Choicepoint has agreed to pay $275,000 to the FTC, and to conduct bi-annual assessments of its information security program and provide these assessments to the FTC for 20 years. The terms are set out in a modified settlement order issued by the Northern District of Georgia, stemming from charges brought by the FTC over Choicepoint's violations of a previous court order requiring implementation of a comprehensive information security program. The modified settlement order also imposes additional reporting obligations on Choicepoint: reporting on changes in corporate structure that may impact compliance, bi-monthly reporting on security incidents and the responses to them for the next two years, and other detailed reporting and record-keeping requirements.
In 2005, Choicepoint suffered a data breach that resulted in at least 800 cases of identity theft, the imposition of more than $15 million in fines and damages, and a court order to maintain a comprehensive data security program. In 2008, this security program was significantly weakened when a key electronic security tool was turned off for four months, resulting in additional data breaches. Choicepoint self-reported the breach, which resulted in the modified settlement order.
This order illustrates that the FTC is becoming more active in enforcing information security requirements, and once they start looking into your business, it may be hard to get them out.