May 31, 2007
Jefferson City, Mo. — Attorney General Jay Nixon, along with the attorneys general of 43 other states, has reached a settlement with Georgia-based ChoicePoint to resolve allegations that the company failed to adequately maintain the privacy and security of consumers’ personally identifiable information that was in its control. The assurance of voluntary compliance was filed today in Cole County Circuit Court.
ChoicePoint is a provider of identification and credential verification services to businesses, government and non-profit organizations, as it collects, maintains and distributes the personally identifiable information of consumers. Nixon says that in February 2005, ChoicePoint announced that criminals posing as legitimate businesses gained access to this personal information. After these crimes, ChoicePoint mailed more than 145,000 notices to consumers across the country whose information may have been viewed or acquired by the criminals.
In January 2006, ChoicePoint settled its case with the Federal Trade Commission, and paid $5 million into a pool to be used for consumer redress. The company also reached this separate settlement with the states, through which it is paying $500,000 to the states. Missouri will receive $5,500 of this payment for use to fund consumer education and enforcement of consumer protection laws.
“It’s important that as part of this agreement, ChoicePoint will make significant, ongoing changes in the way the company credentials new customers who have access to consumers’ personal information,” Nixon said. “Considering the threat that identity theft poses in this day and age, we expect that this or any other business that handles such sensitive information will vigilantly protect it.”
As part of the settlement, ChoicePoint is required to implement a program for developing a credentialing checklist designed to protect its reports from unauthorized or fraudulent use or access. The program includes verification of the business identity of the applicant seeking the report, that the applicant is engaged in the business they claim to be performing, and that the business has a permissible purpose for obtaining the information. ChoicePoint is also required to develop a red-flag system that will alert the company that an application may be fraudulent, and follow up with an investigation. The company is also required to perform yearly random audits to determine if its credentialing program is working, and submit to independent, third-party compliance assessments in 2008, 2010 and 2012.