Complain about a product or service

ChoicePoint Gets a Makeover

Data Broker Cleans House, Burnishes Image

By Martin H. Bosworth
ConsumerAffairs.com

July 17, 2006

• ChoicePoint Gets a Makeover • Data Blunders Cost ChoicePoint $15 Million • FBI Deal Raises New Questions about ChoicePoint • PATRIOT Act Further Empowers ChoicePoint • FTC Partly to Blame For Growing Identity Theft Problem, Groups Charge • ChoicePoint Not the Only Weak Link in the Data Chain • More about ChoicePoint...

If the first thing your company name brings to mind is "identity theft," there's a lot of public relations housecleaning to do. That's the situation facing data broker ChoicePoint.

The company is most widely known for its inadverent sale of thousands of individuals' data records to a ring of Nigerian identity thieves in 2005, and for triggering an avalanche of media coverage of data breaches, identity theft, and online fraud.

The company paid $15 million for its trouble, and since that time, has implemented a series of steps it hopes will improve security. It's also placed restrictions on the types of records it sells, and has moved away from contracts with government and law enforcement agencies, which has cost it millions in revenue.

Even with the hiring of former Transportation Security Administration (TSA) administrator Carol DiBattiste as its new privacy officer, and commendations from the likes of Gartner security analyst Avivah Litan, ChoicePoint is still buried under a mountain of bad press and negative public sentiment.

Privacy advocates, security specialists, and media pundits have not cut the company much slack, using ChoicePoint almost as a synonym for the shadowy, complex, and often frightening world of data brokers.

On July 10th, the company announced it was selling several of its business components, including a direct marketing firm, even as stock analysts continued to express wariness about the company's long-term financial prospects and modest profit gains.

ChoicePoint • Lexis-Nexis Parent To Buy ChoicePoint • ChoicePoint Settles Data Breach Lawsuit • More ChoicePoint Identity Theft Victims Identified • ChoicePoint Settles With Attorneys General Over Data Breach • FTC Finally Sets Up Redress For ChoicePoint Victims • ChoicePoint Names a "Consumer Advocate" • FTC Fails To Pay Victims Of ChoicePoint Data Breach • ChoicePoint Gets a Makeover • Data Blunders Cost ChoicePoint $15 Million • Guilty Plea in ChoicePoint Data Theft • ChoicePoint Finds More Cases Of Illegal Data Access • ChoicePoint Responds • PATRIOT Act Further Empowers ChoicePoint • Previous Data Thefts Went Unreported • Consumers Will Be Able to See Their ChoicePoint Records, Company Says • Nigerian Sentenced to Prison in ChoicePoint Theft • State Tally of ChoicePoint Victims • ChoicePoint Breach Worse Than First Reported • Is National Security Compromised by ID Theft? • States Demand ChoicePoint Notify ID Theft Victims • Private Information Stolen from Nationwide Consumer Database

In the words of company president and chief operating officer Doug Curling, "we are improving our reach and meeting with lots of media and privacy folks to address the different biases people have."

Corporate communications vice-president Matt Furman believes that "there's a lot of mythology about us that needs to be shed ... we're not like any company out there."

Thus it was that I received an invitation to sit down with some of the company's biggest players and get a first-hand account of how the company is -- and is not -- changing its ways.

The Inside Job

ChoicePoint's government affairs and privacy division is headquartered in a nondescript office building in McLean, Virginia, the Washington suburb that is also home to the CIA and its secretive band of contractors.

As Nicole Bertucci, DiBattiste's cheery special assistant, used her ID card to get us through the door and past several generic offices and cubicles, I noted how such a powerful organization as this could be so utterly normal in appearance. Indeed, this could be any office, in any city.

According to Doug Curling, the company's new media push is to prove how precisely normal they are. When I asked him how they could not see the potential for a mistake like the data breach, he said, "We're not omnipotent. We made a mistake, and said, 'Now let's learn from that and see what we can do better.'"

Curling, an affable, loquacious fifty-something with a mop of silver-grey hair, was not at all shy about evangelizing ChoicePoint's mission and its new push for transparency.

In a meeting of five people, he did virtually all of the talking on the company's part. His goal, he said, was to "cut through the media clutter" and help people "understand how the industry works."

Curling claims that the company is not in the business of selling the records that people think it sells.

"Of the data we possess, we don't do medical records, DNA transactions, or share financial records," he said.

So what makes up the bulk of the reputed 19 billion records that the company holds and shares?

The majority of ChoicePoint's data brokering, claimed Curling, was in auto and home insurance risk assessments. Insurers use the reports ChoicePoint provides to gauge the "underwriting risk" of potential borrowers and price their premiums accordingly.

The practice of using ChoicePoint's "CLUE" reports to gauge an insurance premium has been heavily criticized for relying on data that may be inaccurate or out of date, but Curling emphasized the need for "pricing premiums according to uniqueness."

"There's such a high propensity for insurance fraud out there," he said, "we have to find ways to lower the underwriting risk, and aggregated statistics help lenders gauge the level of appropriate risk to them and yourself."

ChoicePoint's other major market, Curling said, was in "pre-employment screening," providing comprehensive personal profiles of individuals' birth records, employment histories, police records, and so on to major corporations and businesses.

Even with the company's recent shedding of several of its subsidiaries, ChoicePoint still owns or controls a dizzying array of companies that trade in sifting the billions of data troves for viable data on individuals.

ChoicePoint acquired the "Bridger Insight" software system, partnered it with ChexSystems, the infamous database of rental histories owned by information services company eFunds, and put the two together to help banks and lenders comply with the PATRIOT ACT's mandate for investigating potential borrowers for terrorist activity.

ChoicePoint also owns VitalChek, one of the biggest clearinghouses for processing documents that verify a person's birthplace, date of birth, and general identity.

On June 28th, the company bought the assets of USCERTS, a Memphis, TN-based data company that provided software systems for managing identity documents, and planned to put the new assets to work expanding its VitalChek operation.

ChoicePoint's primary focus these days isn't as much in data collecting as much as it is in data analysis -- combining different bits of data about a person and providing a particular equation.

"What if the government came to you and asked you to find out something about me?" I asked Curling.

"If a law enforcement agency wanted us to find something about someone, we would do it, but we'd need a source to start with," he said.

Furman concurred. "We don't just collect records and dive right in."

"It wouldn't be about you, per se," added Curling. "They'd be looking for the guys next to you -- the people you might be associated with."

"Everyone's In The Data Business"

Analyzing and correlating data isn't the same as just hoarding and reselling it, but the fundamental flaw of all data brokers is the same -- if the data itself is inaccurate or out of date, it can unfairly hamstring the person being investigated.

How many times have you had to mail or telephone a credit bureau and demand that they remove an inaccurate record from your report, or to update their files with your proper personal info?

Beth Givens, director of the Privacy Rights Clearinghouse, has been a strong proponent of greater accuracy in reporting and responsibility on the part of the data brokers to verify and correct the records they parse.

In submitted testimony to the Federal Trade Commission on the subject in May 2006, Givens cited multiple examples of mistakes in the CLUE reports, including a consumer who ordered his report while seeking a new insurance deal, and got one that contained his father's information instead.

Givens also advocated stronger and specific legislation specifically for employment screening, as those records are much more permanent and potentially harmful than negative credit items.

"A job applicant's ability to see an employment report is triggered by the employer's willingness to acknowledge that something in the report led to an adverse decision," she said. "Rather than following the FCRA procedure, an employer may simply say there was a more qualified candidate."

Not surprisingly, ChoicePoint believes the responsibility for maintaining accurate records rests largely with the records source, not the aggregator.

"We mostly utilize public records for our businesses," Curling said. "We provide our clients with extra effort to ensure accuracy and the best, most up-to-date records we can, but you have search engines like Yahoo and Google that everyone uses. Who vouches for their results? Do you hold them responsible if you get bad records back?"

In fact, all of the ChoicePoint executives I spoke to made the same claim -- they are more heavily regulated and monitored than virtually any other agency in their business. And according to Curling, "Everyone is in the data business, but few are more regulated than we are."

In addition to their compliance with all the laws that govern credit bureaus, chiefly the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA), Carol DiBattiste outlined how the company is providing regular audits of its work on the business and consumer levels, "including heavy credentialing on both the front-end and back-end" of their systems.

Furman detailed how the company will be developing video presentations of how to get one of its reports, and the new "identity quiz" users will be taking to gain access to particular products. "We're very far ahead of the game when it comes to our transparency," he said.

But is it enough? Many don't think so. I asked Ed Mierzwinski, head of the U.S. Public Interest Research Group, if the company's new practices were enough to assure trust in its business.

"ChoicePoint and other data brokers need robust regulation based on 'Fair Information Practices'," he said.

Mierzwinski has written at length that existing federal laws such as FCRA and FACTA are weak, and don't do enough to assure consumer privacy and security. In 2005, he endorsed legislation authored by Congressman Ed Markey (D-MA) that would reestablish and strengthen state consumer privacy laws, such as the laws in California that forced ChoicePoint to disclose the sale of its data to criminals.

"Were it not for California's previous enactment of security breach disclosure legislation, for example, we would not have found out about the ChoicePoint fiasco," he said.

Curling pointed to the disclosure as an example of ChoicePoint's willingness to come forward and be honest about its business practices -- including its mistakes. "We took a huge hit by coming forward like we did, " he said. "But it was the right thing to do."

Curling expressed his preference for universal federal privacy laws over the "mosaic quilt" of multiple state laws.

"Simplicity works," he said. "I find that market pressures, and media pressures, work much better to ensure better business than regulation."

"The government can't regulate itself, so they try to regulate private business to compensate," he said. "Why aren't they dealing with the NSA asking for people's records, instead of the companies giving it to them?"

"Schizophrenic About Privacy"

Perhaps surprisingly, Curling expressed ambivalence about today's information-saturated culture, with the emphasis on knowing everything you can about someone all at once.

"Companies are looking at social networking sites like MySpace to check potential employees. They shouldn't be doing that, but it happens anyway," he said. "I tell my kids, 'Anything you put on there is going to come back to you later.'"

Curling called the Internet "the opposite of Las Vegas -- what happens in Vegas stays there, and what goes on the Internet's permanent and follows you around."

Curling also expressed a distaste for "loyalty cards" and customer affinity programs, noting that he doesn't want Budweiser knowing how often he buys a six-pack.

The president of the world's most notorious data brokerage company expressing his concerns over the lack of privacy in modern society seems odd, but as Curling put it, "Americans are schizophrenic about privacy. They like the convenience of having all of this information at their fingertips, but don't like the idea of it coming back to them."

Curling may be right, but Americans also don't like the idea of bad data collection practices leading to the loss of a job, being confused with a criminal, or having to spend months monitoring all of your financial transactions for identity theft.

The cost is both personal and professional. According to the information technology magazine Baseline's report on ChoicePoint from 2005, the Data Warehouse Institute estimated the aggregate costs of data errors or mistakes at $600 billion yearly.

That same report quoted IT executive Randy Bean as saying that data brokers and aggregators need "the greatest sensitivity�because people very willingly share their information with these organizations, be it when they make retail purchases or open bank accounts or medical record ... And the organizations that capture that data ... ultimately must have responsibility for how that data is used and where it goes."

The Watchers

As I prepared to leave, I wondered if, now that I had sat down and talked with these people face-to-face, it would be harder to write an article blazingly critical of their business practices.

I hope so, because while media criticism may be an annoyance to companies like ChoicePoint, the use of inaccurate data or false analysis by a potential employer or creditor can be a disaster for individual consumers.

At ConsumerAffairs.com, our editors constantly remind us in extremely vivid language that we are always to put consumers' interests first. That's not the same as being anti-business, it simply means that when competing interests clash, it's our job to represent the individual, not industry or government.

Curling claims his company has a less than 1/10th of 1 percent error rate, but that's still plenty of room for damage to a good number of people, who may or may not have the time, energy and know-how to get things straightened out.

ChoicePoint's humbling at the hands of Nigerian data thieves and the drubbing handed to them by the press and public has pushed them to pay much more attention to consumer concerns and data security needs, instead of focusing solely on client and shareholder desires.

But there is still something of a laissez faire attitude towards the reams of data the company collects, repurposes, and resells. As long as that's the case, their work can do as much damage as good.

Any company that is a leader in its field takes more heat by advocates looking out for consumers and other special interests. ChoicePoint seems to realize that and is aware that, as long as the data brokerage industry exists, critics will demand greater accuracy, oversight, and transparency.

As I left, vice president of governmental affairs David Davis told me to "keep testing us." And I will. As long as companies are building data profiles of us that may determine our fates, we'll be watching them for every potential mistake they make.

Comments? Visit Martin Bosworth's Blog, Private Intelligence, to discuss privacy issues.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |