# In the Matter of ChoicePoint Inc. (2006) — FTC Data Security and Consumer Redress

## Table of contents
- Executive Summary
- Regulatory and Legal Outcomes
- Security Technical Summary
- Understanding Regulatory and Court Orders
- Case Pack Documents
- Facts and Timeline
- References
## Executive Summary
ChoicePoint disclosed that fraudsters obtained consumer records by exploiting weaknesses in customer credentialing and access approval controls. The FTC pursued enforcement and in 2006 announced a stipulated settlement requiring a comprehensive security program, independent assessments, and consumer redress obligations.
## Regulatory and Legal Outcomes
- Regulator: Federal Trade Commission (Section 5 / FCRA-related consumer protection context).
- Resolution: Stipulated final judgment and order (settlement), including civil penalties and injunctive security requirements.
- Core obligations: Security program governance, stronger credentialing and access controls, monitoring, independent assessment, and compliance reporting.
## Security Technical Summary

### Summary

The incident reflected a failure of verification and access governance: fraudulent customer onboarding pathways gave unauthorized parties access to high-value consumer records.
### Attack Chain

- Fraudulent actors submitted or used customer identities to obtain access through weak vetting gates.
- Access enablement controls were insufficiently strict for high-risk data access.
- Consumer records were retrieved through approved-but-fraudulent pathways.
- Detection and escalation controls were not sufficient to prevent broad exposure early.
### Engineering Takeaways
- Enforce risk-based applicant/customer verification controls.
- Apply least-privilege access design and periodic entitlement recertification.
- Deploy fraud/anomaly monitoring with tested escalation playbooks.
- Maintain control-to-evidence mapping and regulator-ready artifact packaging.
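The monitoring takeaway above, as an added example that is not part of the case pack: a per-account screen over constructed daily retrieval summaries that flags the pattern described in the attack chain (an approved account whose vetting never completed, a newly onboarded account pulling records in bulk, or an established account spiking far above its own baseline). Account identifiers, log fields and thresholds are assumptions for illustration, not ChoicePoint data.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed daily access summaries (not real records):
# (customer_id, day, records_retrieved, account_open_date, verification_status)
ACCESS_LOG = [
    ("C-1001", date(2005, 1, 3), 40, date(2003, 6, 1), "verified"),
    ("C-1001", date(2005, 1, 4), 45, date(2003, 6, 1), "verified"),
    ("C-1001", date(2005, 1, 5), 38, date(2003, 6, 1), "verified"),
    ("C-1001", date(2005, 1, 6), 410, date(2003, 6, 1), "verified"),  # spike
    ("C-2002", date(2005, 1, 4), 900, date(2005, 1, 2), "pending"),   # new, unvetted
    ("C-3003", date(2005, 1, 4), 12, date(2004, 11, 20), "verified"),
]

# Assumed thresholds; a real playbook would tune these per data tier.
NEW_ACCOUNT_DAYS = 30     # onboarding window treated as elevated risk
NEW_ACCOUNT_CAP = 100     # daily retrievals tolerated for a new account
SPIKE_FACTOR = 5          # flag when volume exceeds this multiple of baseline
MIN_BASELINE_DAYS = 3     # history needed before a spike is judged


def screen_access(log):
    """Return {customer_id: [finding, ...]} for accounts warranting escalation."""
    by_account = defaultdict(list)
    for cid, day, count, opened, status in sorted(log, key=lambda r: r[1]):
        by_account[cid].append((day, count, opened, status))

    findings = defaultdict(list)
    for cid, rows in by_account.items():
        history = []  # this account's prior daily volumes, oldest first
        for day, count, opened, status in rows:
            # Vetting gate: any retrieval before credentialing completes is a finding.
            if status != "verified":
                findings[cid].append(f"{day}: {count} retrievals with status '{status}'")
            # Onboarding window: a young account pulling bulk records is high risk.
            if (day - opened).days <= NEW_ACCOUNT_DAYS and count > NEW_ACCOUNT_CAP:
                findings[cid].append(f"{day}: new account retrieved {count} records")
            # Behavioural baseline: compare against the account's own earlier days.
            if len(history) >= MIN_BASELINE_DAYS and count > SPIKE_FACTOR * median(history):
                findings[cid].append(f"{day}: {count} vs baseline {median(history):.0f}")
            history.append(count)
    return dict(findings)


if __name__ == "__main__":
    for cid, notes in screen_access(ACCESS_LOG).items():
        print(cid, notes)
```

Each finding is the escalation trigger the takeaway calls for; the account with steady, verified, low-volume use produces none.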
## Understanding Regulatory and Court Orders

See the Understanding Regulatory and Court Orders guide for interpretation of the official documents and mapping of their requirements to controls.
## Case Pack Documents

| Case Document | Summary | Writing Scenario |
|---|---|---|
| **Executive and board** | | |
| Board Pack | High-level security status and top risks for the board. | CISO delivers a board security brief to the Board Audit Committee. |
| Executive Security Risk Summary | Consolidated security risks and mitigation for executives. | Security Director prepares executive risk summary for CEO and leadership. |
| Security Program Status Report | Program health, metrics, and progress for leadership. | Lead Security Engineer submits status report to Security Director and CISO. |
| Strategic Security Initiative Justification | Business case for a major security initiative. | CISO presents business case for program investment and remediation. |
| **Regulatory and compliance** | | |
| Regulatory Security Explanation | Explain security posture and controls to a regulator. | Security lead submits explanation of program and compliance posture. |
| Compliance Justification Document | Justify how controls meet a requirement or framework. | Lead Security Engineer maps controls to legal or regulatory requirements. |
| Controls -> Evidence Map | How controls are implemented and evidenced. | Security or control owner maps controls to evidence for regulator or auditor. |
| Governance Response Memo | Respond to an audit or regulatory request on governance. | CISO submits governance response memo for oversight review. |
| **Legal-technical** | | |
| Detailed Narrative of Events | Chronological factual narrative for legal or regulatory use. | Security or legal prepares chronology for counsel or regulator. |
| Security Architecture Explanation for Legal Review | Explain architecture and controls for counsel. | Lead Security Engineer produces architecture memo for General Counsel. |
| Risk Register | Justify risk acceptance or mitigation for legal or audit. | Security Director maintains risk register for leadership and audit. |
| Security Decision Documentation | Record a significant security decision and rationale. | Security Director documents decision record for board and counsel. |
| **Policy and governance** | | |
| Security Policy Draft | Draft or update an enterprise security policy. | Security Director drafts policy for CISO, Legal, and board review. |
| Security Governance Memo | Define or clarify governance roles and escalation. | CISO issues internal governance memo to leadership. |
| Security Program Justification | Justify program scope, resourcing, or structure. | CISO presents program justification to CEO and board. |
| Internal Security Directive | Directive or mandate from leadership on security. | CISO issues internal directive on priority control requirements. |
| **Public communication** | | |
| Security Public Statement | Draft press or public statement on a breach or incident. | CISO drafts public statement for consumers and partners. |
| Customer Security Explanation | Explain a security topic or incident to customers. | CISO drafts formal customer explanation for affected users. |
| Security Transparency Report Section | Section for an annual or ad-hoc transparency report. | CISO drafts security section of transparency report for external audiences. |
| **Operational (case-pack specific)** | | |
| Audit Packet Checklist | What to produce within 48 hours for evidence readiness. | Checklist for audit or regulator request. |
| Implementation Checklist | 0-30 / 30-60 / 60-90 day execution plan. | Security or program owner executes plan for leadership or board. |
## Facts and Timeline
- 2005: Unauthorized access to consumer records discovered.
- 2005: Public disclosures and customer notification processes begin.
- Jan 2006: FTC announces settlement with penalties and security program requirements.
- 2006 onward: Program remediation, governance reporting, and independent assessment execution.
## References

Primary (official documents):
- FTC case page: ChoicePoint, Inc. matter
- FTC press release: ChoicePoint settles data security breach charges