Law Prompts Company To Disclose Data Breach - InformationWeek

Law Prompts Company To Disclose Data Breach

ChoicePoint to notify thousands more about identity-theft threat

In its privacy statement, ChoicePoint Inc. says it's "dedicated to protecting the privacy of individuals," which includes "strict standards regarding the use and dissemination of personal information."

Yet such dedication is exceeded only by the determination of identity thieves who, by setting up some 50 fictitious businesses, duped the data-aggregation company into granting them access to 145,000 consumer-data profiles it maintains among its store of roughly 19 billion records.

In Los Angeles County Superior Court last week, a Nigerian national who participated in the scheme was sentenced to 16 months in state prison. ChoicePoint was alerted to the breach in October. But some 35,000 California consumers didn't realize they were potential victims until they received a letter about the breach from ChoicePoint last week.

Disclosure of the incident was required under California's SB-1386, which took effect July 1, 2003. According to the law, any person or company that does business in California and owns electronic data that includes personal information is required to disclose any data security breach to California residents whose unencrypted personal information may have been accessed by an unauthorized person. While the extent of the fraud arising from the incident may not be known for months, ChoicePoint said it would send out 110,000 more notifications to individuals outside California.


ChoicePoint's privacy efforts didn't stop the actions of a large identity-theft ring.

THE CRIME: Identity thieves duped ChoicePoint into granting them access to 145,000 consumer profiles.

THE LAW: Disclosure of the incident was required under California SB-1386.

THE RESPONSE: ChoicePoint notified 35,000 Californians and will alert 110,000 consumers in other states.

THE IMPACT: California isn't alone. Massachusetts has a similar law, and Illinois is considering one.

"That's certainly good practice, and most responsible companies are going to do that, if for no other reason than to mitigate any damages that might result," says Kevin Lyles, partner in the privacy practice at law firm Jones Day. Another privacy-related law, the Health Insurance Portability and Accountability Act, requires organizations to ameliorate damages as a result of security breaches, and there are similar provisions in the Gramm-Leach-Bliley law, Lyles says.

ChoicePoint has since intensified its privacy efforts, a company spokesman says. "We're being much more stringent in our requirements about who customers are, and making them prove they're a legitimate business," he says.

The incident and its required disclosure should serve as a wake-up call to IT departments, says Randolph Kahn, a consultant in IT-related legal compliance issues. While ChoicePoint's IT systems weren't broken into, companies that do business in California would have to follow similar legal steps if a security breach resulted from unencrypted information or unsecured systems. "The only [entity] that can correct or prevent the problem is the IT department," Kahn says.

Consumers Union, a nonprofit testing and information organization that publishes Consumer Reports, is pushing for laws that would require all companies to inform customers nationwide of data breaches. "That will help consumers to protect themselves but also will create a business environment that encourages more investment in security," says Gail Hillebrand, senior attorney for Consumers Union.

Many oppose a legislative approach to the problem. California state Sen. Debra Bowen's effort last year to expand the data-breach notification requirement to cover disclosures of data in any form, not just electronic data, was voted down amid lobbying by business groups such as the California Chamber of Commerce and the American Electronics Association.

While data breaches often lead to calls for federal legislation, companies such as ChoicePoint already have a strong incentive to protect data, says Quinn Jalli, director of privacy and ISP relations at E-marketing company Digital Impact Inc. "As we saw with spam, legislation isn't going to solve the problem."
