The $10 million fine imposed today, January 26th, by the Federal Trade Commission on data aggregator ChoicePoint Inc. for a data security breach is yet another indication of the increasingly tough stance the agency is taking on companies that fail to adequately protect sensitive data, legal experts said.

And it's not just companies that suffer data breaches that should be concerned. Those companies that are unable to demonstrate due diligence when it comes to information security practices could also wind up in the FTC’s crosshairs, they added.

“There has been a definite change in the FTC’s handling and analysis of security breaches,” said Christopher Pierson, an attorney at Phoenix-based law firm Lewis and Roca LLP. “It appears that the FTC is not going to wait for federal [data security] legislation to come down the pipe and is instead going to take action using existing laws.”

“This is a seminal reaction regarding information security” by the FTC, said Christopher Ford, an attorney at Alston & Bird LLP in Washington. Future victims of identity theft are going to be able to point to this settlement and say, “Look, you owe me something,” Ford said. “I think it’s a pretty significant precedent that’s been set here.”

The FTC this morning announced that it has reached an agreement with Alpharetta, Ga.-based ChoicePoint in a data theft case that took place in the fall of 2004. At the time it made the breach public in February 2005, ChoicePoint said the theft happened when, “a small number of very-well-organized criminals posed as legitimate companies to gain access to personal information about consumers.”

The breach resulted in the compromise of the financial records of more than 163,000 consumers in its databases, over 800 of whom have since become victims of identity theft.

“This is an important victory for consumers,” FTC Chairman Deborah Platt Majoras said today in announcing the fine.

Trust fund set up
Under the settlement announced today, ChoicePoint will pay a fine of $10 million for violating the Fair Credit Reporting Act (FCRA). That law requires companies that furnish credit histories to maintain reasonable procedures for authenticating the identities of those who receive data. The FCRA also requires companies to ensure that the data is used properly.

In addition to the penalty, the largest ever levied by the FTC, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach. ChoicePoint will also have to submit to comprehensive security audits every two years through to 2026.

ChoicePoint, in documents posted on its Web site today, listed a series of privacy enhancements it has implemented since news of the data breach broke last February. In an effort to restrict customer access to sensitive consumer data, the company discontinued selling products that contain personally identifiable information (PII) such as Social Security numbers and driver’s license numbers, the company said.

ChoicePoint said it no longer shares such information with customers, except in certain specific cases, such as when it provides authentication for another company’s data. ChoicePoint also established a centralized corporate credentialing center and strengthened credential procedures via multiple external verification sources. As of today, ChoicePoint has recredentialed over 80 percent of customers receiving sensitive PII, and it said it successfully completed 43 third-party security audits in 2005.

The FTC’s action continues a trend that began last year with similar settlements involving two other companies. In December 2005, the agency announced that Columbus, Ohio-based shoe retailer DSW Inc. had agreed to beef up its computer security to settle charges that it had not adequately protected sensitive customer data. As part of that agreement, DSW will have to submit to security audits every two years for the next 20 years.

In June 2005, Natick, Mass.-based BJ’s Wholesale Club Inc. reached a near identical consent decree with the FTC in a case involving the theft and fraudulent use of customers’ credit and debit cards.

FTC a willing enforcer
The FTC appears to be willing to escalate enforcement action against such companies, said Michael Overly, an attorney at Foley & Lardner LLP in Los Angeles. “We knew something big was going to happen” after the DSW and BJ’s settlements, he said. “The agreement with ChoicePoint shows [FTC officials] have every intent of continuing with even more force this year.”

The important take-away for every company that handles personally identifiable information is that it is not just breaches alone that can trigger FTC action, Overly said. In the future, a failure to demonstrate adequate data safeguards could also make a company a target for FTC action.

For instance, companies that claim to provide adequate protection for consumer information in their privacy notices could get hit by the FTC for deceptive trade practices if they are unable to demonstrate such protections, Overly said.

One such case, according to Overly, is a 2003 incident involving online book retailer Barnes & Noble and New York State Attorney General Eliot Spitzer. In that case, Barnes & Noble agreed to pay a $60,000 fine and to set up a comprehensive security program with periodic audits to settle charges that the company was not adequately protecting consumer information -- even though no actual breach ever took place.

Sun Data Management Group comment
Laurence James, EMEA marketing manager for Information Lifecycle Management (ILM) solutions, offered a few comments on the matter. Firstly: “It astonished me that some companies have so much money to burn. How can organisations in the current climate of increasing legislation and drives towards corporate governance be so lackadaisical in protecting corporate information? Do they like fines?”

Clearly ChoicePoint is not a Sun customer. Oops; actually it is. Here is Manish Bhuptani, director, Network Services, Sun Microsystems, discussing working with partners for mobile infrastructures: "Sun works closely with partners like Aligo -- with strong mobile enterprise application expertise. Aligo understands and leverages both mobile infrastructure and enterprise applications to efficiently design, build and deploy mission-critical applications to any mobile device in record time. Aligo and Sun Microsystems provide an industry leading comprehensive solution critical for our customers such as ChoicePoint, who need to extend the boundaries of corporate data to where it is most valuable -- in the field to better serve their customers."

And here is ChoicePoint taking part in a Sun Java marketing tour, with details obtained from Sun's own web site:

2:00–3:00 PM
WHAT: Breakout session: Mobility Press/Analyst Event. Join Jonathan Schwartz, EVP, Software; Alan Brenner, VP, Consumer and Mobile Systems Group; and Juan Dewar, Sr. Director, Consumer, Mobility and Strategic Solutions Group, to learn about the launch of exciting mobility products and programs to unite the wireless Java community and accelerate the deployment of mobile data services. One of the highlights of this event is a panel discussion with customers using Sun's products to enable successful wireless enterprise access. These customers are: Michael Lancaster, Choicepoint; Bob Lotter, CEO, EAgency Systems; Wayne Pau, CTO, LOCATION: MOSCONE ROOM

Perhaps ChoicePoint will welcome James' comment. Perhaps it won't appreciate one of its suppliers being quite so robust in its criticism.

What should ChoicePoint have done in James' view?

“Securely storing data is a fundamental aspect of modern business. Technologies are readily available from storage and network security vendors alike that enable organisations to protect data from malicious third parties. For instance ILM solutions are specifically designed to allow business decision makers to determine the rules for managing their information, thereby ensuring data integrity and confidentiality.”

“Buy an ILM product” seems the logical conclusion here. Just in case ChoicePoint and other customers need the lesson ramming home, James offers this final thought: “While malicious parties will be determined to find the kinks in any organisation’s armour, and use any means possible to do so, it is unforgivable for companies to fail in the basic elements of data storage and security. This (incident) proves that it can be an expensive lesson to learn.”

Well, yes, but it's also a neat item on which to hang a product marketing pitch.