Embattled personal data vendor ChoicePoint will stop selling sensitive consumer data to many of its customers, except when that data helps complete a consumer transaction or helps government or law enforcement, the company says in a statement.
The company decided to stop selling sensitive data, such as Social Security numbers and driver's license numbers, after being tricked into divulging personal information on about 145,000 people to identity thieves who posed as customers, according to a statement attributed to ChoicePoint Chairman and CEO Derek V. Smith.
"These changes are a direct result of the recent fraud activity, our review ... of our experience and products, and the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without direct benefit to them," Smith says in the statement, which was posted on ChoicePoint's Web site.
From now on, ChoicePoint will only sell sensitive personal information to customers when the data is necessary to complete a transaction, to accredited corporate customers that will use the data for user authentication or fraud prevention, or to help federal, state, and local government and criminal justice agencies, ChoicePoint says.
The move, which should be complete within 90 days, will eliminate a number of "information products" that the company now sells to its customers, especially small businesses, the company says.
ChoicePoint also says it is creating an independent office of credentialing compliance and privacy. The office will oversee ChoicePoint's overhaul of the company's customer credentialing process, which was blamed for allowing identity thieves to register as legitimate customers and order personal information, the company says in its statement.
Among other things, ChoicePoint is considering increasing the number of on-site visits it conducts when verifying customers, the company says.
ChoicePoint, of Alpharetta, Georgia, has access to about 19 billion public records, and the company reportedly has information on virtually every adult living in the U.S.
The company has been the focus of intense scrutiny and criticism since it acknowledged last month that identity thieves gained access to records and personal information on individuals in the 50 U.S. states, the District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands. Information provided by ChoicePoint has since been used in about 750 identity theft scams, according to the company.
Since disclosing the security breach, the company has been the focus of a U.S. Federal Trade Commission inquiry into its compliance with federal information security laws, a U.S. Securities and Exchange Commission (SEC) investigation into possible insider stock trading violations by its CEO and chief operating officer, and lawsuits alleging violations of the federal Fair Credit Reporting Act and California state law, ChoicePoint disclosed in a filing to the SEC last week.
The mishap has also prompted calls for new federal legislation to protect consumers. U.S. Senator Dianne Feinstein (D-California) introduced legislation called the Notification of Risk to Personal Data Act, which would require businesses and government agencies to notify victims when there is reason to believe a criminal obtained personal information.
Information on the ChoicePoint data theft became public only last month, after the company was compelled by California law to notify about 35,000 of the state's residents that their data had been exposed to identity theft. However, ChoicePoint has known about the theft since last September, but did not notify consumers, citing an investigation by law enforcement.
Public outcry forced ChoicePoint to strike a deal with 19 state attorneys general to notify the remaining 110,000 people whose data could have been exposed.
ChoicePoint supports a national dialogue about how public records information should be used and supports increased penalties of intentional misuse of personal information, says Kristen McCaughan, a company spokesperson.
The company also warned investors last week that the expected changes to its business, and continued fallout from the identity theft revelations, will hurt its bottom line in 2005.
ChoicePoint expects the changes to cut between $15 million and $20 million of revenue in 2005, not including $2 million that the company will spend purchasing credit reports and monitoring services for consumers affected by the theft, as well as legal, consulting, and technology expenses related to the incident, the company says.