It’s been a year since Choicepoint fumbled their disclosure that Nigerian con man Olatunji Oluwatosin had bought personal information about 160,000 Americans. Bob Sullivan broke the story in “Database giant gives access to fake firms,” and managed to presage much of what’s happened in the opening paragraphs of his story:
Last week, the company notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by “unauthorized third parties,” according to ChoicePoint spokesman James Lee.
California law requires firms to disclose such incidents to the state’s consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area.
Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.
I raised the question of other states the next day on a panel at the RSA Conference, and have been getting mileage out of Choicepoint and breaches ever since. I’d like to take a moment to look back at what’s happened, what we’ve learned, and yes, to honestly thank Choicepoint for the dramatic changes in international privacy law and norms that they’ve brought about. Derek Smith, Choicepoint’s CEO, had been fond of calling for a national debate. I don’t think he anticipated the answers that debate has produced.
- The first result of the debate is 20 new laws, as summed up by the National Conference of State Legislatures. These new laws, and the breaches that we learn about because of them, are an important window into the true and pathetic state of data security.
- Remarkably, we have no new law which is explicitly about limits on collection, use, or accuracy of data held by businesses. When I say explicitly about, I mean a law such as Dan Solove and Chris Hoofnagle have laid out in “A Model Regime for Privacy Protection.” I’ve discussed such things much more briefly in “New American Privacy Law: What Could it Say?”
- Those laws, and the new expectation of disclosure, have led to enough data coming out that it can be analyzed. What’s more, analysis, mostly by the Ponemon Institute, has helped define how to disclose these issues.
- Choicepoint stock has still not recovered, despite a plethora of actions designed to boost it, including stock buybacks. The largest fine ever imposed by the FTC didn’t help. Choicepoint, despite the increased brand recognition, also faces increased scrutiny, as I discussed in “Cost of Breaches,” and the Bode cancellation, mentioned in the November 7th “Choicepoint Roundup.”
- Speaking of stock, the SEC investigation into insider trading by Choicepoint executives continues.
- To improve their reputation, Choicepoint has stepped up their internal audit processes, annoying some customers, as discussed in “CounterTerroristm and Bureauracy.”
- In “Why Choicepoint Resonates,” I analyzed the news story, and am both happy with my analysis, and note that Choicepoint really should have talked to their trademark attorneys when I told them to, in “Cardsystems and Choicepoint.”
- Finally, due to certain irregularities arising from background checks, “Choicepoint’s acquisition of Emergent Chaos” has been cancelled.
And so, for all these things, a hearty thank you to Choicepoint.