In January, the Federal Trade Commission levied a $15 million penalty against data broker ChoicePoint because the company allowed criminals posing as customers to access the personal data of 163,000 consumers. Of that sum, $5 million is being used to create a fund for victims of fraud or identity theft due to the data breach. Now, the FTC is trying to figure out how to find victims and quantify their losses.\u201cWe really don\u2019t have anything to compare it to,\u201d says Beth Givens, founder of the Privacy Rights Clearinghouse. \u201cVictims are protected by federal law from having to pay fraudulent charges, so the loss is primarily of time.\u201dBut Chris Keller, an attorney with the FTC\u2019s Division of Privacy and Identity Protection, says that the fund is unlikely to be used to reimburse victims for lost time or other intangibles (with the exception of unpaid time the victims had to take off work). The FTC is still working out exactly which losses will be covered. One qualified expense: the cost of credit monitoring for victims who discovered the fraud before ChoicePoint notified them and offered credit monitoring for free. Still a question mark: legal fees.Meanwhile, the FTC is working with law enforcement and creditors to determine whose information has been misused. The FTC says there have been at least 800 cases of identity theft so far (a number that ChoicePoint disputes). Of particular concern are the 10,000 consumers for whom ChoicePoint gave out full credit reports, \u201cthe richest source of data for identity theft,\u201d Keller notes.