Cyber Security Industry Alliance Newsletter • Volume 2, Number 6  • February 2006

FTC Choicepoint Settlement: A Turning Point for Data Integrity

The FTC's landmark ruling puts all companies on notice regarding sensitive consumer information

Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws.

The Federal Trade Commission's (FTC) landmark settlement with ChoicePoint Inc., announced January 26th, put all companies on notice to take a more thoughtful and comprehensive approach to protecting sensitive consumer information. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026.

The settlement is notable for three major reasons:  its record civil monetary penalty, the relatively novel legal basis upon which the settlement is predicated, and the invasiveness of the government’s long-term compliance oversight.  Taken together, they make clear that companies failing to reasonably protect sensitive customer information will likely regret it.

The legal basis of the FTC’s complaint demonstrates the government’s newly aggressive efforts to protect consumers’ personal information, which began with the recent action against DSW. The government alleged a violation of the "unfairness prong" of Section 5 of the FTC Act, essentially accusing the company of engaging in an unfair trade practice punishable by law. Used only twice before, this tactic could be employed against any company in interstate commerce that fails to establish and implement a comprehensive information security program "reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers."

The ChoicePoint settlement provides the outline of a regulatory roadmap to help companies identify sound data integrity policies. The settlement stipulates that ChoicePoint must implement a privacy program containing "administrative, technical, and physical safeguards appropriate to the [company’s] size and complexity, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers."  The program should at a minimum include:

  • The designation of an employee or employees to coordinate and be accountable for a company's information security program;
  • The identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could lead to unauthorized data disclosure or loss;
  • The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures; and
  • The periodic evaluation and adjustment of information security programs as needed based on regular testing and monitoring as well as material changes in business operations.

In addition to implementing a security program, ChoicePoint is required to obtain initial and biennial assessments and reports regarding the implementation and maintenance of the required security program from qualified, independent auditors for the next twenty years.

These requirements use the same language as the FTC’s rules on Standards for Safeguarding Customer Information and Disposal of Consumer Report Information and Records, more commonly known as the Safeguards Rule promulgated under the Gramm-Leach-Bliley Act.

It is interesting to compare the elements of an adequate information security program as determined by the Commission and those proposed by the multiple bills introduced in Congress in 2005. The FTC’s requirements follow most closely those elements included in S.1789, introduced by Sen. Specter in the Senate Judiciary Committee, and HR 4127, introduced in the House Energy and Commerce Committee by Rep. Cliff Stearns. These two pieces of legislation both follow the requirements in the FTC’s settlement; although S.1789 is more detailed while HR 4127 omits periodic re-evaluation and adjustment of security programs. Another piece of legislation, S.1408, introduced by Senator Smith in the Senate Commerce Committee, avoids over-pronouncement and deems compliance with the Safeguards rule to be adequate.

Some may believe that this action by the FTC obviates the need for a federal breach notification law. Since the FTC does not require companies to notify consumers in the case of a breach this would leave residents of 27 states that currently do not have breach notification laws without the knowledge that their sensitive personal information has been put at risk. This alone should spur Congress to action without the need to consider that the FTC has limited resources its disposal to attempt to prosecute each organization that fails to properly protect consumer information. The lack of national notification requirement and the limited resources of the FTC make it clear that an effective national breach notification bill that requires reasonable security measures is still necessary.