Attorney General Hardy Myers today filed a settlement agreement with ChoicePoint, a national provider of identification and credential verification services to businesses, government and non-profit organizations, resolving allegations that the company failed to adequately maintain the privacy and security of consumers' personally identifiable information that was in its control. The Alpharetta, Georgia company was named in an Assurance of Voluntary Compliance (AVC) filed in Marion County Circuit Court. The AVC admits no law violation.
"For the second time in nine months, we have had to deal with a major data breach without a specific law to help us insure that adequate protections are in place when consumers' information is breached," Myers said. "I am heartened by the Legislature's efforts to strengthen Oregon's law regarding security breaches by its work on SB 583; I encourage the Assembly to make it law."
ChoicePoint, among other things, collects, maintains, and distributes consumers' personally identifiable information. In February 2005, ChoicePoint announced that criminals posing as legitimate businesses gained access to consumers' personally identifiable information. In the wake of these crimes, ChoicePoint, using the California breach notification law as a guide, mailed more than 145,000 notices to consumers across the country whose information may have been viewed or acquired by the criminals.
As part of this 44 multi-state settlement, ChoicePoint will make significant, ongoing changes in the way that the company credentials new customers who have access to personally identifiable information. For the first time, a data broker has agreed to safeguard publicly available information using the same credentialing methods as it uses to safeguard financial information that is protected by law. Certain sensitive publicly available information, including Social Security numbers, will now receive greater protection.
Also as part of this settlement, ChoicePoint will pay $500,000 to the states.
In January 2006, ChoicePoint settled its case with the Federal Trade Commission (FTC) and paid $5 million into a pool to be used for consumer redress. The FTC settlement requires ChoicePoint to improve its process for accepting clients that obtain information from credit reports. The settlement entered into today by Oregon and 43 other states goes beyond the FTC settlement and requires ChoicePoint to improve its credentialing process for clients that obtain Social Security numbers and other forms of personally sensitive information.
Consumers, who suffered out of pocket expenses relating to identity theft that resulted from the ChoicePoint breach, may obtain redress under the FTC Order. The deadline to submit a redress claim form to the FTC is June 22, 2007. If consumers meet the eligibility requirements for redress, they can complete the redress form and submit that for consideration. More information is available at: http://www.ftc.gov/choicepoint or by calling the Attorney General's consumer hotline at (503) 378-4320 (Salem area only), (503) 229-5576 (Portland area only) or toll-free at 1-877-877-9392. The Department of Justice website is www.doj.state.or.us.
Examples of expenses for which consumers may be reimbursed:
Unauthorized charges on existing accounts NOT covered by bank or credit card company
Money paid on new accounts opened in consumer's name
Money paid to a debt collector on new accounts opened in consumer's name
Cost of ordering new checks
Cost to file or receive copy of police report
Costs associated with correcting unauthorized charges and/or disputing incorrect information – telephone calls; mail, fax, photocopy charges; hourly fees for internet access; travel expenses.
Jan Margosian, (503) 947-4333 (media line only) firstname.lastname@example.org