ChoicePoint: More Than 145,000 Victims?
posted by Daniel Solove
ChoicePoint just won’t be outdone. They were, after all, the company that started all the extensive attention on data security breaches. Back in February 2005, ChoicePoint announced that it had improperly sold personal data on about 145,000 people to identity thieves. Pursuant to a California data security breach notice law, ChoicePoint notified the affected individuals in California. Soon afterwards, many states started thinking: Geez, we’d like our citizens to be informed too. They put up a fuss, and ChoicePoint voluntarily agreed to notify all of the 145,000 people it said were affected. Many states subsequently passed data security breach notification laws similar to California’s.
After ChoicePoint’s announcement came a barrage of announcements of security breaches by numerous companies and institutions. According to a very useful listing and tally by the Privacy Rights Clearinghouse, data security breaches have affected over 50 million Americans (there may surely be some double-counting here, as some unlucky folks may have been affected multiple times).
Now ChoicePoint has announced that it has notified another 17,000 people that their personal data was compromised in the breach announced in February. According to the AP:
ChoicePoint Inc., the company that disclosed earlier this year that thieves had accessed its massive database of consumer information, said Tuesday in a regulatory filing it has sent out another 17,000 notices to people telling them they may be victims of fraud.
The Alpharetta-based company had said in February, after announcing the breach, that it had notified roughly 145,000 consumers that they may have had their personal information improperly accessed.
That number has now increased to 162,000, ChoicePoint said in its quarterly report to the Securities and Exchange Commission. The filing did not detail reasons for the increase, though the company had previously said the number could ultimately be higher.
Related Posts:
1. Solove, Free Credit Reports: My Exciting Adventure (Concurring Opinions) (October 2005)
2. Solove, Notice Much Delayed: The FDIC Security Breach (PrawfsBlawg) (June 2005)
3. Solove, Data Security Breach Supersized: 40 Million People Affected (PrawfsBlawg) (June 2005)
4. Solove, Data Leaks: Déjà Vu All Over Again (PrawfsBlawg) (June 2005)
5. Solove, Tallying Up Data Security Breaches (PrawfsBlawg) (May 2005)
Posts on Identity Theft:
1. Solove, Youngest ID Theft Victim? (PrawfsBlawg) (July 2005)
2. Solove, Why Identity Theft Isn’t Pretty (PrawfsBlawg) (July 2005)
3. Solove, Identity Theft Fears and Online Shopping (PrawfsBlawg) (June 2005)
4. Solove, Identity Thief Professors (PrawfsBlawg) (June 2005)
November 9, 2005 at 12:35 pm
Posted in: Privacy
Print This Post
Responses (6)
Jim Harper - November 10, 2005 at 11:01 am
Isn’t the relevant datum how many people have suffered some harm or loss? I find the Privacy Rights Clearinghouse collection interesting, but not particularly useful.
Shortly after the orignial ChoicePoint revelation, I heard that something like 700 or 1,000 people were victimized by identity fraud as a reault. That makes 144,000 people – now 161,000 – who were not, or about whom we don’t know.
I would resist calling people to whom nothing has happened “victims“.
Jim Harper - November 10, 2005 at 11:03 am
original
result
Honest, I know how to spell . . . .
Daniel J. Solove - November 11, 2005 at 12:16 am
Jim,
Isn’t there a harm in being exposed to a greater risk of future harm? So if a person is exposed to radiation, increasing his risk of cancer by a non-trivial amount, do we say that he is not harmed at all? The people whose information was leaked are indeed worse off. There is a harm here even though the people are not victimized by identity theft.
Jim Harper - November 14, 2005 at 11:13 am
Having gone back to the law books, I have to admit having been slightly imprecise with language. I used “harm” to denote injury or damage. The word “harm” does appear to include metaphysical detriments like being placed at greater risk of some adverse event.
The question I’m trying to get at (and I’ve assumed we’re working on because this is a law blog, not a philosophy blog) is when liability should accrue.
I would be very careful about equating (I would argue conflating) risk and harm (in the injury/damages sense). Try applying elsewhere the general principle that creation of ‘non-trivial’ risk is a legally cognizable harm: I would have a cause of action against hundreds of drivers every week, and they against me.
I reacted to your characterization of the people about whom data has been lost or leaked as “victims.” I think the barriers around the meaning of the word have fallen away if each person exposed to a risk is a victim.
[I spell-checked this before posting in hopes of avoiding the humiliation of finding errors after posting again. ;-]
Daniel J. Solove - November 14, 2005 at 12:51 pm
Jim,
Based on things you’ve said here and elsewhere, here’s how I understand your basic view as to how to address privacy and security issues:
1. You’d eliminate regulation and move to a common law tort model to address data security and privacy harms.
2. You’d only recognize liability when there’s a “harm,” which consists of an actual identity theft or fraud, not being exposed to a greater risk.
Here are the problems I see with your view:
1. Your common law tort model would be hard to work because harm often doesn’t materialize immediately after an information leak. Information gets out there and it could be years before an identity theft occurs.
2. People are certainly worse off after their information is leaked. They may also feel anxiety about the increased risk of identity theft and fraud. Is there anything in your solution to make them whole again or to address their being worse off? If the system doesn’t deter behavior that causes leaks (but ones that don’t clearly result in “harm” as you define it), then how will it deter companies from making people worse off in this way?
3. Even in the event of an identity theft, it is very hard to prove causation. There are many sources of personal data — how do we know an identity theft was caused by info leaked by a particular company? Does the identity thief’s actions break the chain of causation? With such difficulty in establishing causation, can a tort regime be effective?
4. The damages from each identity theft victim are not likely to be gigantic. They will often be relatively insignificant for companies like ChoicePoint. The difficulty in proving causation might make tort cases relatively rare, and with small damages for each one. Thus, there’s little of an incentive for companies to exercise better care. How do you address this issue?
5. What is the duty owed to particular people when companies maintain their data? There must be a duty before there’s tort liability.
6. Quite frankly, I fear that your tort solution, definition of harm, and call for curtailing regulation is really a big boon for the companies that faciliate identity theft. My guess is that companies would just love your position — it seems like it is tailor made for companies that want to avoid liability. You’re basically attacking regulation and move toward a tort solution — and it remains very dubious whether your tort solution will be more effective if not much much worse in protecting the consumer. I’m not adverse to using torts, but I’d very much like to see you develop your tort solution into something more meaningful — to demonstrate how it might work, how it will have teeth, how it will more effectively address the problems. It’s easy to say “less regulation; let’s stick with common law torts,” but I’m unconvinced unless you develop this more. I know that you’re advancing your tort solution in good faith, but without elaboration on these issues, it appears as little more than a clever strategy to help out the companies.
Jim Harper - November 14, 2005 at 1:24 pm
These are great questions, and they do need more thorough answers. Hopefully, I can turn to that for my next project. (Currently finishing a book, out mid-next year, on identification – which you’re gonna love!)
I will respond to the tweak in your last sentence: If someone really wanted to help companies, they would promote administrative regulation. Enforcement in that arena results in costs to wrongdoers as low as one one-thousandth of the ill-gotten gain. [Follow link to notable blog.]
Now that’s a clever strategy!
Leave a Reply