Jan. 26, 2006 -- The shaky security surrounding companies that aggregate U.S. consumers' personal and credit information has stoked fears of identity theft, and today one of the biggest companies, ChoicePoint Inc., paid the price for a breach in its security. The Federal Trade Commission announced that ChoicePoint would pay $15 million to settle charges it violated consumer privacy rights and federal laws.
When ChoicePoint announced last year it had informed more than 30,000 Californians that their personal and financial information had been compromised by thieves who had accessed the company's database, alarms went off for the consumers affected. But many privacy advocates were far from shocked.
ChoicePoint is a Georgia-based data collection firm that compiles personal and credit information about individuals and then sells access to its database to government agencies and businesses. Under California law, data collection companies like ChoicePoint must notify the state's residents when security breaches involving their personal data occur. In October 2004, the company discovered that identity thieves masquerading as legitimate corporations were given access to the Social Security numbers, credit reports, and personal information of thousands of Californians.
The company sent out about 35,000 notification letters last February, and ChoicePoint later sent letters to an additional 110,000 consumers who might have been affected, including some outside of California.
"We take this very seriously. We're not trying to shy away from it," ChoicePoint spokesman James Lee said last year after the notification letters were initially sent out.
The personal records of 145,000 consumer were potentially compromised, according to a settlement agreement announced today by the FTC. The settlement includes a $10 million fine and an additional $5 million in compensation to be paid to consumers.
Though most consumers follow guidelines to protect sensitive information like banking and credit card account numbers, anyone is susceptible to an incident like the ChoicePoint fraud, privacy experts say.
"Ultimately, this is a good example of the unfortunate situation that there really is no way an individual can prevent theft," said Beth Givens, director of Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego. "They can reduce risk by doing all those things we tell them to do. But you can't prevent identity theft -- you can only reduce your risk."
Everyone Is a Potential Victim
Even consumers who are diligent with their credit information and shred potentially dangerous documents are susceptible when outside companies like ChoicePoint are breached. But most consumers have no idea that companies like ChoicePoint exist, a cause of much concern for privacy experts.
"The approach we take to identity theft is to put the burden on consumers to take steps to prevent it," said Daniel Solove, a professor at the George Washington University School of Law and a board member with the nonprofit Electronic Privacy Information Center. Solove recently published a book on the implications of living in a digital society that creates dossiers on every citizen.
"The real reason we have identity theft is because businesses are irresponsible with their security for identity information. The system by and large shuts consumers out and leaves them no recourse to do anything once they've been a victim," he said.
Solove and others would like to see the California law enacted nationwide. Pam Dixon of the World Privacy Forum, a nonprofit privacy watchdog group in San Diego, has tracked ChoicePoint's business for nearly two years and said this week's announcement was not surprising to her.
Dixon is concerned that the company stores details that are much more personal than credit information, and that consumers are completely ignorant about how such information can be accessed.
"We're not talking about just credit reports here, we're talking about consumer report histories. That can include things like your criminal history, purchasing history, your Social Security number, your neighbors' names," Dixon said. "It's really random stuff, and it's very rich data about every aspect of your life."
ChoicePoint said the only information compromised in the 2004 fraud included addresses, Social Security numbers, and the possibility that thieves could request credit reports on individual consumers. ChoicePoint also said that audits were performed on all background checks to make sure they were being done legally.
"One of the main questions people have always asked about ChoicePoint is: 'What is their auditing process?'" Dixon said. "They need to come forward with exactly what they're doing to stop this from happening."
Immediately after the announcement of the security breach, ChoicePoint's Lee said the company had taken measures to improve security.
"I can't give details, but we have made immediate changes to the customer process and we've strengthened the vetting process," he said. "What we have to realize is that these are bright, smart people who wake up every day looking for better ways to commit fraud, and we have to do the same thing."
Security and Transparency
The California law does not go far enough for many privacy experts, who say data collection agencies like ChoicePoint should be held to higher standards of security and transparency. Many were concerned with the lag time between the fraud in October 2004 and the sending of notification letters in February 2005.
ChoicePoint said the four-month lag was due to an agreement with the Los Angeles Sheriff's Department that no one would be notified until the investigation was complete.
Hoping for More Attention
Privacy advocates hope this incident will be a turning point in the struggle to draw the public's attention to the dangers of identity theft.
"This is the Exxon Valdez of privacy. This is a lot of people who have had information leaked, so hopefully it will get the ball rolling," said the World Privacy Forum's Dixon, referencing the oil tanker spill that turned public attention toward oil companies' safety procedures.
She said people should be aware of the activities of data collection firms and take a more active role individually to ensure their safety. She suggested that people request, by mail, a copy of their credit reports from credit reporting agencies. She also said it's wise for consumers to contact ChoicePoint directly and attain a copy of their consumer report, which may have more wide-ranging information than a credit report.
For its part, ChoicePoint has advised the consumers affected by the security breach to take steps that will help detect signs of identity theft. The company suggested requesting a credit report and checking to make sure no new accounts have been opened and existing accounts have not seen any unauthorized activity. Consumers can also request a free fraud alert from credit reporting companies that would require notification for any changes to a personal credit report.