ChoicePoint's Error Sparks Talk of ID Theft Law

WASHINGTON -- The revelation last week that data collector ChoicePoint mistakenly gave private information on up to 145,000 U.S. residents to identity thieves has led to renewed calls here for a national data privacy law.

ChoicePoint, based in Alpharetta, Georgia, reached an agreement on February 16 with 19 state attorneys general to tell the 145,000 potential victims that ID thieves may have gained access to personal information such as Social Security numbers and credit reports. Potential victims live in all 50 U.S. states, the District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands.

The ChoicePoint problem points to the need for a national privacy law, according to representatives of the Electronic Privacy Information Center (EPIC) and the Center for Democracy and Technology (CDT), two privacy advocacy groups. For most U.S. companies, the only notification of ID theft that's required by law is the one mandated by a California ID theft statute, which obligates companies doing business in the state to notify customers if their personal information has been accessed by an unauthorized person. The California law went into effect in July 2003.

"There certainly is agreement that we need better notification, exactly because of cases like this," said Ari Schwartz, associate director at CDT. "We're seeing [data companies] selling it to a lot of different people."

ChoicePoint has access to about 19 billion public records, and the company reportedly has information on virtually every adult living in the United States.

Related Legislation

In addition to calls by privacy advocates for legislation, U.S. Senator Dianne Feinstein, a California Democrat, has called for congressional hearings on a piece of privacy legislation she introduced this year. Feinstein's Notification of Risk to Personal Data Act, introduced on January 24, would require businesses and government agencies to notify likely victims when there is a "reasonable basis to conclude" that a criminal has obtained unencrypted personal data.

Feinstein's bill lacks co-sponsors, however, and a similar bill of hers went nowhere in Congress in 2004. Asked about the bill's chances in 2005, a Feinstein spokesman said that the ChoicePoint problems have shown the need for legislation.

"Moving any bill is always a difficult prospect, but now more people are coming to an understanding of the issue of identity theft," the spokesman said.

Feinstein, in a statement, called upon the Senate Judiciary Committee to hold hearings on her bill as soon as possible. "I strongly believe individuals have a right to be notified when their most sensitive information is compromised--because it is truly their information," her statement said. "And they have the right to decide what actions they want to take once a breach has been discovered. Unfortunately, data breaches are becoming all too common and current federal law does not require notification to consumers when these breaches occur."

Schwartz and Marc Rotenberg, EPIC's president, questioned whether ChoicePoint would have notified potential victims at all were it not for the California ID theft law. "They've been reckless with people's information," Rotenberg said of ChoicePoint. "We'd like Congress to look into what's happening in this [data collection] industry."

David Bernknopf, a ChoicePoint spokesman, disagreed that the California law was the only reason potential victims learned of the problems. The company first notified the sheriff's office in Los Angeles County in October of the possible data leak because ChoicePoint believed the problem started there, he said.

In November, California law enforcement authorities asked the company not to publicize the problems because of an investigation, and not until January did investigators identify potential victims in California, Bernknopf said. This month, California authorities notified the company that additional victims outside California existed, and the company then began notifying those people, he added.

How It Happened

It's still not entirely clear how the ID thieves gained access to ChoicePoint's data, Bernknopf said. Authorities believe it was the work of a group of people who used IDs stolen from legitimate businesspeople to set up phony businesses that contracted with ChoicePoint for ID checks, Bernknopf said. Among other services that ChoicePoint provides are background check documents for businesses and government agencies hiring workers.

"They didn't use their own names as chief executive officers of these companies," Bernknopf said of the fake company scam.

The ID theft "fraudsters," as ChoicePoint calls them, sought names, addresses, Social Security numbers, driver's license numbers, credit reports, and public information such as bankruptcies, liens, and professional licenses, according to the company.

ChoicePoint remains unsure of how many people will be affected by the scam because the company doesn't know the extent of the thieves' ability to use the personal data, Bernknopf said.

EPIC has long criticized ChoicePoint for its massive collection of information on innocent people. In December, EPIC called for a U.S. Federal Trade Commission investigation of ChoicePoint, saying the company had skirted Fair Credit Reporting Act rules designed to ensure that credit reports are accurate. EPIC contends that many of the records ChoicePoint sells to law enforcement agencies and financial services companies should fall under the fair-credit rules and be open to review by the people who are the subjects of those records.

Company chairman and CEO Derek Smith, in a letter to EPIC, called the group's charges an "inaccurate, misdirected, and misleading attack."

Subscribe to the Security Watch Newsletter

Comments