The company is a data broker that boasts a collection of 17 billion public records. The records span everything from birth dates and addresses to driver's license and Social Security (news - web sites) numbers - just enough information to cause trouble if it gets into the wrong hands.
And it did.
The company, duped by criminals masquerading as business owners, gave up personal information on 145,000 people last year. For months, as police investigated, the consumer-victims weren't told.
The theft became public only this month when ChoicePoint began notifying California consumers whose data were compromised. In one way, consumers got lucky.
ChoicePoint had to confess because of a law in California - the only state that mandates notification of its residents when their data are breached. After the theft shot into the headlines, ChoicePoint began sending notices to victims in every state.
Outside of California, protections are few, even as the frequency of identity theft increases.
The Federal Trade Commission (FTC) received 246,570 identity theft complaints last year, and the problem actually is much worse: 9.9 million people (about one in every 30 Americans) were victims of identity theft in a one-year period starting in spring 2002, according to an FTC survey. Thieves use the data to get credit cards, pilfer bank accounts and take over identities for future thefts.
Several factors give them the upper hand:
• Companies hide break-ins. Many companies react as ChoicePoint did initially. They keep quiet after computers are hacked, fearing lawsuits and damaged reputations.
• Police are busy elsewhere. Local police are often reluctant to pursue cases. The amounts, while large to an individual, seem small compared with other monetary crimes. Often the consumer lives in one state, the thief in another. Federal authorities can act, but only about 1 in 700 cases of identity theft resulted in a federal arrest in 2002, according to Avivah Litan, a cybercrime expert with the Gartner research firm.
• Oversight is weak. Identity theft is a relatively new crime and, outside of California, governments haven't yet geared up to address it. The rising industry of data brokers has little oversight, and rules for financial institutions aren't up to the task.
The good news is that the ChoicePoint breach is prompting several states, including Georgia, New Hampshire, New York and Texas, to consider bills patterned on the California notification law. Several U.S. senators are pushing a federal law.
The argument against this is hopelessly weak. Critics argue that requiring companies to notify people whose identities have been stolen is expensive and notices might become so frequent that consumers eventually would ignore them. Really? It's hard to imagine any consumer ignoring a notice that says his Social Security number has been stolen.
People have the right to know and to protect themselves. And a business earning profits from the sale of such information has an obligation to tell them.
News Alerts
