ChoicePoint Inc., a seller of information about most households and their inhabitants, became an overnight household name last month.
The Alpharetta, Ga., company disclosed that criminals posing as legitimate business operators had acquired 145,000 consumer records in October 2004. This announcement was followed by a report that the company experienced a similar breach in 2000. The U.S. Securities and Exchange Commission has launched an investigation into stock sales made just before news of the October breach came out, and the Federal Trade Commission is looking into the firm’s credentialing of data buyers.
The scandal — together with the revelation yesterday that criminals stole private information on as many as 32,000 Americans from a database owned by Reed Elsevier — may prompt changes in the way data is guarded. “The ChoicePoint sale of information to criminals is going to highlight the need not only to verify the legitimacy of data users but also the need to ensure that personal information is being used for certain, legitimate purposes,” said Chris Hoofnagle, legislative counsel of the Electronic Privacy Information Center.
Currently no single law or government body regulates the collection and sale of the type of data ChoicePoint hawks, such as driver’s license numbers, fingerprints, names, addresses, Social Security numbers and credit card account numbers.
Many observers expect tougher laws to emerge from this scandal. The attorney general of Rhode Island has called for greater consumer protection in that state, and the governor and attorney general of Illinois have taken similar steps. Eleven states are considering legislation that would allow consumers to freeze their credit reports, preventing access to them.
Jonathan Penn, analyst at Forrester Research, predicted that three consumer privacy bills introduced in January by Democratic Senator Dianne Feinstein of California have taken on a higher priority since the ChoicePoint scandal. There will be special attention paid to her proposed legislation that would extend nationwide California’s requirement that data vendors notify consumers whose records have been infiltrated.
“The issue here is one of accountability,” Penn said. “I have yet to see any effective self-regulation in any industry, so there’s absolutely going to be broader data-privacy legislation. That train has been leaving for a while now, and it’s been leaving from California for all points East.”
While not required by law to notify affected citizens who live outside of California, ChoicePoint did agree to contact everyone affected, but only after pressure from politicians and the press. The company entered into an agreement with the attorneys general of the 19 states that are home to the consumers left exposed by the fraud to notify those consumers.
“Specific regulation of data brokers is a hot issue, and it’s going to be jumped on just like we got Sarbanes-Oxley after Enron,” Penn said. “Congress tends to wait for a huge public cry before they act,” and they just heard it.
Legislation, however, will not solve the problem ChoicePoint experienced. In fact, analysts say, had the company taken more responsibility in checking out the credentials of its customers and watching their activity, legislation, consumer notification and governmental inquiries would not be necessary.
“Security is one of those things where people will exploit the weakest link,” Penn told CRM Buyer. In the October fraud, the criminals set up accounts as legitimate ChoicePoint customers. “They didn’t crack a password or anything. They just set up accounts as customers,” he said. “The problem should have been caught. [ChoicePoint] missed out on some serious stuff,” probably because they never paid proper attention to profiling their buyers or monitoring their activity.
And the data vendor had plenty of warning to improve security. At least 7,000 and perhaps as many as 10,000 consumer records were fraudulently obtained in 2000. Two people had set up ChoicePoint accounts with fake identification and used the data they obtained to commit at least $1 million in fraud.
“Public policy approaches should limit collection and use of personal information, so we need to get beyond legitimate and illegitimate businesses,” Hoofnagle commented. “Even legitimate businesses can abuse data. We need to focus on the uses for which data are employed.”
Glass Half Full
“The beauty of the situation is that the California security breach notice law has caused a great awareness of how personal information can be employed for illegal and harmful purposes,” Hoofnagle said.
“The incident has caused a great leap forward in the understanding of the problems involved with commercial data brokers,” he continued. “We’re no longer talking about solutions that just involve privacy notices. Legislative approaches are going to go to the heart of the matter: Is it appropriate for obscure companies to sell individuals’ private bits without a framework of privacy protection following fair information practices?”
According to Penn, it’s not about appropriate or fair business practices as much as it’s about money. “Other than class-action suits, the average victim has little recourse against ChoicePoint,” he said.