Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy The Almighty Buck Government The Courts News

ChoicePoint Hit With Large Fine For Data Theft 85

Lam1969 writes "The U.S. Federal Trade Commission has fined ChoicePoint $10 million for a data breach that allowed identity thieves posing as legitimate businesses to steal social security numbers, credit reports, and other data from nearly 140,000 people. This is the largest fine ever levied by the FTC. ChoicePoint also has to set up a 'trust fund' for people victimized by identity thieves. From the article: 'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'" BusinessWeek has some background information on this breach.
This discussion has been archived. No new comments can be posted.

ChoicePoint Hit With Large Fine For Data Theft

Comments Filter:
  • by WebHostingGuy ( 825421 ) * on Thursday January 26, 2006 @12:52PM (#14569773) Homepage Journal
    For the three months ending Dec. 31, ChoicePoint said it earned $27.68 million on revenues of over one billion dollars in 2005 [choicepoint.com]
    • by Alex P Keaton in da ( 882660 ) on Thursday January 26, 2006 @12:59PM (#14569854) Homepage
      Not just that, but the fact that financial institutions really don't help you once you get your ID stolen...
      http://moneycentral.msn.com/content/Banking/Better banking/P142361.asp [msn.com]
      Banks hang fraud victims high and dry
      If a thief uses a stolen ATM card or checks to pilfer your accounts, you may not get much sympathy from your bank -- or any of your money back.
      By Liz Pulliam Weston
      Lesa Henderson of San Diego was shocked when her husband's paycheck suddenly disappeared from their checking account. But their troubles were just beginning.
      An acquaintance who stole both Henderson's debit card and checks from her checkbook had drained every penny from the account. The Henderson's bank initially restored some of the lost money, which the thief promptly stole. The bank then decided the thefts were Lesa's fault because she had allowed the thief into her home. The bank demanded the Hendersons pay back the restored funds, plus all the fees from bounced checks. Furthermore, it refused to let the Hendersons close the compromised account because it was overdrawn.
      http://moneycentral.msn.com/content/Banking/Better banking/P142361.asp [msn.com]
      • Your just wrong. I'm the Systems Admin for a bank and 99.9% of the time when there is fraud/theft the bank has to eat the loss. We constantly get people calling and complaining about mysterious $19.95 charges on their debit cards to online serives. It's usually their husband or sons signing up for porn, but all they have to do is say they didn't do it and we have to refund their money. The laws are monumentally skewed in favor of the customer.
        • I think you're both right. In the case of $20, it's easier for the bank to refund it and go after the merchant. In the case of $10,000 getting taken out of an account, they are a lot less likely to be as helpful.
        • Do you mean debit or check card? The rules are different for the two.
        • Riiiiiiiiiiiiiiiight. A sysadmin who works at a company knows more about a private life that was ruined by said company than the journalist who chronicled it, and the person who lived it. You must be republican, a douchebag, or probably both.

          Furthermore, I've read these stories for years. A guy had to sue his bank to get $90,000 that was wired away to other countries fraudulently. If I were him, I would have done worse than sue.

    • It's also only $70 a head. It may take me several years and a few thousand dollars to repair my credit, but at least ChoicePoint has to pay the cost a half hour with my lawyer.
      • And it's also only accounting for the fine, none of which I imagine is going to your lawyer. It's not clear to me whether your lawyer's costs will come out of the fund being established for victims, but I'm thinking that fund is potentially much larger than the fine.
    • by shotfeel ( 235240 ) on Thursday January 26, 2006 @01:06PM (#14569960)
      When you take that $10 million out of the $27.68 million, I'd say that's a pretty big percentage of your profits gone. The idea is to punish the company, not kill it.

      OTOH, considering what happened, maybe that wouldn't be such a bad idea...
      • Re:Fatal Assumptions (Score:4, Interesting)

        by mpapet ( 761907 ) on Thursday January 26, 2006 @01:16PM (#14570096) Homepage
        You are assuming that they will actually have to pay that fine.

        The procedure is as follows:

        1: Publish big number to qwell citizen revolt
        2: Negotiate lower settlement over the next few months
        3: Profit!

        Case in point: Exxon Valdez(sp?) Oil Spill
        1: Exxon get Billion(!!) dollar fine
        2: Exxon negotiates Billion dollar fine over umpteen years
        3: Exxon pays less than 1/2 the published number in real dollars.

        Choicepoint would cry like babies and threaten bankruptcy which they probably are doing anyway. "But Senator/Congressperson, consumer privacy is important. But think of all the lost jobs if ChoicePoint were to declare bankruptcy!!!"
        • Don't forget. Paying fines counts as an expense, which you can claim against revenue, thus cutting your taxes. As such, the hit is never as bad as it seems at face value. Now, if you had to pay fines out of your after-tax profits...
        • "But Senator/Congressperson, consumer privacy is important. But think of all the lost jobs if ChoicePoint were to declare bankruptcy!!!"

          Here's what our representatives (remember, they supposedly believe in the free market and Capitalism) should respond:

          "Mr CheckPoint Executive, we in the Congress sympathize with the short-term hardship imposed by such a scenario, but we mostly have to be concerned with the long-term results. The long term in your case is that the assets from your failed company wou
          • [...] since our politicians have almost totally bought into the ideas of Socialism for the wealthy classes, and the "free market" for the poor and working classes [...]

            I think the word you're looking for is Fascism

            Mart
        • 1: Exxon get Billion(!!) dollar fine
          2: Exxon negotiates Billion dollar fine over umpteen years
          3: Exxon pays less than 1/2 the published number in real dollars.


          Given that your implied point seems to be that Exxon would be willing to smack another tanker into the bottom and lose $500M, I don't think I agree with you.
      • For the year they earned $140mm after tax. Another way to look at it is that the penalty is $71.43 per identity stolen. I'm sure the inconvenience to the affected parties can be valued much higher than that.

        On either basis I just don't think this is enough of a bitchslap.
      • How is appox one month pay punishment enough to deter? If you stole money from a 7-11 you would be put in jail how come these guys get to go free? Wouldn't jail be more of a deterrent while sparing the shareholders?

        I say throw the entire board in jail. The buck stops with them and they get paid the big bucks. I bet the CEO can find 10 million between the cushions of his couch.
      • Wrong. The $27-odd million in profit for the quarter is AFTER the charge for the fine.
      • "When you take that $10 million out of the $27.68 million, I'd say that's a pretty big percentage of your profits gone. The idea is to punish the company, not kill it.
        OTOH, considering what happened, maybe that wouldn't be such a bad idea..."

        Let's see you say that to the people who were working for departments of the company in no way related to this. A company is not just the board/owners/stockholders, it is also the employees. This would be similar to saying your brother screwed and accidentally killed so
        • You make a good point. Its tough to know though, what level of fine is enough to induce the changes needed to help prevent this from happening again? On one hand many people who make up the company and did no wrong may be hurt. OTOH many individuals who didn't do anything wrong are in some serious pain and this fine won't really help them.
          • Well, Choicepoint has already made changes to more strictly screen their clients. However, I still see it as punishing Choicepoint for someone else comitting a crime. Similar to if a car dealer sold a car to someone who falsely identified themselves and comitted a crime.
      • Yes, but to hurt it you have to hit them for more than it would have cost them to fix/maintain their system in the first place. If ChoicePoint regards $10m every few years as cheaper than doing things the right way, they will continue along the merry path.

        The same applies to many unscrupulous companies. What's a $10m fine if you're making/saving an extra $20m?
    • It's the earnings, not the revenues. Earnings are revenues minus expenses. You could have revenues of a trillion dollars, but if your expenses are $999,999,999 then you've only earned a dollar in profit. If your expenses are $1,000,000,000,001, then you're in the red. Either way, it would mean that $10 million isn't something you have lying around.

      Stock prices should be based on earnings rather than revenue. People looked heavily at revenue of tech startups because they were assumed to have high one-ti
      • Still, in this case $10 million is a 1/3 of one year's revenues.

        Actually...

        For the three months ending Dec. 31, ChoicePoint said it earned $27.68 million

        So that is a little more than 1/3 of one QUARTER'S revenue.
      • by WebHostingGuy ( 825421 ) * on Thursday January 26, 2006 @01:19PM (#14570147) Homepage Journal
        Not quite. The profit is after expenses. However, if you have taken accounting you will know you get to take expenses out for which you did not actually pay any money for (think depreciation, it is a non-cash outlay expense for which you get to take over time.) To actually look at the impact of the fine you have to look at what their actual cash flow is. From their statement:

        Net free cash flow (net cash provided by operations less capital
                      expenditures) was $180.2 million for the twelve months ended December
                      31, 2005, which compares to net free cash flow of $182.1 million for
                      the same period in 2004. Excluding the cash paid during 2005 related
                      to the fraudulent data access discussed above, net free cash flow would
                      have been $193.8 million for 2005.
                  - During 2005, approximately 2.9 million shares were repurchased for
                      $125.6 million at an average price of $42.59, leaving $124.4 million
                      authorized in the Company's buyback program.

        If you see the end number they had cash coming in in 2005 of $180.2 million dollars. It would have been $193.8 million but they had to pay the lawyers fighting this fine. And if you add in what they spent buying back their own stock their cash coming in from revenues is $180.2 + $125.6 = $305.8 million dollars. And if you add in what they spent on legal fees fighting this equals $319.4 million dollars. Subtract $10 million from this number and you get chump change.
        • You're absolutely right; I didn't want to get into a full balance-sheet analysis. I'm sure there's some creative accounting going on underneath it, to, though that could be either inflating or deflating their numbers, depending on what management needs.

          A sibling post to yours also noted that the $27 million was quarterly, not yearly.

          So yeah: chump change. My goal was merely to try to fight the dot-com notion that revenue by itself was a good valuation of the company.
    • > For the three months ending Dec. 31, ChoicePoint said it earned $27.68 million on revenues of over one billion dollars in 2005

      Then $10M is about a third of a quarter's earnings. Your revenue figure is for all four quarters, and revenue ("amount of money you took in") is not the same as earnings ("amount of money you actually made").

      CPS [yahoo.com] has about 90M shares outstanding. A $10M fine is about $0.09 per share.

      According to their press release [yahoo.com], they...

      For the year ended December 31, 2005, the Com

    • For the three months ending Dec. 31, ChoicePoint said it earned $27.68 million on revenues of over one billion dollars in 2005

      Chump Change with their Revenues

      Um, I'm familiar with legitimate accounting (GAAP) and $27.68m on revenues over $1b is a very, very tight margin of profit. I can't see how $10m is chump change on that, unless, by some incredibly humourous twist you can deduct a $10m fine from your gross, as a business expense, thus increasing your net.

      Where's Arthur Anderson when you need the

    • I wonder if this kind of fine will start making companies more secure?
  • The information of millions of citizens, including employment, financial, contact, and other personal information all in the hands of a third party corporation who has to make next to nil security checks with the government, what could possibly go wrong?
  • Not enough (Score:5, Funny)

    by voice_of_all_reason ( 926702 ) on Thursday January 26, 2006 @12:56PM (#14569830)
    I was expecting something a little more Barad-Dur-ish. You know, heads of traitors impaled on the bridge as a warning to others.
    • I was expecting something a little more Barad-Dur-ish. You know, heads of traitors impaled on the bridge as a warning to others.

      You mean as a punishment/warning to those who fail in 'due dilligence' of securing sensitive information and validating their clients? Doesn't anyone use Dunn & Bradstreet anymore?

      probably not, it would have probably cost $9m for their services

    • Maybe if Jonathon the Impaler [jonathonforgovernor.us] were in charge of the FTC...
  • by ZachPruckowski ( 918562 ) <zachary.pruckowski@gmail.com> on Thursday January 26, 2006 @01:00PM (#14569875)
    'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'

    Every company should undergo a comprehensive security audit every two years. I mean, security in Jan 2004 is rather different from security in Jan 2002, and both are way different from security today. A system that might have been thought to be secure 2 years ago isn't so hot right now. If I ran a huge, profitable company, I would assign a few people to try to break into my company full-time.
    • Every company should undergo a comprehensive security audit every two years

      Big, public companies already have to drink a nice, big, hot cup of Sarb-Ox [wikipedia.org] every year. That includes all sorts of IT/security related audits and assertions. The act is really more about disclosure, transparency, and protecting investors from Enron-ish type stuff, but lax security in IT is Not A Good Thing under this act, and the FTC/SEC troops can come in swinging when there's a screw-up.
      • What we need is something dedicated solely to security. I would love to see the government hire people to try to break various corporate securities, like for a job. It'd help us identify vulnerabilities in Linux and Windows, it'd let us nail lazy companies that can put on a good 5-minute show for the Sarb-Ox guys, and it'd be training CIA/NSA people.
  • by swillden ( 191260 ) <shawn-ds@willden.org> on Thursday January 26, 2006 @01:03PM (#14569920) Journal

    I'm happy to see regulators stepping in. Security of other peoples' data is a big problem, and it's going to be a much bigger problem. However, I think this is the wrong approach. I think the right approach is actually much simpler than lots of regulatory oversight: Make companies liable for misuse of data that they collected and lost or misplaced. In fact, make them not only liable for direct damages, but award punitive damages as well. Also, the plaintiff should should not have a large burden of proof that it was actually company X's loss of the data that led to the damage. If company X had the data, and there is a preponderance of evidence that company X let the data escape, X should be liable for the damages even if it's possible that the bad guys actually got the data somewhere else.

    That may seem unreasonable, but I have a very specific reason for that "extreme" position. We want companies who use customer data to be very, very reluctant to collect any data they don't absolutely need, and we want them to be anxious to destroy that data as quickly as possible so that there is no possibility it may be compromised.

    As long as corporations see more potential gain than loss in collecting and hoarding personal details, they'll do it. Regulators may slow them down a bit, or force them to be a little more careful, but the best solution is to convince them that they do not want it.

    • by swillden ( 191260 ) <shawn-ds@willden.org> on Thursday January 26, 2006 @01:09PM (#14569999) Journal

      If company X had the data, and there is a preponderance of evidence that company X let the data escape, X should be liable for the damages even if it's possible that the bad guys actually got the data somewhere else.

      Oh, one more thing: disclosure of security breaches should be mandatory (with some latitude for delaying until the problem can be fixed, but not much). Failure to disclose security breaches should be a felony. If some manager decides to try to hide it, that person should be charged with a crime and sent to prison, along with anyone who agreed with him or her (i.e. his or her co-conspirators).

      Corporations should be terrified of the effects of security breaches involving other peoples' data, and employees need to be terrified of doing anything but blowing the whistle when those breaches occur.

      • Oh, one more thing: disclosure of security breaches should be mandatory (with some latitude for delaying until the problem can be fixed, but not much). Failure to disclose security breaches should be a felony.

        Hmm. My initial response was going to be "but then they have lots of incentive to hide it"...this is an interesting idea.

        I dunno, though. You have to ask exactly what constitutes a security breech, and what is reasonable to not defend against. For example, I don't expect my bank to be proof against
        • You have to ask exactly what constitutes a security breech, and what is reasonable to not defend against.

          That's what judges are for. Lots of laws say things similar to "take reasonable and appropriate precautions", and it's up to judges to figure out what's reasonable. By and large they do an excellent job.

  • The sad thing is (Score:4, Informative)

    by hsmith ( 818216 ) on Thursday January 26, 2006 @01:06PM (#14569965)
    It is impossible not to have your ID stolen through not YOUR actions, but others now a day. I had mine compromised 3 times last year due to employers as well as corporations that have my personal information. I mean, what can you really do when a company refuses to protect your identity? You can't sue, because there are no laws on the books. Yes, I took my business elsewhere, but what happens when you lose money due to others mishaps and ignorance? I guess it is time to get "ID Loss Insurance" for another $30/month. Ugh.
    • by nickname225 ( 840560 ) on Thursday January 26, 2006 @01:17PM (#14570112)
      I'm a lawyer - although tort is not my area of specialization. It's not really necessary for there to be a specific law on the books to sue someone who has caused you damage. In this case you could sue under a general negligence theory. The basic elements of negligence are 1) Did the company have a duty 2) was that duty breached 3) Was the breach a cause in fact of the damage & 4) Did actual damage occur. If you analyze this case under general negligence theory - 1) Choice Point clearly had a duty to safeguard sensitive personal information 2) That duty was clearly breached 3) The breach would be a cause in fact if you identify is stolen 4) so- if you suffer actual damage as a result of this theft - you should have a negligence action against Choice Point. Now - it is possible that they are in some way immunized from suit by some statute - but I don't recall anything of the sort.
    • Absolutely. There is a general unwillingness to deal with privacy as a major issue here. I would claim that privacy is a basic right that citizens should demand, and it should be legislated into government. There is a privacy commissioner in Canada [privcom.gc.ca] and associated legislation that can be enforced; similar governmental structures [eu.int] exist in Europe. For all of the free-market talk and general wish for lack of interference in personal life, wouldn't it make sense for American government to serve the people in a m
  • by alfalfro ( 120490 ) on Thursday January 26, 2006 @01:13PM (#14570056)
    Bruce Schneier usually covers this stuff pretty well, as he did frequently last spring. Punch this into google: "choicepoint site:schneier.com" [google.com]
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday January 26, 2006 @01:15PM (#14570076)
    Comment removed based on user account deletion
  • The irony... (Score:3, Insightful)

    by Dynedain ( 141758 ) <slashdot2&anthonymclin,com> on Thursday January 26, 2006 @01:15PM (#14570079) Homepage
    The irony is that they could sell the data without any penalties, but if someone breaks into their system they get in trouble.
  • by vinn01 ( 178295 ) on Thursday January 26, 2006 @01:16PM (#14570105)
    ... allowed identity thieves posing as legitimate businesses ...

    From ChoicePoint's perspective, they were legitimate businesses. They paid for the data, they didn't steal it.

    From the goverment's perspective, they were legitimate businesses if they paid taxes on their "profits".

    Now from the victims perspective, they were a bunch of crooks raiding their credit records and sucking as much out as they could.

    Is every employer, landlord, and car dealer a legitimate business just because they actually have a better excuse to get their hand on the data? Some of those businesses are a bunch of crooks too.

    The whole system needs better security, not just better control over who can get your info.

    vb

  • Considering the nature of the information being processed, why aren't there mandatory security audits of all of these companies on a regular basis anyway ? Like, once a year, or once after any major system/software upgrade would seem reasonable, really.

    Shoot, having to be audited like that could end up being a marketing selling point- it's something their competitors wouldn't match. Wacky.

    • The people who would care about them being audited are NOT their customers. Their customers don't care how secure your data is, they like things just the way they are.
      • The people who would care about them being audited are NOT their customers. Their customers don't care how secure your data is, they like things just the way they are.

        Right, of course, it's their customer's customers whose data is at risk. Which is why this is a classic case of the free market failing to protect consumers. When I say mandatory, I'm talking good-old-fashioned evil government interference in shoddy business practices is what's called for here.

        In short, there oughta be a law...

  • Red Flags (Score:4, Funny)

    by Billosaur ( 927319 ) * <wgrother AT optonline DOT net> on Thursday January 26, 2006 @01:18PM (#14570120) Journal
    In its decision, the FTC slammed ChoicePoint, saying that it did not have reasonable procedures in place to screen prospective subscribers and that it turned over sensitive personal information to subscribers whose applications raised obvious red flags.

    Hello, ChoicePoint? My name is Al... Al Kayduh... yes, I'm looking for the personal information for some decadent American spawns of... I mean fine, upstanding Americans...

  • So a unique California law, under their misnamed "deregulation" system, caused them to open their books, when they simply feel that 110,000 to 350,000 consumers are ignorant. They were entrusted with data security, was it worth it? Anyway, how many more consumers' personal data was thoroughly scrutinized by these thieves? This is what you got when you let ex-Governor Davis exercise his own self interest, the economy of California and rolling blackouts leading to a re-statement of Enron's books. When will th
  • by RandoX ( 828285 ) on Thursday January 26, 2006 @01:35PM (#14570364)
    Not according to CNN [cnn.com]. See Point #45 where Choicepoint SOLD the information several times, including to an identity theft ring.
  • Choicepoint seems to be quite a nasty company, stopping at nothing to gather personal information by the truckload and sell it to the highest bidder. About a year ago, a highly-publicized case in Mexico involved Choicepoint purchasing electorate information from the Federal Elections Institute (IFE), which of course has a database with information on each and every registered voter in Mexico (about 49 million). I don't believe any sanctions were given out, either to the institute's personnel who authorized
  • I don't know about you guys, but I am replacing my Equifax / ChoicePoint signed ssl certs.

    Take care,

    Waitman

  • I wonder if the "trust fund" is funded by the extra fees they are charging victims/users to see if their data was compromised. (I don't have a link, but I know for a fact thats what they were doing)

    These people should be run out of town. And put out of business.

    This is like a prison prematurely releasing inmates into a community, and then charging the authorities to tell them who was released and where.
  • by gtshafted ( 580114 ) on Friday January 27, 2006 @12:08AM (#14576233)
    I couldn't find a lawyer for justice... I just didnt' have the finances for making Choicepoint pay... All I got from them was a year membership in Equifax's credit changes alert.

    This reminds me of the "settlement" Nintendo got for price fixing.

    Anyways here's how I think I got victimized (though I could be wrong). My previous employer used Choicepoint verify my resume information before hiring me... Not sure how to avoid this situation

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...