This is part one of a two-part column.
The privacy horror story business got a major boost in February courtesy of ChoicePoint. The story began when it was revealed that an apparent identity-theft ring fraudulently obtained access to ChoicePoint databases and put tens of thousands of individuals at risk. The story is remarkable for many reasons.
First, ChoicePoint handled the entire episode about as poorly as possible. The company knew that the story was coming for months, yet it violated nearly every basic principle of crisis public relations.
Instead of getting all the bad news out immediately, ChoicePoint let the story dribble out over days. The company changed its response more than once. Newspapers and national television news returned repeatedly to the story as developments prompted by ChoicePoint fumblings justified new coverage. The company even managed to turn a national story into a local one, compounding the damage even further.
The company previously did a great job promoting itself. It is amazing that it did so poorly in handling what has become a relatively ordinary privacy crisis. Any company with potential exposure should have a privacy crisis plan just in case. Any organization with personal data could be the target of the next horror story.
In fact, I thought that the incident came close to where a human sacrifice was needed to stop the bleeding. I am not talking about dropping virgins down volcanoes. The modern equivalent occurs, for example, when a political figure does something stupid, and the story resonates for days. The only way to stop it is for the figure to resign. Remember how Trent Lott’s obscure speech about Strom Thurmond ended up forcing his resignation as Senate majority leader?
I wonder whether ChoicePoint’s board of directors ever considered firing the CEO. The episode went on for so long and was handled so badly that the value of the company’s stock fell sharply. The Securities and Exchange Commission is even investigating the CEO for securities sales made before the scandal broke. However, we probably have moved beyond the human sacrifice stage because the demands for legislation will not be satisfied that way.
Second, ChoicePoint and other information brokers had been basking in a post-9/11 glow of business. Books and articles discussed and marveled at the business successes of the industry. Federal agencies have been throwing money at the companies. ChoicePoint may have fallen into the trap of believing its own press releases.
No one outside the privacy community took a critical look at the data broker industry. In December, long before the new crisis hit the papers, the Electronic Privacy Information Center filed a petition with the Federal Trade Commission asking for an investigation into whether ChoicePoint was operating in violation of the Fair Credit Reporting Act. I need to disclose here that EPIC asked me (among others) to comment on the petition before it was filed, and I did so.
EPIC argues that ChoicePoint and its clients perform an end run around the FCRA by selling personal information to law enforcement, private investigators and businesses without substantive or procedural privacy protections. You can learn more about the petition at www.epic.org. The FTC hasn’t acted on the petition, but now other dogs are howling. All the publicity brought the politicians into the story. They were “shocked” to learn that there were so many unregulated sellers of consumer data.
Third, the story highlighted a California law requiring organizations to notify consumers when a security breach in a computer system exposes personal information to unauthorized disclosure. The ChoicePoint incident triggered the law and, incidentally, triggered the initial publicity. Because the law applies only to consumers in California, ChoicePoint initially was willing to notify only consumers in California.
That incredibly stupid decision didn’t last long. It took about a second for everyone to recognize that consumers in California were getting assistance, but people in other states were not. ChoicePoint quickly agreed to notify everyone. However, the delayed decision just kept the story alive for another day, and that’s what created the local angle.
In the last Congress, Sen. Dianne Feinstein, D-CA, introduced a federal security breach notice law modeled on the California statute. The legislation languished, but is now a hot item. It’s hard for politicians to explain to their constituents why they don’t deserve the same protections as the folks in California. I expect a federal notice law to pass, though its terms remain to be fixed. The business community wants to use the opportunity to weaken the California law through preemptive federal action.
After a few days of continuing bad press, ChoicePoint also agreed to pay for a year’s worth of credit watch services for all affected consumers. That was the first time in the whole incident where ChoicePoint did something new, unexpected, praiseworthy and affirmatively useful to victims.
But by trying to look good, ChoicePoint also raised the bar for other companies facing the same type of personal information disclosure problems. In the future, if a company’s actions put consumers at risk for identity theft, that company will be asked to provide the same credit watch service or to explain why not. Further, it could well become a mandatory item in a federal notice bill.
I am out of space but not out of issues. Next time I’ll discuss ChoicePoint more.