US data broker ChoicePoint has agreed to pay $10m to settle the last remaining class-action lawsuit filed against the company in connection with a data breach disclosed in early 2005 in which the personal information of more than 160,000 people was exposed.
ChoicePoint announced the settlement last week, along with its financial results for last year's fourth quarter. ChoicePoint said it didn't admit to any liability for the breach as part of the settlement, which is still subject to court approval.
Separately last week, ChoicePoint disclosed that the US Securities and Exchange Commission has concluded an investigation that included a probe of stock trades by the company's top two executives in the aftermath of the data loss.
The SEC did not recommend any enforcement actions against either of the executives or ChoicePoint itself.
The SEC's investigation involved the sale of nearly $18m worth of ChoicePoint stock by Chairman and CEO Derek Smith and Douglas Curling, the company's president and chief operating officer, in the months between the initial discovery of the breach in October 2004 and its public disclosure the following February.
In contrast to the SEC, another US regulator, the Federal Trade Commission, last year assessed a $10 million civil penalty against the company for violations of the Fair Credit Reporting Act. The FTC said that ChoicePoint had failed to implement reasonable procedures for protecting the billions of personal records – including the names, Social Security numbers, and bank and credit card information of consumers – that it collected and maintained.
At the time, FTC Chairman Deborah Platt Majoras described the fine as the largest ever levied by the commission. In addition to the penalty, the FTC ordered ChoicePoint to set up a $5 million trust fund for individuals who might have become identity-theft victims as a result of the breach. ChoicePoint also was required to submit to comprehensive security audits every two years for the next 20 years.