In Depth

The Five Most Shocking Things About the ChoicePoint Data Security Breach

At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant.

By Sarah D. Scalet

As part of its effort to reassure the public that it would prevent future fraud, ChoicePoint quickly announced that it was creating an office of credentialing, compliance and privacy that would report directly to the board of directors' privacy committee. "Recent events where criminals were able to become customers have led us to take this strong action in order to regain the trust of consumers that their information is being used only for their benefit, or the benefit of society at large," said privacy committee chairman John Hamre in a written statement. To lead that effort, the company needed to hire a privacy officer who would do more than just sign letters.

Starting on May 2, Carol A. DiBattiste, previously deputy administrator of the Transportation Security Administration, will be ChoicePoint's first chief credentialing, compliance and privacy officer.

The Limited Scope of the Disclosure

By now, everyone knows about California state law SB 1386, which went into effect on July 1, 2003. It requires businesses to inform residents if their unencrypted personal information—including name along with either driver's license number, Social Security number, or credit card or banking information—has been compromised. This is the law that brought light to the ChoicePoint breach. But what few people have realized is how narrowly that light was cast.

ChoicePoint originally began notifying some 35,000 California residents that their information had been involved in the scam. That wasn't good enough for the attorneys general in 38 other states, who demanded that the company notify all affected U.S. citizens. ChoicePoint quickly announced that more than just California residents had been affected after all, and that the company would send letters to consumers in all 50 states.

But even this broader notification process had a hitch. The figure of nearly 145,000 people nationally whom ChoicePoint identified as affected was based on an investigation that went back only as far as the date the law took effect. According to public records filed by ChoicePoint, the company investigated "unauthorized access to our information products on or after July 1, 2003, the effective date of the California notification law."

This seems like the final straw for Beth Givens, director of the Privacy Rights Clearinghouse, a national consumer advocacy organization. "What a negligent company," she says, her voice falling, when she hears about the limitations of the ChoicePoint investigation.

When asked about the scope of the investigation during a Congressional hearing, CEO Smith stated (without much detail) that an "aggressive" investigation is still under way.
