ChoicePoint Inc., a seller of information about most households and their inhabitants, became an overnight household name last month.
The Alpharetta, Ga., company disclosed that criminals posing as legitimate business operators had acquired 145,000 consumer records in October 2004. This announcement was followed by a report that the company experienced a similar breach in 2000. The U.S. Securities and Exchange Commission has launched an investigation into stock sales made just before news of the October breach came out, and the Federal Trade Commission is looking into the firm’s credentialing of data buyers.
The scandal — together with the revelation yesterday that criminals stole private information on as many as 32,000 Americans from a database owned by Reed Elsevier — may prompt changes in the way data is guarded. “The ChoicePoint sale of information to criminals is going to highlight the need not only to verify the legitimacy of data users but also the need to ensure that personal information is being used for certain, legitimate purposes,” said Chris Hoofnagle, legislative counsel of the Electronic Privacy Information Center.
Legislative Power
Currently no single law or government body regulates the collection and sale of the type of data ChoicePoint hawks, such as driver’s license numbers, fingerprints, names, addresses, Social Security numbers and credit card account numbers.
Many observers expect tougher laws to emerge from this scandal. The attorney general of Rhode Island has called for greater consumer protection in that state, and the governor and attorney general of Illinois have taken similar steps. Eleven states are considering legislation that would allow consumers to freeze their credit reports, preventing access to them.
Jonathan Penn, analyst at Forrester Research, predicted that three consumer privacy bills introduced in January by Democratic Senator Dianne Feinstein of California have taken on a higher priority since the ChoicePoint scandal. There will be special attention paid to her proposed legislation that would extend nationwide California’s requirement that data vendors notify consumers whose records have been infiltrated.
“The issue here is one of accountability,” Penn said. “I have yet to see any effective self-regulation in any industry, so there’s absolutely going to be broader data-privacy legislation. That train has been leaving for a while now, and it’s been leaving from California for all points East.”
While not required by law to notify affected citizens who live outside of California, ChoicePoint did agree to contact everyone affected, but only after pressure from politicians and the press. The company entered into an agreement with the attorneys general of the 19 states that are home to the consumers left exposed by the fraud to notify those consumers.
“Specific regulation of data brokers is a hot issue, and it’s going to be jumped on just like we got Sarbanes-Oxley after Enron,” Penn said. “Congress tends to wait for a huge public cry before they act,” and they just heard it.
Confirming Credentials
Legislation, however, will not solve the problem ChoicePoint experienced. In fact, analysts say, had ChoicePoint taken more responsibility for checking the credentials of its customers and watching their activity, legislation, consumer notification and governmental inquiries would not be necessary.
“Security is one of those things where people will exploit the weakest link,” Penn told CRM Buyer. In the October fraud, the criminals set up accounts as legitimate ChoicePoint customers. “They didn’t crack a password or anything. They just set up accounts as customers,” he said. “The problem should have been caught. [ChoicePoint] missed out on some serious stuff,” probably because they never paid proper attention to profiling their buyers or monitoring their activity.
And the data vendor had plenty of warning to improve security. At least 7,000 and perhaps as many as 10,000 consumer records were fraudulently obtained in 2000. Two people had set up ChoicePoint accounts with fake identification and used the data they obtained to commit at least $1 million in fraud.
“Public policy approaches should limit collection and use of personal information, so we need to get beyond legitimate and illegitimate businesses,” Hoofnagle commented. “Even legitimate businesses can abuse data. We need to focus on the uses for which data are employed.”
Glass Half Full
“The beauty of the situation is that the California security breach notice law has caused a great awareness of how personal information can be employed for illegal and harmful purposes,” Hoofnagle said.
“The incident has caused a great leap forward in the understanding of the problems involved with commercial data brokers,” he continued. “We’re no longer talking about solutions that just involve privacy notices. Legislative approaches are going to go to the heart of the matter: Is it appropriate for obscure companies to sell individuals’ private bits without a framework of privacy protection following fair information practices?”
According to Penn, it’s not about appropriate or fair business practices as much as it’s about money. “Other than class-action suits, the average victim has little recourse against ChoicePoint,” he said.
The California approach is the only way, short of class action lawsuits, to PROTECT against identity theft. Each CA citizen can choose to lock down their access to any new financial transactions such as new credit card applications, loans, checking accounts, etc. This is done by registering yourself, with proper ID and in person, with a new state agency that assigns a password which is then required for any new financial transactions in your name. SSN, birthdate, mother’s maiden name, and any other previous information fragment used to establish identity is no longer adequate in CA to open new financial accounts. Why haven’t other states adopted this? Banks, credit agencies, and establishments that provide credit histories like Equifax and the offending ChoicePoint all lobby against it as they would have fewer opportunities to sell their products.
Some states like NJ have legislation in the talking phases, but I doubt there will be any change until either citizens complain about the lack of protection or the politicians themselves become victims of ID theft. Get active and contact your state legislators to protect us.