Have you ever heard of the company ChoicePoint, Inc.? If you have ever done business with an insurance carrier, chances are that ChoicePoint has collected personal and private information about you including your name, address, date of birth and social security number. According to the ChoicePoint, Inc. web site,
Since 1997 ChoicePoint has been a leading provider of decision-making information and technology that helps reduce fraud and mitigate risk.
ChoicePoint has grown from the nation’s premier source of data to the insurance industry into the premier provider of decision-making insight to businesses and government. Through the identification, retrieval, storage, analysis and delivery of data, ChoicePoint serves the informational needs of businesses of all sizes, as well as federal, state and local government agencies.
A complaint filed on January 30, 2006 by the Federal Trade Commission, alleges that ChoicePoint obtains consumer information from a variety of sources such as insurance applications, insurance claims files, public records, motor vehicle records, and the nation’s three leading consumer reporting agencies. According to the FTC, ChoicePoint collects this information without contacting consumers nor can consumers remove this information from ChoicePoint information databases.
Ironically, although ChoicePoint holds itself out as “a leading provider of decision-making information and technology that helps reduce fraud and mitigate risk,” it allowed identity thieves to fraudulently access company records and obtain personal sensitive information for about 163,000 consumers. According to a consultant report about the company, in late 2004, ChoicePoint found that it had “mistakenly issued user accounts to Nigerians posing as legitimate small business.” A complaint filed by the Federal Trade Commission describes the conduct differently and in more detail. According to the FTC, the alleged mistakes involved failure by ChoicePoint to verify the authenticity of obviously fake business user accounts. For example, the FTC lawsuit alleges that ChoicePoint accepted user account applications containing inconsistent business identification information, false business licensing or registration materials, contradictory application responses, and other glaring information which should have alerted ChoicePoint to the possibility of fraud and identity theft. Instead, the FTC alleged that ChoicePoint regularly released confidential information to fraudulent account subscribers who then used confidential personal records for the sole purpose of committing identity theft.
The allegations against ChoicePoint appeared in late January, 2006. The FTC alleged that ChoicePoint violated the Fair Credit Reporting Act by not having in place adequate procedures to prevent impermissible users and criminals from accessing confidential data. Apparently ChoicePoint modified its fraud prevention procedures pursuant to an agreement with the Federal Trade Commission and ChoicePoint’s consent to continued monitoring oversight to ensure the validity of its business information subscribers. The company also agreed to pay a $10 million dollar penalty to the FTC and an additional $5 million dollars for “consumer redress.” Just within the the last few days, it appears that the Federal Trade Commission has set up a procedure for consumers to seek redress if they have been victimized as a result of the fraudulent conduct by ChoicePoint’s fraudulent subscribers.
In my opinion, the Federal Trade Commission vastly undervalues consumer redress claims involving 163,000 consumer victims. Thieves clearly stole confidential information belonging to 163,000 victims and as a result, all of these victims require special attention including long term credit monitoring, a new social security identification number, or other protections. By collecting $5 million dollars for consumer redress, it appears that the Federal Trade Commission values each consumer claim at no more than $30 per person. General credit monitoring costs alone for each consumer easily can exceed this threshhold amount for the amount of time reasonably required to protect the consumer. Additionally, consumer victims have been forced to spend a great deal of personal time and effort sorting out identity theft issues, reviewing recommendations, placing fraud alerts or credit freezes on their credit reports, examining credit reports, presenting information to the Social Security Administration, and filing police reports. These complicated and detailed tasks require substantial investment of time and effort. To suggest that a consumer’s damages amount to $30 per claim completely understates the harm to consumer victims. Perhaps the FTC has attempted to narrow the number and scope of victims in its calculations of consumers who have been victimized. For example, notwithstanding the theft of 163,000 victims’ confidential information such as social security numbers, dates of birth and the like, the FTC apparently estimated that only approximately 800 people have actually been victimized by identity theft. However, for all consumer victims, I firmly believe that the actual harm occurred once the data theft occurred irrespective of whether criminals have used the stolen data yet. Thus, any consumer redress order should take into account all 163,000 victims of data theft. This is true because savy criminals will likely wait a long time until after expiration of ninety day credit fraud alerts or after the fraud stories drop off the news wire before actually committing identity theft. Actual identity theft may not occur for years requiring consumers to incur tremendous time and expense of taking precautions costing more than the “consumer redress” offer of thirty-dollars.
By the way, I do not believe that any part of the $10 million dollar penalty paid directly to the FTC provides any remedies or consumer assistance. Therefore, it appears that the FTC has actually gained more than individual consumers as a result of CheckPoint’s faulty fraud-protection procedures. If you need additional information about this consumer redress program, the FTC has set up a separate web site to assist consumer victims of the fraud which occurred at CheckPoint.
If you have been victimized as a result of the ChoicePoint data theft, I suggest reviewing this FTC web site very carefully before submitting claims. The FTC may provide a good example of why private litigation attorneys working on a contingent fee could better serve certain consumers whose confidential information has been stolen but whose identities have not yet been used. The FTC recovered approximately 2/3 of the total sum paid by CheckPoint for itself leaving 1/3 of the total for consumers. Private litigation attorneys taking risks and expending costs make substantially less than the percentage taken by the FTC. I highlght this CheckPoint case only as an example of the difference between FTC and private litigation goals to show that plaintiff consumer attorneys serve a useful purpose. I do not suggest, however, that private litigation is appropriate in this case concerning the actions of ChoicePoint around late 2004 and Febraury, 2005. An analysis of the amount of time a consumer has available to file suit against ChoicePoint or forever lose the right to pursue compensation must be considered in detail before pursuing any private remedies. Based upon the applicable statute of limitations, consumers may not have any other remedy available to them at this time. However, such an analsysis requires an evaluation of numerous factors and is beyond the scope of this posting. If you have been victimized and have received notification from ChoicePoint that your personal information has been compromised, you should consider seeking legal assistance to evaluate your options.