Data Show Information Collector Can’t Be Trusted
Management experts tell us that companies sometimes reveal hidden skills when they’re confronted with unexpected challenges, such as the need to recall a popular product or address a case of corporate malfeasance.
Alpharetta, Ga.-based ChoicePoint Inc., the data-selling company at the center of an identity-theft scandal, has been displaying one of these hitherto unrecognized talents, big time. In its case, it’s a talent for convincing the public that it can’t be trusted with people’s personal information any more than a 3-year-old can be trusted with a machine gun.
In fact, the company seems determined to prove that it should be regulated like a chemical polluter or, even better, put entirely out of business.
What else is one to conclude from the revelation this week that the recent security breach the company suffered, supposedly at the hands of a ring of Nigerian identity thieves -- a case that the company claimed to be unprecedented -- was preceded by a nearly identical breach of its data five years ago, also by a ring of Nigerian identity thieves?
What light does that shed on ChoicePoint’s assurances in recent weeks that it has “always restricted and controlled access to personal data” and that it is “aggressively addressing” its security problems?
The earlier episode occurred before ChoicePoint was legally obligated to inform California consumers that they might be affected, which must explain why it stayed mum. But did it “aggressively address” the problem then? If so, why did it happen again?
ChoicePoint seems to have a habit of substituting high-flown rhetoric for real action. It says it’s going to “extraordinary lengths” to assist those whose personal data may have been compromised, but when you peer closely at what it’s doing, you don’t find anything so extraordinary. The company has agreed to pay for a one-year credit monitoring service from GUS’ Costa Mesa-based Experian unit, another data wholesaler, for all the affected consumers. Experian’s retail price for this service is $120 a year; so if all 145,000 victims were to sign up, it would cost ChoicePoint about $17.4 million, or a measly 2% of its annual revenue in 2003. And given that ChoicePoint is sending Experian a chunk of potential renewal customers, I’d bet it’s receiving a healthy discount.
The company also wants to be congratulated for offering affected consumers one free look at the financial dossiers compiled on them by all three national credit reporting companies. But under a federal law being rolled out in stages across the country, all Americans now have the right to a free look at their reports once a year. No big whoop there. The free reports are already available to residents of Western and Midwestern states through www.annualcreditreport.com.
Ask ChoicePoint for more than that, and you may get stiff-armed. That’s what has happened to Elizabeth Rosen, a Southern California nurse whose data have been compromised. She has asked ChoicePoint for all the background information about her in its files -- the same information that it would sell to any business. So far, all she’s received is an incomplete data sheet, drawn from public records, that ChoicePoint sends for free to any consumer who asks.
Rosen’s form, as it happens, brims with erroneous addresses, phone numbers and business relationships. “I’ve already spent three weeks dealing with this,” she told me. “I want every bit of information they’re putting out about me, and reimbursement for the personal time I’ve spent because of something they did.”
Something they did? Perish the thought.
ChoicePoint prefers to act as though it’s the aggrieved party in the Nigerian case. It has reportedly asked law enforcement officials to refer to it officially as the “victim,” sounding like the prima donna in a Tennessee Williams tragedy. The thousands of people who may face years of hassles because of ChoicePoint’s inept security measures are apparently only bit players.
Portraying its own failures as the fault of wicked strangers seems to be ChoicePoint’s standard position when it’s caught with its carelessness showing. The maneuver doesn’t always work. It certainly didn’t save the company from a thrashing by a federal court jury and judge in Kentucky in 2003.
ChoicePoint was sued by a Louisville homeowner who had found herself uninsurable because the company reported, inaccurately, that she had filed several claims for fire damage to her home. Turned into a nervous wreck by the experience, she tried repeatedly to get ChoicePoint to correct the record; instead, over time the inaccuracies in her report actually proliferated.
The jury, unimpressed by ChoicePoint’s defense that the errors were all the fault of CNA Financial Corp., the insurance company that provided the original data, awarded the plaintiff $447,000 in compensatory and punitive damages. The parties subsequently settled the case for an undisclosed amount.
In his ruling at the close of the litigation, the judge, John G. Heyburn II, made plain what he thought of ChoicePoint’s behavior.
The company “displayed a generally uncaring attitude at trial,” he wrote. “ChoicePoint’s witnesses made particularly negative impressions upon the jury. They repeatedly denied making any mistakes, and, instead, seemed to blame all defective data on others.” He added that “no ChoicePoint witness ... ever took responsibility for assuring that its data was accurate,” and concluded, “ChoicePoint employees appeared slow to recognize problems even once they were put on notice, and disclaimed all responsibility.”
Anything there sound familiar?
Golden State appears every Monday and Thursday. You can reach Michael Hiltzik at golden.state@latimes.com and read his previous columns at latimes.com/hiltzik.
