ChoicePoint Inc., a consumer data broker, will pay $15 million to settle federal complaints it carelessly allowed thieves to see the personal financial information of 163,000 people, including 2,340 Minnesotans.
It was the first time federal regulators assessed a monetary penalty for a security breach that could lead to identity theft or fraud. Advocates for victims and consumer rights hailed Thursday's settlement with the Federal Trade Commission as a small step that will make companies more careful about collecting everything from credit card numbers to medical histories.
But the settlement arrived on the heels of two Minnesota-based data breaches that demonstrated how difficult it can be to keep sensitive information under lock and key in the digital age.
Ameriprise Financial Inc. of Minneapolis said Wednesday that about 225,000 customers and financial advisers were exposed to possible fraud after an employee's laptop computer was stolen from the employee's car last month.
In a separate incident, a laptop computer stolen earlier this month from a locked cabinet in the Roseville office of the Minnesota Department of Employment and Economic Development contained the names and Social Security numbers of 3,000 workers.
In both cases, the people affected were notified. Ameriprise fired the employee for not protecting the information with encryption. The DEED information also was unencrypted but protected by a password, and DEED will add encryption to its laptops from now on, Commissioner Matt Kramer said.
"I won't say we've solved the problem, but up until the break-in, we thought we had a pretty thorough security system," Kramer said.
Ameriprise notified numerous state regulators of the breach and the U.S. Securities and Exchange Commission, the National Association of Securities Dealers and the U.S. Office of Thrift Supervision, spokesman Andy MacMillan said.
FTC Chairwoman Deborah Platt Majoras said ChoicePoint will pay a $10 million fine, the FTC's largest civil penalty ever, and $5 million to consumers.
"It's certainly going to cause the industry to sit up and take notice," said Beth Givens, director of the Privacy Rights Clearinghouse, a non-profit group concerned with how consumer information is used.
ChoicePoint, based in suburban Atlanta, sold consumer information to subscribers who lied about their credentials to gain access to the sensitive data. The FTC said the company did not have reasonable procedures to screen its customers.
ChoicePoint CEO Derek Smith said the company has made changes that will ensure the breaches never occur again.
The FTC is getting tougher because a string of highly publicized data break-ins has consumers demanding protection, said Sue Houk, acting head of the Identity Theft Resource Center, a resource for fraud victims.
"We've all reconciled ourselves to the fact that our information is out there but we expect people to act responsibly with it," Houk said.
The Consumers Union called on Congress to write laws that would allow Americans to see the personal data that has been collected on them and correct it.
To see a list of publicly disclosed data breaches since ChoicePoint, visit the Privacy Rights Clearinghouse Web site: http://www.privacyrights.org/ar/ChronDataBreaches.htm.
