ever get caught.


2  Comments on this Post

  • Michael Durnack
    I find it hard to fathom why everyone calls this a "data breach". There was no breach here, they handed the information over to the thieves. This gives people the impression they were hacked into or had a laptop stolen etc. This company was guilty of poor controls, lack of adequate procedures, and mismanagement. This was really a breach of trust.
  • Dennis Fisher
    An excellent point, Michael. I'm not sure what the right phrase is, but maybe security lapse or breakdown is closer to the truth.
