Data broker ChoicePoint has agreed to pay $10 million to settle a class-action lawsuit brought against it over the 2004 theft of 163,000 personal information records by a ring of Nigerian identity thieves.
The company also said the Securities & Exchange Commission (SEC) has concluded its investigation into the sale of ChoicePoint stock by Chief Executive Officer Derek Smith and Chief Operations Officer Doug Curling after the discovery of the data breach in 2004 but before the breach was made public in 2005.
Smith and Curling made over $16 million in profit from the stock sale, but the SEC declined to recommend any enforcement action against them.
ChoicePoint said the settlement would have no impact on its financial results, as the money was to be paid from a reserve insurance fund already set aside to cover expenses and costs relating to the breach. However, the company's quarterly earnings statement registered a loss of $32.32 million, or 47 cents a share, for the fourth quarter of 2007, compared with a profit of $23.67 million, or 30 cents a share, for the previous year.
The ChoicePoint theft vaulted the mysterious world of data brokers and information selling to the forefront of the public consciousness, and made the Alpharetta, Georgia company synonymous with the phrases "data breach" and "identity theft."
While not the first or the largest breach of personal information, the ChoicePoint incident prompted new scrutiny and calls for greater oversight of the data sales trade.
ChoicePoint itself went on a makeover P.R. blitz in the wake of the breach, evangelizing its new transparency and openness to privacy advocates. It hired former Transportation Security Administration head Carole DiBattiste as its privacy officer, and legal counsel Katherine Bryan as its "consumer advocate."
The company earlier paid $15 million in civil and consumer penalties to the Federal Trade Commission and agreed to tighten its security procedures and submit to random audits to ensure it was properly protecting personal information.
It coughed up another $500,000 to settle lawsuits brought by the Attorneys General of 44 states for its lax handling of personal data that led to the breach.