This story appeared on Network World Fusion at
Dumber decisions - safer world?
By Scott Bradner
Network World, 02/28/05
I hope by now ChoicePoint has made enough dumb decisions to ensure that we get some useful national mandates that require reasonable protection for data about people. Or I hope we at least get requirements to tell us when some company holding such information screws up.
For those who didn't see the news coverage, ChoicePoint recently admitted to being struck by what is probably the biggest case of identity theft to date. ChoicePoint is a rapidly growing company in Alpharetta, Ga., that offers data-related services that range from pre-employment screening to direct marketing support. The company says its databases include 19 billion records about people, their activities and histories.
ChoicePoint recently admitted discovering last October that, for at least a year, more than 50 fake companies, operating out of Kinko's stores, had full access to ChoicePoint's data and apparently made good use of the access. For a company whose registered Web site motto is "Smarter Decisions - Safer World," ChoicePoint has made some rather dumb decisions of late.
• The company's validation procedures for permitting access to its databases were clearly inadequate. Maybe the company decided that it was too expensive to do things correctly - for example, by visiting all companies before granting access?
• ChoicePoint didn't tell any of the people whose data was stolen that they were at risk for identity theft for almost five months. The company said it was the cops who didn't give a hoot about warning people that their good names were in imminent danger and told ChoicePoint not to tell anyone. Maybe, but ChoicePoint's later actions indicate that it was not exactly eager to do what was right.
• When ChoicePoint finally admitted that something had happened, the company downplayed it and said that the only people who were at risk were 35,000 or so Californians. Perhaps not coincidentally, California by law is the only state where people whose private information is exposed by such breaches must be notified.
• Only after considerable pressure, including a letter from 38 state attorneys general demanding that people at risk in their states also be notified, did ChoicePoint belatedly say it would send letters to 110,000 additional people. (One wonders if the attorneys general of the other states think that identity theft is OK.) Since that expansion, there have been news reports that the number of people whose data was accessed might exceed 500,000.
• ChoicePoint includes information that it doesn't need to in the reports it provides - such as a Social Security number in its personal property and personal auto reports (samples of which are on the company's Web page). I understand the company might want to include the ability to look someone up using a Social Security number, but I don't understand why it's needed in a report - same for date of birth and a number of other fields - unless the outfit wants to facilitate identity theft.
One good thing might come out of this fiasco: Maybe Congress will extend California's notice requirement nationwide. One thing that should happen but will not, unless some Congress critters were in the exposed population, is to make companies like ChoicePoint pay for any damage done by such lax processes.
Maybe ChoicePoint's dumb decisions will wind up making this a safer world.
Disclaimer: Historians have said (and will say) if Harvard makes dumb decisions. But the above exploration and hope is mine, not the university's.