Did ChoicePoint End Run Backfire?

Times Staff Writers

ChoicePoint Inc. was created to avoid just the sort of mess in which it now finds itself.

The nation’s biggest private collector of personal information was spun off seven years ago from credit bureau Equifax Inc. largely to get around laws restricting the way such bureaus sell data.

Because it was not considered a financial services company, ChoicePoint was not subject to data laws, and for years the plan worked like a charm.


Freed from regulation, the company saw sales more than double -- and its profit and stock price more than quadruple -- as businesses demanded more data to manage risks and target marketing. ChoicePoint became the quintessential Information Age company, culling all manner of sensitive facts and figures about virtually every adult in the United States, some 19 billion records in all.

But in the wake of a security breach that allowed a ring of identity thieves to peruse tens of thousands of those records, ChoicePoint suddenly faces the sort of government oversight that it and similar companies have sought to avoid.

The Securities and Exchange Commission and other regulators are investigating ChoicePoint’s practices. Last week, the Senate Banking Committee held the first in a series of congressional hearings. Legislators and industry experts predict new regulation of ChoicePoint and competing information brokers that compile and sell Social Security numbers, driver’s license numbers and financial histories to tens of thousands of customers, including lenders, landlords and many of the Fortune 500.

“It’s very unfortunate,” said former ChoicePoint Vice President Catherine Aldrich. “They are a victim of a really heinous crime, and they are going to be really penalized -- the whole industry is.”

Privacy advocates disagree, saying ChoicePoint brought the prospect of more vigorous regulation on itself with an aggressive push to find new customers. They note that the recent breach was only the most widely publicized and that ChoicePoint has erred before -- as during the 2000 election, when it was hired by the state of Florida to run background checks on voters.

Chief Executive Derek V. Smith and other company officers declined repeated interview requests, as did company directors.

In regulatory filings and news releases, though, the company has said it is cracking down on potential identity thieves by turning away some customers, giving up a projected $15 million to $20 million in annual revenue. Last year, the company posted profit of $148 million on sales of $919 million.

In a statement to Congress last week, ChoicePoint said it could live with some measure of new regulation. In the past, information brokers have offered support for legislation and then succeeded in watering it down, according to a new book on the industry, “No Place to Hide: Behind the Scenes of Our Emerging Surveillance Society” by Robert O’Harrow Jr.

Information Raid

The latest problems erupted when con artists posing as small-business owners looked up sensitive information on 145,000 individuals.

ChoicePoint then made several missteps. Forced to notify California consumers under a law that took effect in 2003, ChoicePoint initially said only 35,000 state residents were at risk. Only later did it acknowledge the national scope of the breach. After that, CEO Smith said the incident was the first of its kind. But The Times soon discovered that, in fact, a similar episode had occurred in 2002.

Meanwhile, ChoicePoint still hasn’t checked for people who might have been victimized before the California law went into effect.

All in all, ChoicePoint’s handling of the affair has only added to the chorus calling for tighter regulation.

“They probably were too cavalier about it,” said analyst Brandt Sakakeeny of Deutsche Bank Securities. “They didn’t expect the firestorm that they’ve got.”

That might be because despite all the company’s knowledge about the people in its databases, ChoicePoint has few direct dealings with them.

The same isn’t true of Equifax, Experian Ltd. and Trans Union Corp., which must address errors in the credit reports they compile. Although ChoicePoint resells information from the three bureaus, it doesn’t have to take responsibility for the content.

That legal loophole, which Congress may soon shut, has been a tremendous boon to ChoicePoint. And the company has benefited from the wording in other laws as well. Financial institutions, including banks and other lenders, face much more onerous regulation about what they can do with customer data. ChoicePoint says it doesn’t meet the definition of a financial institution.

“There are a lot of dark crevices in the law that need to be opened up and filled in,” said Daniel Solove, author of “The Digital Person: Technology and Privacy in the Information Age.”

ChoicePoint has flourished by exploiting such regulatory weak spots, even in insurance services, its oldest and most profitable line of business. The company keeps a database of insurance claims by holders of auto and homeowner policies. Insurers submit those records to the database and check new applicants against it.

State Sen. Jackie Speier (D-Hillsborough) and other critics say that consumers often don’t know the database has been tapped or what’s in it; that the files can include errors that go uncorrected; and that insurers even count simple inquiries that don’t lead to the filing of a claim as a strike against policyholders.

Speier, who pushed a 2003 bill that would have curtailed the practice, maintains that insurers sometimes use the information to discriminate against customers. The state Insurance Department says one insurer, for example, refused to cover a San Francisco homeowner who had once asked her agent if she was covered for a clogged pipe.

Data and More Data

More frequent targets for critics have been ChoicePoint acquisitions that specialize in collecting widely dispersed public records, including legal judgments, liens and voter registration information, and then tying them to more sensitive data such as Social Security numbers and driver’s licenses.

ChoicePoint bought Santa Ana-based CDB Infotek in 1996, shortly before spinning off from Equifax, and added Database Technologies Inc. in 2000. The next year, Database Technologies came under fire for having given Florida election officials a list of thousands of suspected felons that state officials used to bar people from voting.

The list was riddled with errors, and many of the accused were black Democrats. At least 1,000 people were improperly kept from voting, more than George W. Bush’s margin of victory. The NAACP sued. ChoicePoint blamed Florida officials for asking for near-matches without making confirmation checks on their own. ChoicePoint settled the case in 2002 and agreed to reprocess its list of suspected ex-cons.

Although ChoicePoint’s government deals generate only about 10% of revenue, Sakakeeny said, the company made the area a top priority after the Sept. 11 terrorist attacks, and the firm won a four-year, $67-million contract with the Justice Department. Local police, the FBI and other agencies are big customers, in part because laws prevent the authorities from keeping close tabs on those who aren’t suspected of a crime.

“These government agencies are increasingly outsourcing various law enforcement and intelligence functions,” Solove said. In a sense, he added, the government doesn’t even need its own surveillance program. “It can achieve the same goal by having these companies do the work for them.”

Yet ChoicePoint’s government work has brought criticism from civil liberties groups.

“Individuals need to give their information to third parties in order to participate in society,” Chris Hoofnagle, an attorney with the Electronic Privacy Information Center, wrote in a law journal last year. “It is unfair to cede all individuals’ rights to a company that can simply hand over personal information to law enforcement.”

Several foreign governments also launched investigations after ChoicePoint acquired secret information on their citizens. Mexico placed three accused middlemen under house arrest for their suspected roles in helping ChoicePoint buy the entire country’s voting rolls, which are protected under federal law.

Despite the backlash, ChoicePoint has indicated that it wants to go much further in mining for information. The company has been working on a secret database prototype for the FBI. And Smith, the CEO, has pressed for the expansion of DNA collection from criminals and others, as well as for parents to take DNA samples from their children.

“In the near future, identity, so weakened by fallible representations like birth dates and Social Security numbers, will be anchored by infallible genetic markers,” Smith wrote in his 2004 book “Risk Revolution.”

Although such sentiments have alarmed privacy advocates, ChoicePoint has taken the most flak for the way it peddles far more workaday information.

The Nigerian fraud rings that repeatedly penetrated ChoicePoint’s databases passed themselves off as legitimate small companies interested in tapping people’s addresses, phone listings, Social Security numbers and credit reports.

The company stresses that it doesn’t grant access to information to just anybody. But it has opened its arms much wider in recent years.

Backgrounds Exposed

The clearest case is a product called Employee Background Check, which was sold in 2003 to the general public at Sam’s Club stores for less than $40. (ChoicePoint’s lead outside director, Thomas Coughlin, recently retired as vice chairman of Wal-Mart Stores Inc., where he oversaw the U.S. operations of Sam’s Club.) The kit, since pulled from the market, featured many of ChoicePoint’s databases and allowed customers armed with someone else’s Social Security number to look up identifying information and possible criminal records.

Ostensibly aimed at employers, the product did little to weed out nosy neighbors or crooks.

The package came with a seal reading “Business License Required.” But the online registration forms, which took less than half an hour to complete, didn’t ask users to submit a license number, according to Pam Dixon, founder of nonprofit research group World Privacy Forum.

And though users were supposed to have the approval of purported job candidates for some searches, all ChoicePoint demanded was that customers check an electronic box marked “candidate authorization obtained?”

The company told users they might be audited, but Dixon said she bought a kit and never got so much as a phone call asking who she was.

“It was the single most insecure background check product I have ever seen in my life,” she said.

In some eyes, the Sam’s Club sales exemplified ChoicePoint’s drive to trade wider access to its information for greater revenue.

“The public records side had really stagnated,” said Aldrich, the former vice president, who now works at an employee-screening firm. Even so, she called the kit decision “a really odd thing.”

CEO Smith has called for a broad discussion of how the increased flow of information can be used for good and ill.

“The electronic ‘pipeline’ is not the problem,” he wrote. “The problem is society’s continuing delay in implementing consistent, coherent standards and guidelines to monitor and protect the flow.”

But by putting profit above all else, some analysts say, Smith has lost his shot at driving that conversation.

“They should have taken a stronger leadership role on the process, in who they disclose to,” said Gartner Inc. financial security analyst Avivah Litan. “Companies like ChoicePoint can’t see the forest for the trees.”


Times staff writer David Colker and researchers John Tyrrell and Penny Love contributed to this report.