Thursday, January 26, 2006
FTC fines indicate tougher enforcement of Safeguards Rule
By Jaikumar Vijayan with ComputerWorld
The $10 million fine imposed today by the Federal Trade Commission on data aggregator ChoicePoint Inc. for a data security breach is yet another indication of the increasingly tough stance the agency is taking on companies that fail to adequately protect sensitive data, legal experts said.
And it's not just companies that suffer data breaches that should be concerned. Those companies that are unable to demonstrate due diligence when it comes to information security practices could also wind up in the FTC’s crosshairs, they added.
“There has been a definite change in the FTC’s handling and analysis of security breaches,” said Christopher Pierson, an attorney at Phoenix-based law firm Lewis and Roca LLP. “It appears that the FTC is not going to wait for federal [data security] legislation to come down the pipe and is instead going to take action using existing laws.”
“This is a seminal reaction regarding information security” by the FTC, said Christopher Ford, an attorney at Alston & Bird LLP in Washington. Future victims of identity theft are going to be able to point to this settlement and say, “Look, you owe me something,” Ford said. “I think it’s a pretty significant precedent that’s been set here.”
The FTC this morning announced that it has reached an agreement with Alpharetta, Ga.-based ChoicePoint in a data theft case that took place in the fall of 2004 (see ”FTC imposes $10M fine against ChoicePoint for data breach”). At the time it made the breach public in February 2005, ChoicePoint said the theft happened when “a small number of very-well-organized criminals posed as legitimate companies to gain access to personal information about consumers.”
The breach resulted in the compromise of the financial records of more than 163,000 consumers in its databases, over 800 of whom have since become victims of identity theft.
“This is an important victory for consumers,” FTC Chairman Deborah Platt Majoras said today in announcing the fine.
Under the settlement announced today, ChoicePoint will pay a fine of $10 million for violating the Fair Credit Reporting Act (FCRA). That law requires companies that furnish credit histories to maintain reasonable procedures for authenticating the identities of those who receive data. The FCRA also requires companies to ensure that the data is used properly.
In addition to the penalty, the largest ever levied by the FTC, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach. ChoicePoint will also have to submit to comprehensive security audits every two years through 2026.
ChoicePoint, in documents posted on its Web site today, listed a series of privacy enhancements it has implemented since news of the data breach broke last February. In an effort to restrict customer access to sensitive consumer data, the company discontinued selling products that contain personally identifiable information (PII) such as Social Security numbers and driver’s license numbers, the company said (download PDF).
ChoicePoint said it no longer shares such information with customers, except in certain specific cases, such as when it provides authentication for another company’s data. ChoicePoint also established a centralized corporate credentialing center and strengthened credential procedures via multiple external verification sources. As of today, ChoicePoint has recredentialed over 80% of customers receiving sensitive PII, and it said it successfully completed 43 third-party security audits in 2005.
The FTC’s action continues a trend that began last year with similar settlements involving two other companies. In December 2005, the agency announced that Columbus, Ohio-based shoe retailer DSW Inc. had agreed to beef up its computer security to settle charges that it had not adequately protected sensitive customer data. As part of that agreement, DSW will have to submit to security audits every two years for the next 20 years.
In June 2005, Natick, Mass.-based BJ’s Wholesale Club Inc. reached a near identical consent decree with the FTC in a case involving the theft and fraudulent use of customers’ credit and debit cards.
The FTC appears to be willing to escalate enforcement action against such companies, said Michael Overly, an attorney at Foley & Lardner LLP in Los Angeles. “We knew something big was going to happen” after the DSW and BJ’s settlements, he said. “The agreement with ChoicePoint shows [FTC officials] have every intent of continuing with even more force this year.”
The important take-away for every company that handles personally identifiable information is that it is not just breaches alone that can trigger FTC action, Overly said. In the future, a failure to demonstrate adequate data safeguards could also make a company a target for FTC action.
For instance, companies that claim to provide adequate protection for consumer information in their privacy notices could get hit by the FTC for deceptive trade practices if they are unable to demonstrate such protections, Overly said.
One such case, according to Overly, is a 2003 incident involving online book retailer Barnes & Noble and New York State Attorney General Eliot Spitzer. In that case, Barnes & Noble agreed to pay a $60,000 fine and to set up a comprehensive security program with periodic audits to settle charges that the company was not adequately protecting consumer information -- even though no actual breach ever took place.
The $10 million fine imposed today by the Federal Trade Commission on data aggregator ChoicePoint Inc. for a data security breach is yet another indication of the increasingly tough stance the agency is taking on companies that fail to adequately protect sensitive data, legal experts said.
And it's not just companies that suffer data breaches that should be concerned. Those companies that are unable to demonstrate due diligence when it comes to information security practices could also wind up in the FTC’s crosshairs, they added.
“There has been a definite change in the FTC’s handling and analysis of security breaches,” said Christopher Pierson, an attorney at Phoenix-based law firm Lewis and Roca LLP. “It appears that the FTC is not going to wait for federal [data security] legislation to come down the pipe and is instead going to take action using existing laws.”
“This is a seminal reaction regarding information security” by the FTC, said Christopher Ford, an attorney at Alston & Bird LLP in Washington. Future victims of identity theft are going to be able to point to this settlement and say, “Look, you owe me something,” Ford said. “I think it’s a pretty significant precedent that’s been set here.”
The FTC this morning announced that it has reached an agreement with Alpharetta, Ga.-based ChoicePoint in a data theft case that took place in the fall of 2004 (see ”FTC imposes $10M fine against ChoicePoint for data breach”). At the time it made the breach public in February 2005, ChoicePoint said the theft happened when “a small number of very-well-organized criminals posed as legitimate companies to gain access to personal information about consumers.”
The breach resulted in the compromise of the financial records of more than 163,000 consumers in its databases, over 800 of whom have since become victims of identity theft.
“This is an important victory for consumers,” FTC Chairman Deborah Platt Majoras said today in announcing the fine.
Under the settlement announced today, ChoicePoint will pay a fine of $10 million for violating the Fair Credit Reporting Act (FCRA). That law requires companies that furnish credit histories to maintain reasonable procedures for authenticating the identities of those who receive data. The FCRA also requires companies to ensure that the data is used properly.
In addition to the penalty, the largest ever levied by the FTC, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach. ChoicePoint will also have to submit to comprehensive security audits every two years through 2026.
ChoicePoint, in documents posted on its Web site today, listed a series of privacy enhancements it has implemented since news of the data breach broke last February. In an effort to restrict customer access to sensitive consumer data, the company discontinued selling products that contain personally identifiable information (PII) such as Social Security numbers and driver’s license numbers, the company said (download PDF).
ChoicePoint said it no longer shares such information with customers, except in certain specific cases, such as when it provides authentication for another company’s data. ChoicePoint also established a centralized corporate credentialing center and strengthened credential procedures via multiple external verification sources. As of today, ChoicePoint has recredentialed over 80% of customers receiving sensitive PII, and it said it successfully completed 43 third-party security audits in 2005.
The FTC’s action continues a trend that began last year with similar settlements involving two other companies. In December 2005, the agency announced that Columbus, Ohio-based shoe retailer DSW Inc. had agreed to beef up its computer security to settle charges that it had not adequately protected sensitive customer data. As part of that agreement, DSW will have to submit to security audits every two years for the next 20 years.
In June 2005, Natick, Mass.-based BJ’s Wholesale Club Inc. reached a near identical consent decree with the FTC in a case involving the theft and fraudulent use of customers’ credit and debit cards.
The FTC appears to be willing to escalate enforcement action against such companies, said Michael Overly, an attorney at Foley & Lardner LLP in Los Angeles. “We knew something big was going to happen” after the DSW and BJ’s settlements, he said. “The agreement with ChoicePoint shows [FTC officials] have every intent of continuing with even more force this year.”
The important take-away for every company that handles personally identifiable information is that it is not just breaches alone that can trigger FTC action, Overly said. In the future, a failure to demonstrate adequate data safeguards could also make a company a target for FTC action.
For instance, companies that claim to provide adequate protection for consumer information in their privacy notices could get hit by the FTC for deceptive trade practices if they are unable to demonstrate such protections, Overly said.
One such case, according to Overly, is a 2003 incident involving online book retailer Barnes & Noble and New York State Attorney General Eliot Spitzer. In that case, Barnes & Noble agreed to pay a $60,000 fine and to set up a comprehensive security program with periodic audits to settle charges that the company was not adequately protecting consumer information -- even though no actual breach ever took place.
# posted by raveneye @ 10:14 PM 
