In Depth
The Five Most Shocking Things About the ChoicePoint Data Security Breach
At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant.
By Sarah D. Scalet
Going forward, though, companies may not be so lucky in how they limit an investigation. The U.S. Federal Reserve Board has since announced new rules requiring financial institutions to notify customers "as soon as possible" if their personal information has been breached. A bill that Sen. Dianne Feinstein (D-Calif.) reintroduced to the Senate on Jan. 24, 2005, has been gaining traction. Similar to the California disclosure law, Feinstein's bill would require businesses and government agencies to notify individuals when there is a "reasonable basis to conclude" that a criminal has obtained their unencrypted personal data. The FTC supports this type of notification law, and also a possible expansion of the Gramm-Leach-Bliley Act, which currently affects how financial institutions protect their customers' privacy. Also, Sen. Bill Nelson (D-Fla.) is introducing legislation that would empower the FTC to regulate the information industry. Those are only the more prominent laws introduced on both the federal and state levels.
Cigna's Shumard expects some kind of national disclosure law as a likely outcome. "And if you have a couple other high-profile incidents while that legislation is being debated, that will have an impact," he says. The end result? The further we get from July 1, 2003, the longer the time span of an investigation will need to be
The SEC's Emergence as a Confession Booth
Consumers whose information was compromised in the scam weren't the only ones to hear the bad news straight from ChoicePoint. On March 4, 2005, in what may be a first for a publicly held company, ChoicePoint filed an 8-K with the Securities and Exchange Commission, warning shareholders that revenue would be affected by the fallout from the security breach, to the tune of an estimated $15 million to $20 million decline by Dec. 31, 2005, and another $2 million in expenses from the incident. A spokeswoman downplayed the disclosure, saying it was a routine SEC filing done because ChoicePoint was exiting one of its lines of business due to the security breach.
But the confession must have looked cathartic for Reed Elsevier, the London-based parent company of ChoicePoint competitor LexisNexis. Less than a week after ChoicePoint filed its 8-K, Elsevier filed a 6-K (the equivalent filing for a non-U.S. company), as a way of announcing its own news. The personal information of 32,000 individuals in its databases may have been fraudulently accessed in a similar scheme in which criminals stole legitimate business credentials. Elsevier sought to reassure shareholders: "The financial implications are expected to be manageable within the context of LexisNexis's overall growth." (Access both reports at www.csoonline.com/printlinks.)



