This story appeared on Network World Fusion at
http://www.nwfusion.com/columnists/2005/022805bradner.html
'Net Insider
Dumber decisions - safer world?
By Scott Bradner
Network World, 02/28/05
I hope by now ChoicePoint has made enough dumb decisions to ensure
that we get some useful national mandates that require reasonable protection
for data about people. Or I hope we at least get requirements to tell us when
some company holding such information screws up.
For those who didn't see the news coverage, ChoicePoint recently
admitted to being struck by what is probably the biggest case of identity theft
to date. ChoicePoint is a rapidly growing company in Alpharetta, Ga., that
offers data-related services that range from pre-employment screening to direct
marketing support. The company says its databases include 19 billion records
about people, their activities and histories.
ChoicePoint recently admitted discovering last October that, for
at least a year, more than 50 fake companies, operating out of Kinko's stores,
had full access to ChoicePoint's data and apparently made good use of the
access. For a company whose registered Web site motto is "Smarter
Decisions - Safer World," ChoicePoint has made some rather dumb decisions
of late.
• The company's validation procedures for permitting access to its
databases were clearly inadequate. Maybe the company decided that it was too
expensive to do things correctly - for example, by visiting all companies
before granting access?
• ChoicePoint didn't tell any of the people whose data was stolen
that they were at risk for identity theft for almost five months. The
company said it was the cops who didn't give a hoot about warning people that
their good names were in imminent danger and told ChoicePoint not to tell
anyone. Maybe, but ChoicePoint's later actions indicate that it was not exactly
eager to do what was right.
• When ChoicePoint finally admitted that something had happened, the
company downplayed it and said that the only people who were at risk were
35,000 or so Californians. Perhaps not coincidentally, California by law is
the only state where people whose private information is exposed by such
breaches must be notified.
• Only after considerable pressure, including a letter from 38
state attorneys general demanding that people at risk in their states also be
notified, did ChoicePoint belatedly say it would send letters to 110,000
additional people. (One wonders if the attorneys general of the other states
think that identity theft is OK.) Since that expansion, there have been news
reports that the number of people whose data was accessed might exceed 500,000.
• ChoicePoint includes information that it doesn't need to in the
reports it provides - such as a Social Security number in its personal property
and personal auto reports (samples of which are on the company's Web page). I
understand the company might want to include the ability to look someone up
using a Social Security number, but I don't understand why it's needed in a
report - same for date of birth and a number of other fields - unless the
outfit wants to facilitate identity theft.
One good thing might come out of this fiasco: Maybe Congress will
extend California's notice requirement nationwide. One thing that should happen
but will not, unless some Congress critters were in the exposed population, is
to make companies like ChoicePoint pay for any damage done by such lax
processes.
Maybe ChoicePoint's dumb decisions will wind up making this a
safer world.
Disclaimer: Historians have said (and will say) if Harvard makes
dumb decisions. But the above exploration and hope is mine, not the
university's.