ChoicePoint Settles With 43 States in Massive ID Breach

ChoicePoint Inc. (CPS) settled with 43 states and the District of Columbia over allegations that it failed to adequately secure consumers' personal information related to a breach of its database it disclosed in 2005.

The Alpharetta, Ga.-based consumer data provider has agreed to adopt significantly stronger security measures, including written certification for access to consumer reports and, in some cases, onsite visits by ChoicePoint to ensure the legitimacy of companies before they are allowed access to personally identifiable information.

The breach involved thieves posing as small business customers who gained access to ChoicePoint's database, possibly compromising the personal information of 163,000 people, according to the Federal Trade Commission.

ChoicePoint will now conduct periodic audits to ensure that companies are using consumer data for legitimate purposes, according to the settlement announced Thursday.

There is no fine, though ChoicePoint will pay $500,000 for state public education campaigns about identity theft.

"This step marks a historic first -- the first time a data broker has agreed to safeguard certain sensitive publicly available information, including Social Security numbers, using the same credentialing methods as it uses to safeguard private financial information that is protected by law," Connecticut Attorney General Richard Blumenthal said in a statement.

There was no admission of wrongdoing by the company in the settlement, ChoicePoint spokesman Matt Furman said. Seven states, including Georgia, are not part of the settlement, ChoicePoint said. The other states not involved in the settlement are Kansas, New Hampshire, Rhode Island, South Carolina, Utah and Wyoming.

"The changes we are making as a result of our conversations with the states are clearly good for our business and, we expect, will ultimately be where the entire industry finds itself," Furman said in a statement. "In fact, we will be watching with interest as the attorneys general expand their focus on these critical issues across every sector of our economy."

In January 2006, ChoicePoint agreed to pay $15 million to settle FTC charges that the data warehouser's security and record-handling procedures violated consumers' privacy rights when thieves infiltrated the company's massive database.

The FTC fined the company $10 million -- the biggest fine the agency had ever imposed -- and said that ChoicePoint would pay an additional $5 million to compensate consumers.

The federal government is among ChoicePoint's biggest customers.

ChoicePoint collects data on individuals, including Social Security numbers, real estate holdings and current and former addresses. It has about 19 billion records, and its customers include insurance companies, financial institutions and federal, state and local agencies.