Choice Point Data Breach

---

ChoicePoint was a data broker that merged public records, credit reports, and demographic data to create individual consumer profiles to sell to governments and private companies.

• sold profiles to insurance companies
• used the profiles to conduct background checks
• collected personal information such as:
  • names
  • addresses
  • SSNs
• databases included credit history and DNA information

2005 Data Breach

• Had a data breach in Feb. 2005
  • California was only state with breach notification laws at the time
  • discovered after law enforcement contacted them about an identify theft ring
  • criminals pretended to be its customers
  • found over 50 fake accounts
    • submitted identical documentation
  • other states’ AGs were outraged, demanded them to notify their citizens too

FTC Investigation

• Jan. 2006 FTC investigated ChoicePoint
  • settled with FTC and paid $10m in civil fines
  • paid $5m to fund a consumer relief program for victims of identity theft resulting from the breach
  • required them to create and information security program
  • largest FTC settlement at the time
  • purchased by LexusNexus

State Lawsuit

• May 2007, settled multistate lawsuit
  • 43 states part of settlement agreement
  • ChoicePoint promised to improve process for verifying customers
  • agreed to strengthen data protection
  • pay $500K to states involved

2008 Data Breach

• 2008, another data breach
  • 13,750 people’s data disclosed due to unauthorized access
  • had to strengthen information security program
  • report to FTC every 2 months until 2011
• Illinois passed Personal Information Protection Act
  • their breach notification law
• This was the case widely considered the reason for many states creating breach notification laws