The ChoicePoint Settlement
posted by Daniel Solove
Recently, the FTC announced a settlement in its complaint against the data broker ChoicePoint for a data security breach that resulted in over 160,000 people’s personal information being sold to identity thieves. According to the Washington Post:
Data broker ChoicePoint Inc. yesterday agreed to pay a $10 million federal fine over security breaches that exposed more than 160,000 people to possible identity theft. Privacy experts praised the settlement as a warning to companies to get more serious about protecting sensitive information.
The Alpharetta, Ga.-based company, one of the nation’s largest buyers and sellers of personal information such as Social Security numbers, birth dates and addresses, also agreed to pay $5 million into a fund to compensate people who suffered as a result of the breaches.
The Federal Trade Commission, which said the fine was the largest civil penalty it had ever imposed, said ChoicePoint violated consumers’ privacy and breaking federal laws by mishandling the information and misleading people about its privacy policy.
The FTC complaint is here. There are some important issues worth discussing in connection with the news of the settlement.
1. The settlement might not have been possible were it not for the California security breach disclosure law (SB 1386, codified at Cal. Civ. Code § 1798.82(a)) that required ChoicePoint to disclose its security breach. Currently, data brokers are trying to get Congress to pass a very weak and narrow security breach notice provision that preempts stronger state laws. The Data Accountability and Trust Act, HR 4127, now in the House of Representatives, requires disclosure only if there is “a significant risk of identity theft.” Under the bill, who determines whether there’s a significant risk of identity theft? Ironically, it appears that it will be the very companies that leaked the data. With most of the security breaches that were announced in 2005, the companies insisted that the risk of identity theft was minimal to non-existent. So it would seem that with this provision, hardly any companies would make the disclosure. If a company decides that it must disclose, then it is also conceding that there is a “significant risk” of identity theft from its breach. Few companies will want to make such a concession, as it will create a public relations nightmare. Given the strong disincentive for companies to admit publicly that a security breach could cause significant risks to consumers, the “significant risk” threshold will lead to very few if any disclosures.
The reason why data brokers are pushing for a federal disclosure bill is because they want to preempt stronger protection in the states. When the ChoicePoint data security breach was disclosed, only California had a data security breach disclosure law. But afterwards, many states responded by passing similar laws. According to a compilation by the Public Interest Research Group (PIRG): “This year, security breach notification legislation was introduced in at least 35 states. As of 4 January 2006 at least 23 states have passed security breach notification laws.” A weak preemptive federal disclosure bill will wipe away much stronger protection in many states. The very kind of disclosure law that made the FTC settlement possible might be nullified if Congress passes the data “protection” laws that the data brokers want.
2. The FTC complaint and settlement illustrates why it is important to have data brokers regulated under the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681. FCRA, the law upon which the FTC’s complaint was premised, regulates consumer reporting agencies. According to the FTC complaint:
The persons who obtained this consumer information submitted applications to ChoicePoint and were approved by the company to be subscribers authorized to purchase ChoicePoint products and services. The applications contained false credentials and other misrepresentations, which ChoicePoint failed to detect because it had not implemented reasonable procedures to verify or authenticate the identities and qualifications of prospective subscribers. Among other things, ChoicePoint failed to: utilize readily available business verification products, such as those that identify commercial mail drops; examine applications and supporting documentation supplied by prospective new users; compare information supplied by prospective new users to information supplied by other applicants in order to identify suspect representations; conduct site visits; or utilize other reasonable methods to detect discrepancies, illogical information, suspicious patterns, factual anomalies, and other indicia of unreliability.
The complaint sets forth a series of specific examples. Here are a few:
ChoicePoint accepted and approved, without further inquiry, the applications of subscribers notwithstanding the fact that ChoicePoint’s own internal reports on the applicant linked him or her to possible fraud associated with the Social Security number of another individual. . . .
ChoicePoint also failed to monitor or otherwise identify unauthorized activity by subscribers, even after receiving subpoenas from law enforcement authorities between 2001 and 2005 alerting it to fraudulent accounts, and even when its own experiences with the subscriber should have raised doubts about the legitimacy of the subscriber’s business.
To the extent that FCRA applies to data brokers, it restricts and penalizes activities such as these. However, data brokers such as ChoicePoint still operate many databases that they claim fall outside of FCRA. Back in December 2004, before the ChoicePoint announced its data security breach, Chris Hoofnagle of the Electronic Privacy Information Center and I jointly submitted a letter to the FTC that stated that:
ChoicePoint sells a number of FCRA products in the employment screening, tenant screening, and criminal background check fields. But the company also sells two products, “AutoTrackXP” and “Customer Identification Programs” outside of the FCRA’s protections. AutoTrackXP is a database of 17 billion records that includes Social Security Number, addresses, property and vehicle information, and other information. The company’s anti-fraud “Customer Identification Programs” are a suite of data products that have been created in order to verify the identity and perform background checks on individuals who open new financial services accounts. From its description, Customer Identification Programs appears to be an AutoTrackXP report with additional identity verification services.
These two products are sold to financial institutions, members of the public (private investigators, law firms, etc.) and to law enforcement agencies. These are the same institutions which rely on credit reports and investigative consumer reports, but these new products are sold outside the protections of the FCRA, yet are often used for related (and sometimes identical) purposes.
These databases have yet to be regulated. The ChoicePoint settlement does not address the letter Hoofnagle and I sent to the FTC. Thus, although the settlement is a step forward, it does not address all of the problems caused by data brokers. Much more must be done to effectively regulate data brokers.
Related Posts:
1. Solove, ChoicePoint Wants Your Motor Vehicle Records (Concurring Opinions) (December 2005)
2. Solove, FTC: Letting Experian Keep the Spoils (Concurring Opinions) (November 2005)
3. Solove, ChoicePoint: More Than 145,000 Victims? (Concurring Opinions) (November 2005)
4. Solove, Free Credit Reports: My Exciting Adventure (Concurring Opinions) (October 2005)
5. Solove, Notice Much Delayed: The FDIC Security Breach (PrawfsBlawg) (June 2005)
6. Solove, Data Security Breach Supersized: 40 Million People Affected (PrawfsBlawg) (June 2005)
7. Solove, Data Leaks: Déjà Vu All Over Again (PrawfsBlawg) (June 2005)
8. Solove, Tallying Up Data Security Breaches (PrawfsBlawg) (May 2005)
January 30, 2006 at 12:42 am
Posted in: Privacy, Privacy (Consumer Privacy), Privacy (ID Theft)
Print This Post
Responses (2)
Gary Moore - January 30, 2006 at 8:26 am
Daniel,
Great article. And you are exactly correct in stating the following about the proposed bill
“With most of the security breaches that were announced in 2005, the companies insisted that the risk of identity theft was minimal to non-existent. So it would seem that with this provision, hardly any companies would make the disclosure. If a company decides that it must disclose, then it is also conceding that there is a “significant risk” of identity theft from its breach. Few companies will want to make such a concession, as it will create a public relations nightmare”
I have evidence to back that up. Back in 2002, Information Week had a survey of over 3400 companies. In that survey, almost 50% of the companies surveyed do not report an security incident with anyone. This includes partners, customers, legal counsel, the CERT advisory group and government authorities. In fact barely 20% of these companies contact legal counsel and less than 20% have contacted the government.
If that proposed bill passes, it will preempt stronger state lawas and companies will be less inclined to report security breaches.
Bruce - January 30, 2006 at 4:17 pm
I don’t agree with the conclusion that an exception for breaches that do not produce “a significant risk of identity theft” means that no breaches will be reported. That language is pretty mushy, and assuming more than minimal enforcement (which seems a safe assumption at the moment with the FTC), a subjective internal assessment of insignificant risk does not seem like a comfortable safe harbor for businesses attempting to avoid the PR and regulatory hit of having a complaint filed against them. On the plus side, it means that consumers won’t get flooded with notices every time a backup tape in a proprietary format gets logged in wrong at the warehouse.
Leave a Reply