Treating Personal Data Too Casually

Business executives have a habit of kicking up a fuss over state regulatory initiatives that, in true California style, exceed the stringency of the federal versions.

There’s a rule restricting tailpipe emissions of greenhouse gases, starting in 2009, that has attracted a lawsuit from the entire global auto industry, for instance. And another on bank subsidiaries sharing data from credit reports with each other that the American Bankers Assn. has haled into court.

I wouldn’t wish bad things on anybody, but I wonder how the people who run the auto companies and banks would feel if they were among the 145,000 souls who recently received a rather disturbing letter from Alpharetta, Ga.-based ChoicePoint Inc. The missive notified recipients that ChoicePoint had inadvertently given a criminal gang access to their personal information. The error subjected those consumers to the risk of identity theft.

It’s plain that the only reason the word got out was that a state law requires companies such as ChoicePoint to notify California consumers when the security of their personal information has been breached.


Indeed, there are indications that ChoicePoint’s first impulse was to inform only California consumers, who account for about 35,000 of the 145,000 total victims identified so far. A public outcry soon convinced it to change its mind and inform everybody.

Now there’s talk in Washington about enacting a federal notification law like ours. This is an encouraging step, considering that the last California statute the feds viewed as a model was one that restricts the rights of medical malpractice claimants.

Still, one wonders how much even a federal law can help consumers, if ChoicePoint’s treatment of its responsibilities under the California act is any guide.

To recap reports by my colleagues Joseph Menn and David Colker, ChoicePoint discovered back in October that it had sold consumer files to a group of Los Angeles criminals, who themselves had used stolen identities to mask their nefarious intentions. But it didn’t start notifying potential victims until early February. One Nigerian national has already pleaded guilty in connection with the case, and the investigation continues.


When I asked a ChoicePoint spokesman to explain the delay, he said that the release of the information had to wait until it was “cleared” by the Los Angeles County Sheriff’s Department, which is handling the investigation. But there’s some confusion about that. One Sheriff’s Department officer has been quoted as saying his agency informed the company in November that it had a duty to disclose the breach to California consumers.

The company, however, says it has a letter from the department, dated in November, asking it to “delay” notification while the investigation continues. When I asked to see it, the company refused on grounds that this episode has become the subject of a consumer lawsuit.

ChoicePoint’s spokesman, Chuck Jones, couldn’t tell me if the company challenged the Sheriff’s Department’s request -- say by pointing out that identity theft might already be afflicting innocent and unwitting consumers while the investigation lumbered along. Atty. Gen. Bill Lockyer, incidentally, has also asked the company to explain the delay.

There’s also a lot of murkiness about why ChoicePoint didn’t decide voluntarily to alert all affected consumers nationwide, as opposed to just the Californians for whom notification was mandatory. ChoicePoint’s marketing director, James Lee, distinguishes between the “pool of potential” victims -- all those whose personal data may have been accessed by the crooks -- and the “compromised” victims -- a smaller group whose data was in fact accessed by the crooks.


He says the company decided to notify all the “potentials” living in California, but held off on all out-of-staters until sheriff’s investigators established that there were compromised victims all over the country, at which point it sent out the non-Californian notifications.

It still doesn’t sound like ChoicePoint moved heaven and earth to let all the possible victims know they might be in for trouble, does it?

But that’s perhaps the most important lesson of this case -- the consumers whose life stories are wholesaled by companies like ChoicePoint occupy the very bottom of the databank industry food chain.

In its official statement about the breach, the company notes that the incident “did not involve any of ChoicePoint’s customer information.” (Italics mine.) To put it more clearly, those whose personal lives were compromised aren’t ChoicePoint’s customers.


Rather, its customers are the buyers of this information: insurance companies, banks, telemarketers, junk mailers, police departments, and, not to put too fine a point on it, newspapers. (The Los Angeles Times subscribes to at least one ChoicePoint database, and I’ve used it regularly to dig up addresses, real estate holdings and phone numbers of people I want to reach or write about, without their knowledge.)

ChoicePoint says it had “very robust” systems in place to protect its non-customer data from abuse, adding that, in effect, there’s little you can do to defend yourself from highly sophisticated rings of Nigerian con men. Pu-leeze. I’d bet that ChoicePoint spent everything on database security that made economic sense according to its profit-and-loss calculations, and not a penny more.

Absent a law forcing such companies to treat the raw data as carefully as it does its customer relationships, more such cases are sure to surface.

“If ChoicePoint spent lots of money to protect our privacy, they’d go out of business,” observes Bruce Schneier, a Bay Area computer security expert. “Taking care of our privacy is an externality for them. We need to make them internalize it.”



Golden State appears every Monday and Thursday. You can reach Michael Hiltzik at and read his previous columns at