


by Jon Surmacz

Should Companies Be Required to Break the Silence?

Mar 01, 2005 (3 mins)
CSO and CISO, Data and Information Security

In October 2004, ChoicePoint, the Alpharetta, Ga. company that collects consumer information and sells it to third parties (such as banks, the federal government and landlords), discovered that it was the victim of a fraud. Several frauds, in fact.

Over the course of a year, scammers duped ChoicePoint by setting up 50 fake merchant accounts, which were used to obtain personal information (Social Security numbers, names, addresses, phone numbers and so on) of consumers in ChoicePoint's databases. Scammers then used this information to commit other frauds, such as setting up fake credit card accounts or buying goods under assumed names. All told, the personal information of up to 145,000 consumers may have been exposed in the fraud. ChoicePoint announced this bombshell two weeks ago.

According to the Los Angeles Times, ChoicePoint began notifying 35,000 California residents on Feb. 15, per state law, that their data may have been compromised. At that time, the company announced no plans to notify some 110,000 residents in other states whose data also may have been compromised, because no law compelled it to do so. A day later, ChoicePoint had changed its tune and said that it would, indeed, begin notifying everyone whose data may have been affected by the breach.

As of this writing, the Los Angeles County Sheriff's Department has identified 750 people whose personal data had actually been used to commit fraud. On Feb. 17, one man, Olatunji Oluwatosin of North Hollywood, a 41-year-old Nigerian national, pleaded no contest to a charge of felony identity theft in connection with the ChoicePoint scandal. He will serve 16 months in California prison.

ChoicePoint says it waited nearly four months to announce the breach because law enforcement, fearing that the publicity might impede the investigation, instructed it to do so. But the Los Angeles Times reports that at least one law enforcement source said he told the company as early as November to begin notifying the potential victims in California. On Feb. 23, a California woman filed a lawsuit against ChoicePoint for fraud and negligence in its handling of the breach.

The event has touched off a debate in Washington about consumer privacy. Sen. Arlen Specter (R-Pa.) has said that the Senate Judiciary Committee will hold hearings on the ChoicePoint scandal, and Sen. Dianne Feinstein (D-Calif.) has sponsored a bill that would essentially extend California's law to cover the entire nation.

Does ChoicePoint's silence speak volumes about corporate use of consumer data? Tell us what you think. Do we need a federal law that requires companies to notify every consumer whose data may have been compromised?