ChoicePoint to tighten data access after ID theft

It promised a 'vigorous re-credentialing' of companies that buy data

As ChoicePoint Inc. continues this week to notify some 145,000 consumers of possible identity theft after it sold consumer information to fraudulent businesses last year, the company said it's beginning to double-check its existing clients to ensure they are legitimate businesses.

In an announcement yesterday, the Alpharetta, Ga.-based personal information vendor said it's undergoing a "rigorous re-credentialing of broad categories of customer accounts," as well as making changes that include masking or truncating sensitive personal identifier information, such as Social Security numbers and driver's license numbers.

ChoicePoint said that most of the fraudulent activity occurred in its small-business public-record products and that all customers using the information will now be subject to the new data restrictions and recredentialing efforts.

A ChoicePoint spokesman couldn't be reached today.

Last week, the company agreed to notify 145,000 consumers whose personal information may have been stolen by identity thieves posing as ChoicePoint clients who purchased the data through legitimate channels (see story).

The company said it began to detect possible fraudulent activity in several small-business accounts in the Los Angeles area last October. The Los Angeles County Sheriff's Department began an investigation and asked the company to delay notifying consumers so it could continue its investigation, ChoicePoint said. The company was told late last month that it could begin notifying consumers of the potential fraud.

ChoicePoint initially believed that about 35,000 consumers in California were the only ones affected.

According to the company, fraudulent customers used "stolen identities to create and produce the documents [they] needed to appear legitimate." Among the information obtained from ChoicePoint were names and addresses of consumers, Social Security and driver's license numbers, abbreviated credit reports and other information such as bankruptcies, liens and property records.

After authorities notified ChoicePoint that consumers in other states might have been affected, prompting the company to mail out another 110,000 warning letters to residents across the U.S.

Consumer advocates say the incident shows that government oversight is needed to protect consumer information.

Beth Givens, the director of the San Diego-based Privacy Rights Clearinghouse, said that while some of ChoicePoint's stored consumer data is protected by the federal Fair Credit Reporting Act -- including tenant, insurance and employment information -- other key personal information isn't protected by federal laws.

"This is an industry that has been allowed to develop and grow with almost no oversight by the government," Givens said. "This is a wake-up call for all individuals, whether or not they got those [fraud alert] letters" from ChoicePoint. "I do think we need higher standards enforced in law for security and transparency. I do think we'll see more of this along those lines."

In an open letter to ChoicePoint CEO Douglas Curling, the Washington-based Electronic Privacy Information Center asked the company to go even further than it has.

"ChoicePoint should send letters to all people affected and allow them to obtain copies of their files and find out all of the info ChoicePoint has about them ... for free by making just one request," wrote EPIC President Marc Rotenberg.

"Given the recent developments, it is obvious that ChoicePoint should provide consumers with the information that you provided to [the] criminals" so consumers can ensure that their records are correct, he wrote. "We also urge you to disgorge the funds that you obtained from the sale of the data and make these funds available to the individuals who will suffer from identity theft as a result of this disclosure. At the very least, you could make these funds available to individuals who may be at heightened risk of identity theft so that they can obtain copies of their credit reports."

Rotenberg said in his letter that the "recent security breach demonstrates the profound importance of having the Choicepoint AutoTrackXP and Customer Identification Programs databases regulated by the Fair Credit Reporting Act."

Copyright © 2005 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon