The Five Most Shocking Things About the ChoicePoint Data Security Breach

At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant.

Chapman feels fortunate not to count herself among the 750 people who ChoicePoint says have already become victims of identity theft due to the security breach. But she's seething about the fact that her information was inadequately protected by a company she'd never done business with. She's also mad about how difficult it was for her to sign up for the free credit monitoring service that ChoicePoint is giving all the victims for one yearnot that she thinks one year is long enough.

"I'm going to have to watch my back for the rest of my life," she says. "I'm angry that my rights as a citizen have been violated. I'm angry that a company is out there selling my personal information for monetary gain. Yes, I'm angry. I'm very angry. And I hope to heavens that everybody who's involved in this is just as angry as I am."

Virginia attorney Leonard Bennett of Consumer Litigation Associates is hoping that other victims are angry too. Along with 10 other attorneys in four states, Bennett is preparing to file a class-action lawsuit against ChoicePoint on behalf of citizens whose information was compromised in the breach. As of press time, in fact, nearly 20 class-action suits had been filed, according to the Los Angeles Times.

Meanwhile, the furor seems to have roused other beasts. A dormant 2003 negligence case against the Arizona-based TriWest Healthcare Alliance (more than 500,000 names with personal information stolen) may be sputtering back to life. Others lawsuits are sure to follow. Hard on the heels of the ChoicePoint incident came revelations of a security breach at a competitor, the Reed Elsevier subsidiary LexisNexis (310,000 names with personal information), in addition to news of a database break-in at shoe retailer DSW.

At ChoicePoint, damage control eventually kicked in. The company announced that it would "discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there is a specific consumer-driven transaction or benefit" or law enforcement purpose. Although the company has not been clear about exactly what this business change entails, executives were ostensibly shutting down some of the business and admitting that they simply couldn't reliably verify credentials for some small-business customers. That seemed cold comfort to the privacy community.

"My reaction isn't, 'Gosh, I'm glad to hear that,'" says consultant Richard Purcell, who is CEO of the Corporate Privacy Group. "It's, 'My God, why have you been doing that when there's no reason to?'"