ChoicePoint Breach Prompts New Federal BillsAs the fallout from identity thieves accessing consumer data from ChoicePoint Inc. continues, two federal bills prompted by the security breach were introduced yesterday in the Senate and House of Representatives. Each would create new fair information practices and require information brokers to provide consumers with individual access to personally identifiable information and the right to correct information, among other provisions.
Sen. Bill Nelson, D-FL, introduced the Information Protection and Security Act, which also would require the Federal Trade Commission to devise and enforce rules for data brokers regarding security and customer screening. In a Feb. 18 letter to FTC chairwoman Deborah Majoras, Nelson addressed the ChoicePoint situation specifically and asked for a meeting with the commission.
Rep. Edward Markey, D-MA, introduced the legislation in the House.
If the legislation is enacted, the FTC would be required to issue the new rules in six months.
ChoicePoint, Alpharetta, GA, houses billions of data points on businesses and nearly every adult in the United States.
The company realized in October that some requests for names, Social Security numbers and other information it filled might have been fraudulent. Since then, the company and law enforcement have discovered nearly 50 bogus accounts posing as legitimate businesses. After an investigation, the company was cleared in late January to notify California consumers, as required by law in the state, that their information may have been accessed.
ChoicePoint initially confirmed that data on 35,000 California consumers might have been accessed, but on Feb. 16 the company said that another 110,000 letters would be sent nationwide involving the fraud. As of late February, 750 consumers had been confirmed as directly affected.
Prior to the introduction of Nelson's bill, Sen. Dianne Feinstein, D-CA, offered legislation Jan. 24 for a federal law that would give consumers nationwide the same protection Californians have when their data are accessed mistakenly. The law would require mandatory notification when sensitive data are breached.
Lawmakers in several states, including Georgia, New Hampshire, New York and Texas, are also considering such legislation. Several states are looking at legislation that would let consumers put security freezes on their credit reports to prevent access.
Though the chairman of the Senate Judiciary Committee, Arlen Specter, R-PA, said Feb. 24 that the committee would hold a hearing on identity theft and information brokers, his press office said such a hearing had not been scheduled as of yesterday.
Also, a Los Angeles Times report March 2 said the current breach was not the first ChoicePoint had suffered. Two people were charged in 2002 with accessing records of at least 7,000 people through ChoicePoint by setting up accounts with fake identification in 2000, according to the Times.
The two people arrested in 2002 were Nigerian-born. The Times story said Bibiana Benson pleaded guilty to one felony count of unlawful use of identification in September 2002 and was sentenced to 54 months in prison. Her brother, Adedayo Benson, pleaded guilty to three felony counts of use and attempted use of fake credit cards in November 2004 but has not been sentenced yet.
Though no law was in place at the time that would have required ChoicePoint to notify the consumers who had their data accessed, the disclosure of the previous data breach likely will arise during Senate hearings.
In response to the revelation of the earlier disclosure of data, ChoicePoint issued a statement March 2 highlighting the recredentialing process it is undertaking as a result of the identity thieves as well as steps it has taken to mask or truncate sensitive personal information such as Social Security numbers and date of birth in its small business segment.
Though the firm did not directly address the previous breach, the statement also said, "As in the Los Angeles incident, we occasionally notify law enforcement of suspicious activities related to customer enrollment and other customer activities. We also occasionally receive subpoenas and other inquiries from law enforcement regarding activities of our customers, which may be related to, or may be completely unrelated to the company's business relationships with customers. In some cases, we may never learn the purpose or conclusions of these investigations."
In the more recent case, one arrest of a Nigerian man was made in October 2004. In late February, Olatunji Oluwatosin pleaded no contest to creating a ChoicePoint account with a stolen identity and was sentenced to 16 months in prison.
Other developments in the ChoicePoint saga include several paid search engine ads for class action lawsuits against the firm as well as identity theft information and services.
One ad that appeared on a Google Web search under the keyword "ChoicePoint" was for www.classcounsel.com and said, "Did you buy your Choicepoint stock while its CEO was selling his?" The link takes users to a site for class action law firm Green Welling LLP and claims that the firm is investigating what it describes as the claims of securities fraud against ChoicePoint. It also asks visitors who bought ChoicePoint stock between Nov. 9 and Feb. 15 to submit their transaction histories.
Questions were raised in late February about two ChoicePoint executives' stock sales that occurred before the recent data breach was made public. CEO Derek Smith and president Douglas Curling made $16.6 million from selling shares of the company's stock after the discovery of the breach in October, but before public notification began in late January.
The company defended Smith's and Curling's actions in a Feb. 28 statement.
"Articles published recently raise questions about the pre-arranged stock trading plans of ChoicePoint chairman/CEO Derek Smith and president/COO Doug Curling," the statement said. "The record is not only clear, it is public. In November 2004, Mr. Smith and Mr. Curling adopted plans that provide for pre-arranged sales of stock over a six-month period. These plans are typical for senior executives of public companies and the plans were approved by the company's board of directors."
Two other ads on Google and one on Yahoo were for class action lawsuits for consumers who received a letter from ChoicePoint informing them that their data had been accessed. Though at least one such lawsuit was reportedly filed, ChoicePoint said it was not the company's policy to comment on litigation.
Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters