ChoicePoint Update (Large Scale Identity Theft)

washington monthly ^ | 2/24/2005 | Kevin Drum

[Southack]

CHOICEPOINT UPDATE....It turns out that the massive identify theft scam at ChoicePoint happened last October — but nobody got notified until last week. And even that never would have happened if not for the fact that California has a law requiring disclosure of leakage of personal information. Security expert Bruce Schneier says the same thing is likely to happen again unless economic incentives are brought to bear:

ChoicePoint protects its data, but only to the extent that it values it. The hundreds of millions of people in ChoicePoint's databases are not ChoicePoint's customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. Maybe they should rename the company "NoChoicePoint."

The upshot of this is that ChoicePoint doesn't bear the costs of identity theft, so ChoicePoint doesn't take those costs into account when figuring out how much money to spend on data security....Until ChoicePoint feels those costs — whether through regulation or liability — it has no economic incentive to reduce them.

Bruce is right. Unless ChoicePoint feels some pain, why should they care about keeping their records safe? Here's the pain:

A California woman has sued ChoicePoint Inc. for fraud and negligence after criminals gained access to a database of personal records compiled by the company.

.... The suit seeks to represent anyone whose personal records were maintained by ChoicePoint from October 2004 through the completion of the suit, regardless of whether or not that data was actually released to anyone.

Let's hope George Bush's new law restricting class action suits doesn't force this one into federal court and then into infinite limbo. At the moment, a civil suit is the only way to cause ChoicePoint enough pain to make them take security seriously.

[Southack]

Southack responds: President Bush's Patriot Act requires customer banking data to be encrypted, and holds companies criminally responsible for *any* loss of control of said customer data.

http://www.imgdata.com/patriot.html
The passing of the USA PATRIOT Act reinforces the reality that any paper or electronic data management program should garner top priority for corporate leadership and corporate governance. The Patriot Act requires the Secretary of the Treasury to prescribe regulations "setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution."

[FactsMatter]

And the Dept of Homeland Security just put a major spyware vendor on a privacy committee.

http://www.freerepublic.com/focus/f-news/1349961/posts

[SigPro2340]

Choicepoint freaking SUCKS. I got very bad info from them, and they were USELESS about it. I hope they shut down.

[1FASTGLOCK45]

Are these the same guys like the ones that have all the data on people when you go buy a home, like credit scores and stuff?

[Jambe]

There are three major credit reporting companies in the U.S. - Equifax, Experian formerly TRW) and Trans Union.

From the information I've heard ChoicePoint is a spin-off company of Equifax.

Headquartered outside of Atlanta, ChoicePoint employs approximately 5,500 people in nearly 60 locations. ChoicePoint shares are traded on the New York Stock Exchange under the symbol CPS.

Equifax is also located in Atlanta.

[the invisib1e hand]

Hello! Is anyone listening? Legislation must be crafted or modified to give ownership of all information unique to you, to you.

[1FASTGLOCK45]

WOW, Thanks for the 411!
i learned something new :)