ChoicePoint Discloses Federal Probes In Data Scandal
ChoicePoint says federal authorities have begun inquiries into last year's theft of personal data affecting tens of thousands of consumers in 50 states.
ChoicePoint Inc. on Friday said federal authorities have begun inquiries into last year's theft of personal data affecting tens of thousands of consumers in 50 states, as well as recent trading in company stock by two of its top executives.
In addition, the Alpharetta, Ga., company that keeps records on nearly every U.S. citizen said it would no longer sell information that contained Social Security numbers, driver's license numbers and other sensitive consumer data. Exceptions included cases where there was a "specific consumer-driven transaction or benefit," or where the information was being used by law enforcement or federal, state, or local governments.
In a disclosure report filed Friday with the Securities and Exchange Commission, ChoicePoint said it had received notice that the SEC was conducting an "informal inquiry" into the circumstances surrounding last fall's identity theft. In addition, the federal agency was looking at recent trading in ChoicePoint stock by chief executive Derek Smith and Chief Operating Officer and President Doug Curling.
Company officials declined to discuss the stock inquiry, beyond a brief statement issued by ChoicePoint Friday.
"In November 2004, Mr. Smith and Mr. Curling adopted plans that provided for prearranged sales of stock over a six-month period," the statement said. "These plans are typical for senior executives of public companies and the plans were approved by the company's board of directors."
ChoicePoint also said the Federal Trade Commission was conducting a separate investigation into the company's compliance of federal laws governing consumer information security and related issues.
"In particular, the FTC has asked for information and documents regarding our customer credentialing process and the recent incident in Los Angeles," the company filing said.
ChoicePoint said it was cooperating with both agencies. Company officials weren't immediately available for comment.
ChoicePoint discovered in October that fraud artists in Los Angeles County posing as legitimate businesses received consumers' names, addresses, Social Security numbers and credit reports. The company in late February sent out 145,000 notifications to residents in 50 states whose personal information may have been sold to the con artists. The total included 35,000 notifications to consumers in California, which is the only state that requires notification in cases of identity theft.
Law enforcement officials have identified at least 750 consumers nationwide who have found that some attempt has been made to compromise their identities, as a result of the theft, ChoicePoint said.
In conning the company, the fraud artists used stolen information to set up businesses that looked legitimate when checked by ChoicePoint, the company said. The fraudulent companies opened 50 accounts and requested thousands of personal and financial records, which were sent either over the Internet or by mail.
In a plea bargain, a Nigerian national arrested in a sting operation in October has been found guilty in the case and sentenced to 16 months in prison.
On tightening the sale of sensitive consumer data, ChoicePoint said the new rules would affect primarily small businesses and cost the company between $15 million and $20 million in 2005 revenues. Earnings were expected to be reduced by 10 cents to 12 cents a share.
Under the new criteria, sensitive consumer data would be sold in cases where it was needed in consumer-driven transactions, such as for insurance purposes, employment and tenant screening; or if consumers were seeking access to their own data. The information also would be available to large, accredited corporate customers that use the information for identity verification, customer enrollment, insurance claims and other transactions stemming from existing relationships with consumers.
Adoption of the new criteria would be completed within 90 days, ChoicePoint said. In addition, the company said it was in the process of strengthening its customer credentialing procedures, and was re-credentialing "broad segments" of its customer base, including all small-business customers.
The company also disclosed in its SEC filing that it is the defendant in two separate lawsuits filed last month in Los Angeles. The first filed in state Superior Court alleges that the company violated California law in the latest fraud case and seeks unspecified damages.
The second suit, filed in U.S. District Court, accused the company of violating the federal Fair Credit Reporting Act, various California laws and the privacy rights of the plaintiffs. The suit seeks to prevent the company from disclosing consumer information improperly and to require the company to allow the plaintiffs to be excluded from ChoicePoint databases. The suit seeks damages up to $1,000 for each FCRA violation and unspecified punitive damages.
ChoicePoint said it planned to fight both suits.
In related news, the Associated Press reported this week that the latest case was not the first time ChoicePoint had been tapped by identity thieves. The news agency reported that a Nigerian brother and sister had duped the company in 2002 to make 7,000 to 10,000 inquiries on names and Social Security numbers in the company's database. The information was used to commit at least $1 million worth of fraud, a federal prosecutor in Los Angeles told the AP. Both suspects were arrested and pleaded guilty in the scam.
ChoicePoint provides personal and financial data on consumers mostly to businesses, government agencies, nonprofit organizations, law enforcement, insurance companies and financial institutions. The company has about 19 billion public records in its databases.
Experts say identity theft is the fastest growing crime in the U.S., with more than 9.9 million victims in the U.S. last year, according to the AP. The U.S. Postal Inspection Service estimates the cost of the crimes at $5 billion.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.