In its privacy statement, data-aggregation company ChoicePoint Inc. says that it is "dedicated to protecting the privacy of individuals," which includes "strict standards regarding the use and dissemination of personal information."
Yet such dedication is only exceeded by the determination of identity thieves who, by setting up some 50 fictitious businesses, duped the company into granting them access to 145,000 consumer-data profiles it maintains among its store of roughly19 billion public records.
In Los Angeles County Superior Court last week, a Nigerian national who participated in the identity-theft scheme was sentenced to 16 months in state prison. ChoicePoint was alerted of the breach last October. But some 35,000 California consumers didn't realize they were potential victims until they received a letter about the breach from ChoicePoint last week, per California law.
Disclosure of the incident was required under California's SB-1386, which took effect July 1, 2003. According to the law, any state agency, person, or business that does business in California and owns or licenses electronic data that includes personal information, is required to disclose any data security breach to California residents whose unencrypted personal information may have been accessed by an unauthorized person.
While the extent of the fraud arising from the incident may not be known for months, ChoicePoint said it would send out 110,000 more notifications to individuals outside California.
"That's certainly good practice and most responsible companies are going to do that, if no other reason than of mitigating any damages that might result," says Kevin Lyles, partner in the privacy practice at law firm Jones Day. Lyles says another privacy-related law, the Health Insurance Portability and Accountability Act, requires organizations to mitigate any damages as a result of security breaches, and there are similar provisions in the Gramm-Leach-Bliley law.
Gail Hillebrand, senior attorney for Consumers Union, a nonprofit testing and information organization that publishes Consumer Reports, suggests such provisions aren't enough. "This is a reminder to all consumers how insecure our personal financial information is when it's held by someone else who makes their own decisions about how much to spend on security," she says. "It highlights the need for consumers to have additional rights to protect themselves, particularly the need for state security freeze laws."
A security freeze lets a consumer prevent people or businesses from accessing a credit reports for the purpose of granting credit. In turn, it prevents identity thieves from accessing a credit report.
Currently, Hillebrand says, freeze laws are being considered in 11 states: Colorado, Connecticut, Hawaii, Illinois, Indiana, Maine, Maryland, Massachusetts, Oregon, Utah, and Washington. California, Louisiana, Texas, and Vermont already have passed some form of freeze law.
Consumers Union is pushing for federal laws that would require all companies to inform customers nationwide of data breaches. "We think that will help consumers to protect themselves but also will create a business environment that encourages more investment in security," says Hillebrand. Massachusetts already has a disclosure provision similar to California's, and Illinois may be next.
Yet many oppose a legislative approach to the problem. California state Sen. Debra Bowen's effort last year to expand the data-breach notification requirement to cover disclosures of data in any form, not just electronic data, was voted down amid lobbying by business groups such as the California Chamber of Commerce and the American Electronics Association.
Quinn Jalli, director of privacy and Internet service provider relations at E-marketing company Digital Impact Inc., says that that while data breaches often lead to calls for federal legislation, companies such as ChoicePoint already have a strong incentive to protect their data. "As we saw with spam, legislation is not going to solve the problem," Jalli says.
"This obviously means companies need to do a better job with their information security," Lyles says. "But having a law that says to do that doesn't really help. The problem is technology, and the ability of hackers is moving faster than some companies can move to keep information secure."
Laws don't dictate what companies need to do from a security standpoint, Lyles says. "Almost all the laws that I've seen just say you'll take reasonable security precautions," he explains. "It very well could be that ChoicePoint was using reasonable precautions and that wasn't good enough. The real key is what you do after it. And I think the lesson here for companies is if you have a breach you know about, whether you have a [disclosure] law in the state or not, you ought to let individuals know."
ChoicePoint could not be reached for comment regarding the data breach.
Last year, according to the Federal Trade Commission, consumers reported fraud losses of more than $547 million. Internet-related fraud accounted for 53% of all reported fraud complaints. According to the Better Business Bureau, 9.3 million Americans were victims of identity-theft fraud in 2004.