US credit data firm ChoicePoint will pay $15 million to settle charges that it failed to adequately protect customers' financial information following a data breach where a gang of criminals posing as businessmen managed to gain access to around 163,000 personal records.
The US Federal Trade Commission (FTC) says ChoicePoint has agreed to pay $15m - which consists of $10 million in civil penalties and $5 million to compensate customers - to settle charges that its security and record-handling procedures violated consumers' privacy rights and federal laws.
The FTC says at least 800 cases of identity theft arose from the data breach, which occurred in late 2004.
In a statement, the FTC says ChoicePoint did not have reasonable procedures in place to screen prospective subscribers and turned over consumers' sensitive personal information to individuals who raised obvious 'red flags'.
The FTC alleges that ChoicePoint approved individuals who lied about their credentials and used commercial mail drops as business addresses. Applicants also reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies.
The settlement requires ChoicePoint to implement new screening procedures for subscribers, to establish and maintain a comprehensive information security programme, and to obtain audits by an independent third-party security professional every other year until 2026.
Commenting on the settlement, Deborah Platt Majoras, chairperson of the FTC, says: "The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves."
News of the settlement coincides with an earlier announcement from brokerage firm Ameriprise Financial that a laptop containing personal financial information on around 158,000 clients was stolen from an employee's vehicle.
Ameriprise, which was spun off from American Express last year, says it has mailed notification letters to approximately 158,000 clients whose names and internal account identification numbers were stored in a data file on the laptop computer.
The laptop - which was stolen in late December - also contained the names and social security numbers of an unspecified number of current and former financial advisers, who are also being notified of the theft.
Ameriprise says client accounts could not be accessed with the information stored on the file and it believes the theft was "a random criminal act".