The following text is copyright 2005 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Dumber decisions - Safer world?
By Scott Bradner
Hopefully by now Choicepoint has made enough dumb decisions to ensure that we get some useful national mandates requiring reasonable protection for data about people or at least requirements to tell us when some company holding such information screws up.
For those of you who did not see the news coverage, Choicepoint recently admitted to what is probably the biggest case of identity theft to date.
Choicepoint is a Georgia-based, rapidly growing company that offers a variety of data-related services ranging from pre-employment screening to direct marketing support. They claim that their databases include 19 billion records about people, their activities, and histories. Choicepoint recently admitted that they discovered last October that, for at least a year, more than 50 fake companies, operating out of Kinko's stores, had had full access to Choicepoint's data and apparently had made good use of the access.
For a company whose registered web site motto is "Smarter Decisions - Safer World" Choicepoint has been making some rather dumb decisions of late.
o Choicepoint's validation procedures for permitting access to their databases were clearly inadequate. Maybe they decided that it was too expensive to do things correctly, for example by visiting all companies before granting access.
o Choicepoint did not tell any of the people whose data was stolen that they were at risk for identity theft for almost 5 months. They said that it was the cops that did not give a hoot about warning people that their good names were in imminent danger and that the cops told Choicepoint not to tell anyone. Maybe, but Choicepoint's later actions indicate that they were not exactly eager to do what's right.
o When Choicepoint finally did admit that something had happened they downplayed it and said that the only people who were at risk were 35,000 or so Californians. Perhaps not coincidentally, California is the only state where people whose private information is exposed by such breaches of database security must be notified about the exposure. (See http://www.nwfusion.com/columnists/2004/102504bradner.html)
o Only after considerable pressure, including a letter from the attorneys general of 38 states demanding that people at risk in their states also be notified, did Choicepoint belatedly say that they would send letters to 110,000 additional people. (One wonders if the attorneys general of the other states think that identity theft is OK.) Since that expansion there have been news reports that the number of people whose data was accessed may exceed 500,000.
o Choicepoint includes information that it does not need to in the reports it provides. For example, it includes the social security number in its personal property and personal auto reports (samples of which are on their web page). I can understand that they might want to include an ability to look someone up using an SSN but I do not understand why one is needed in a report -- same for date of birth and a number of other fields -- unless they want to facilitate identity theft.
One good thing may come out of this fiasco: just maybe Congress will extend California's notice requirement nationwide. One thing that should happen but will not, unless some Congresscritters were in the exposed population, is to make companies like Choicepoint pay for any damage done by such lax processes.
Maybe Choicepoint's dumb decisions will wind up making this a little bit safer world.
disclaimer: Historians have (and will) say if Harvard makes dumb decisions but the above exploration and hope is mine not the university's.