ChoicePoint Error Prompts Calls for Identity Theft Law

Computerworld - A variety of privacy groups and U.S. Sen. Dianne Feinstein (D-Calif.) are renewing calls for a national privacy law in the wake of news that data collector ChoicePoint Inc. mistakenly gave private information on up to 145,000 U.S. residents to identity thieves.
Alpharetta, Ga.-based ChoicePoint this month reached an agreement with 19 state attorneys general to tell potential victims that thieves may have gained access to personal information such as Social Security numbers and credit reports .
Potential victims live in all 50 states, the District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands.
The ChoicePoint problem points to the need for a national privacy law, said the Electronic Privacy Information Center (EPIC) and the Center for Democracy and Technology (CDT).
For most U.S. companies, only a 2003 California law requires identity theft notification.
"There certainly is agreement that we need better notification, exactly because of cases like this," said Ari Schwartz, associate director at the CDT.
Feinstein has also called for congressional hearings on privacy legislation she introduced this year. Feinstein's Notification of Risk to Personal Data Act would require businesses and government agencies to notify likely victims when there is a "reasonable basis to conclude" that a criminal has obtained unencrypted personal data.
Legislative Prospects
Feinstein's bill lacks co-sponsors, and a similar bill of hers went nowhere in Congress in 2004. "Moving any bill is always a difficult prospect, but now more people are coming to an understanding of the issue of identity theft," a Feinstein spokesman said.
Schwartz and Marc Rotenberg, EPIC's president, questioned whether ChoicePoint would have notified potential victims at all without the California identity theft law. "They've been reckless with people's information," Rotenberg said of ChoicePoint.
David Bernknopf, a ChoicePoint spokesman, disagreed. The company first notified the sheriff's office in Los Angeles County in October of the possible data leak because it believed the leak started there, he said. It's still not clear how the thieves got access to ChoicePoint's data, Bernknopf said.
Authorities believe a group of people used IDs stolen from legitimate businesspeople to set up phony businesses that contracted with ChoicePoint for identity checks, he said.
Gross writes for the IDG News Service.

Read more about privacy in Computerworld's Privacy Knowledge Center.