FAQ on ChoicePoint

The ChoicePoint ID Theft Case: What it Means

In February 2005 the data company ChoicePoint disclosed that it sold records on thousands of Americans to identity thieves. In particular, it sold significant amounts of personal information on 145,000 consumers to a group of identity thieves in California, resulting in at least 700 known cases of fraud and identity theft. The information turned over to the thieves included names, addresses, Social Security numbers and credit reports.

This incident, which may have been the biggest release of personal information to data thieves ever, has captured the nation’s attention and brought new scrutiny to the data aggregator industry. This scandal has made it clear that Americans are extremely vulnerable to identity theft and that U.S. privacy laws are inadequate.

What is ChoicePoint?
ChoicePoint is part of an industry of “”data aggregators”” that make it their business to collect as much information as possible about everyone by drawing together data from a variety of sources. These companies, which also include such companies as Acxiom, Lexis-Nexis and many others, are largely invisible to the average person, but make up an enormous, multi-billion-dollar industry. They collect information from courthouses and other public sources, as well as marketing data – sometimes including extremely personal information, such as lists of individuals suffering from incontinence, prostate problems and clinical depression.

How did this incident become public?
The incident became public only because of a 2003 California law that requires companies to notify individuals when their personal information has been acquired by unauthorized parties through a security breach. The incident was discovered in October 2004, and after waiting over 3 months, ChoicePoint finally sent letters to approximately 30,000 California consumers about the sale of their data to identity thieves. (Consumers were told that their personal data may have been accessed by “”unauthorized third parties””; for many consumers, who had never heard of ChoicePoint, let alone sought a business relationship with them, it undoubtedly came as a surprise that ChoicePoint considered itself an authorized third party to collect vast amounts of personal data about them).

Only after the letters to California consumers became public did the company say it would notify consumers living in other states. Without the California law, it’s a good bet that ChoicePoint would never have admitted to this problem. In fact, in an SEC filing, ChoicePoint admitted that it determined that the number of individuals affected by the breach (145,000) by looking only at how many records the identity thieves had accessed after July 1, 2003, the date on which the California law went into effect.[1] The number of people exposed to identity theft by the ChoicePoint breach may therefore be far larger than the company has admitted.

In addition, although ChoicePoint’s CEO told reporters that this incident was a first, it quickly emerged that such a problem had happened at least one time before, in 2002, when a pair of fraud artists acc?essed at least 7,000 ChoicePoint records.[2] In that case, ChoicePoint apparently did not even notify the consumers involved, let alone the public.[3]

Clearly, this is a co?mpany? that is trying to disclose the bare minimum required to the public about the security and identity theft problems that it has had.

Is this incident unique?
Certainly not. In addition to the 2002 ChoicePoint case (and perhaps others that still have not been made public), numerous other companies have been involved in such information breaches. For example:

• Just days after the ChoicePoint debacle became public, Bank of America disclosed that it had lost computer tapes containing the social security numbers and account information of 1.2 million federal employees – all too literally a treasure trove for identity thieves.
• A few weeks later, another data company, Lexis-Nexis, revealed that 32,000 records on American citizens had been obtained by hackers.[4]
• In 2002 and 2003, two separate hackers managed to download personal information from databases owned by the data giant Acxiom Corp.[5]

How big a concern is identity theft?
Identity theft is an enormous problem. A September 2003 Federal Trade Commission report found that nearly 10 million Americans, or nearly 5 percent of U.S. adults, had been victimized by identity theft in 2002.[6] And ID theft is a fast-growing problem that has certainly gotten even worse since that report was written.

The effects on victims range from financial losses to lost mortgages and jobs, to even in some cases to the arrest of innocent people who are “”wanted”” for crimes committed by others using their identities.[7] In most cases, victims must spend many frustrating hours trying to untangle the resulting mess – much of which must be devoted to trying to get data companies like ChoicePoint to correct their records and stop propagating false information. Credit bureaus and other data companies have long been infamous for their extremely poor and hard-to-reach customer service. They are “”cost shifting”” – saving money on customer service by shifting the costs to the individuals who must endure long waits and frustrating lack of responses. And the individuals forced to endure that poor service cannot “”vote with their feet”” and leave for a competitor, because they are not customers of these companies, never wanted or asked to be involved with them, and thus have no power or leverage over them.

Are the data companies to blame?
Yes. First, these companies have gone into the business of compiling detailed information on you without your knowledge or permission, and then spreading around to others. This behavior, which according to most Americans’ lights qualifies as rude and wrong, at a minimum imposes a responsibility on these companies to treat that information about people’s lives with care. Yet these companies have long been known to be extremely careless and sloppy with the facts of individuals’ lives – doing unmeasured harm to uncounted individuals. Individuals who have obtained their ChoicePoint records have found them to be riddled with wild inaccuracies – including children that were never born, marriages that never took place, addresses where they never lived, neighbors they never had – and crimes they never committed.[8] Clearly, this cavalier attitude has extended to the realm of security.

Second, the data aggregators have become very aggressive in marketing their products – making fig-leaf claims about restricting their sales to “”legitimate users”” that the companies never tried very hard to verify and which no one with knowledge of the industry ever took seriously. ChoicePoint, for example, for a time sold boxed, off-the-shelf software for conducting background checks at the Wal-Mart-owned “”Sam’s Club”” stores for around $40.[9] The company now complains about being “”duped”” by the identity thieves, but ChoicePoint had every incentive to increase sales and it is easy to wonder how hard it worked to turn away business.

Is the government to blame?
Yes. Through its lax, hands-off attitude toward the shadowy activities of data brokers, the government failed to protect us against this breach of information to fraud artists. And more broadly, the government is failing to prevent the loss of control over our private information and what is done with it. Privacy is a human right; individuals cannot live their lives freely, and democracy cannot work effectively, unless individuals have a reasonable measure of knowledge and control over how they present themselves to the world. The government has a responsibility to protect that right and is not doing so.

Why are the data aggregators significant?
Aggregation of information is at the heart of the privacy issue. The growing piles of data being collected on Americans represent an enormous invasion of privacy, but our privacy has actually been protected to some extent by the fact that all this information still remains scattered across many different databases. As a result, there exists a pent-up capacity for surveillance in American life today – a capacity that is being fully realized as the government, landlords, employers, and other powerful forces gain the ability to draw together all this information. That is precisely what data aggregation companies seek to do, and why they therefore represent one of the greatest existing threats to Americans’ privacy.

For an animated illustration of the problems with untrammeled data aggregation, see www.aclu.org/pizza. You can also read the ACLU report “”Bigger Monster, Weaker Chains,”” available online at www.aclu.org/monster.

Does the government use this information?
Yes, the government is increasingly becoming a customer of private-sector data aggregators. In an era when individuals are being held without charge by the U.S. military, confined to detention camps without trial, and spirited away by the CIA to prisons in foreign countries that practice torture, this is a development that has the most serious implications.

For data companies, the “”war on terror”” has opened up a new government customer base and provided a way to squeeze new revenues out of its information dossiers. For government security and intelligence agencies who are barred (by the Privacy Act of 1974) from maintaining dossiers on individuals not suspected in wrongdoing, signing contracts with the data aggregators allows them to circumvent such laws by accessing the dossiers kept by the private sector.

ChoicePoint, for example, claims to have contracts with at least 35 government agencies. It has an $8 million contract with the Justice Department that allows FBI agents to tap into the company’s vast database of personal information on individuals, as well as contracts with the Drug Enforcement Administration, the U.S. Marshals Service, the IRS, the Bureau of Citizenship and Immigration Services (formerly INS) and the Bureau of Alcohol, Tobacco and Firearms.[10]

The growing surveillance nexus between the private sector and government is the subject of the ACLU report “”The Surveillance-Industrial Complex,”” online at www.aclu.org/surveillance.

What do we need to do to fix this problem?
ChoicePoint and its competitors have succeeded in laughing all the way to the bank as they collect information on consumers without their knowledge, sell it promiscuously, save money by shortchanging security and customer service, and then keep the resulting problems out of public view where these companies prefer to operate. In the face of this situation, the government must step in to protect Americans privacy.

The United States is the only major industrialized nation in the world that does not have a broad privacy law and a privacy minister to enforce it. Such a law must be enacted. The outlines of what such a law should contain are expressed in a broad set of privacy principles that have gained recognition around the world as the human rights standard for privacy. Those principles include:

• Notice. Individuals must be informed that information is being gathered about them, and what information that is. (California’s law requiring notice to individuals whose data has been leaked should also be enacted at the national level.)
• Choice. The data industry claims that their service is useful and helps make commerce more efficient. If that is the case, they should not have a problem with allowing individuals to judge for themselves the advantages of having one’s records on file with a data company, and requiring those companies to secure individuals’ permission before opening dossiers on them.
• Access. Individuals must have access to the data files that are kept on them.
• Purpose specificity. Companies must specify the purposes for which they are collecting personal information.
• Use limitation. Unless they get an individual’s permission, companies must not use personal information for purposes other than what they specified when they gathered it.
• Security. Personal information must be kept secure. Though perhaps the least controversial of the data principles, recent events appear to indicate that even this principle is not taken seriously by the data aggregator industry

  What should I do if I fall victim to identity theft?
  Consumers needing help and information about individual identity theft problems should contact the Privacy Rights Clearinghouse or the Identity Theft Resource Center.

  Footnotes

  [1] ChoicePoint, Securities and Exchange Commission Form 8-K, filed March 4, 2005; online at http://tinyurl.com/3lkeh. Thanks to Bruce Schneier for drawing attention to this statement.
  [2] David Colker and Joseph Menn, “”ChoicePoint CEO falsely called data theft a first Similar breach occurred in 2002,”” Los Angeles Times, March 4, 2005. Online at http://www.latimes.com/business/la-fi-ChoicePoint3mar03,0,5408578.story?coll=la-home-business.
  [3] Harry R. Weber, “”ChoicePoint was victim of ID theft in ’02,”” Associated Press, March 3, 2005. Available online at http://seattletimes.nwsource.com/html/businesstechnology/2002195125_ChoicePoint03.html. [4] Ellen Simon, “”U.S. Citizens’ Data Possibly Compromised,”” Associated Press, March 9, 2005. Available online at http://abcnews.go.com/US/wireStory?id=565714.
  [5] Caryn Rousseau, “”Man charged with massive Axciom personal-info hack,”” Associated Press, July 22, 2004. Available online at http://www.usatoday.com/tech/news/computersecurity/2004-07-22-axciom-hack-charges_x.htm.
  [6] Federal Trade Commission, Identity Theft Survey Report (Sept. 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf; Counterfeit Identification and Identification Fraud Raise Security Concerns: Hearing Before the Senate Comm. on Finance, 108th Cong. (September 9, 2003) (Statement of Robert J. Cramer, Managing Director, Office of Special Investigations, U.S. General Accounting Office).
  [7] See for example, Brian Maass, “”ID Theft Victim Put In Jail,”” CBS4 News [Denver, Colorado], February 8, 2005. Online at http://news4colorado.com/investigates/local_story_039183038.html. [8] Bob Sullivan, “”ChoicePoint files found riddled with errors,”” MSNBC, March 8, 2005. Online at http://www.msnbc.msn.com/id/7118767/.
  [9] Adam Geller, “”High-Tech Background Checks Hit Stores,”” Associated Press, March 8, 2004; available online at http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700&slug=Background%20Check.
  [10] See information on EPIC Freedom of Information Act lawsuit, online at http://www.epic.org/privacy/ChoicePoint/default.html; Glenn R. Simpson, “”Big Brother-in-Law: If the FBI Hopes to Get The Goods on You, It May Ask ChoicePoint”” Wall Street Journal, April 13, 2001; William Matthews, “”Commercial database use flagged,”” Federal Computer Week, January 16, 2002; online at http://www.fcw.com/fcw/articles/2002/0114/web-epic-01-16-02.asp.