Fix It YourselfBy John McCormick | Posted 2005-06-14 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Steven Calderon was into his second week working as a security guard for Fry's Electronics when Anaheim, Calif., police walked in and arrested him. Fry's had requested a background check on Calderon, which was done by The Screening Network, a service of C
Fix It Yourself
ChoicePoint says the building blocks of its business are data, analysis and distribution—and the company's most publicized failing of late has been in data distribution.
California law requires companies to notify residents if their personal information is compromised. ChoicePoint in February sent letters to the 35,000 Californians affected by last year's breach to tell them that someone unauthorized "may" have accessed their data.
One recipient of the letter, a Los Angeles nurse named Elizabeth Rosen, contacted a law professor, a reporter at MSNBC and an attorney with EPIC.
"I had never heard of ChoicePoint," Rosen says. "I didn't know if I should be concerned."
The thieves did not breach ChoicePoint's databases—they signed up for a ChoicePoint service called AutoTrackXP using fake identification and business licenses.
AutoTrackXP is a search service for law officers, collection agents and others looking to track people down. According to the company's Web site, with nothing more than a name or Social Security number, a customer can search for identity information, the names of relatives and associates, property records and deed transfers. AutoTrackXP searches billions of records in national and state databases for summary assets, licenses and criminal records, and compiles the information into reports.
ChoicePoint says it has tightened its procedures for selling products containing sensitive personal data like Social Security and driver's license numbers—for example, the credentials of all small-business customers are being reviewed. As a result, the company expects to lose $15 million to $20 million in revenue this year.
Rosen is not comforted. As of mid-May, she said she still didn't know exactly what, if any, of her data ChoicePoint sold to the Nigerians.
But, to Rosen, perhaps just as shocking as the possible data theft was the number of inaccuracies on her ChoicePoint report. Five of the report's six pages contained repeated errors.
For example, she was incorrectly listed as an officer of a Texas company that went bankrupt and as a deli owner. Her nursing licenses in California and New York were omitted.
"[They told me] to call each source of information, get them to change it and submit the corrected information to ChoicePoint," she says. "I said, 'You've got to be kidding.'"
ChoicePoint itself points out all the errors that can come out of AutoTrack. A sample report posted on its Web site indicates that partial birth dates, typos, bad Social Security numbers and a half-dozen other mistakes are all possible.
ChoicePoint, however, argues that this is a search service—a tool for investigators looking to find out who lives at an address or to locate a witness. The service does not fall under FCRA guidelines. And customers who use the service are aware of its limitations, Curling says.
In May, the California Senate passed a bill that would allow residents to see files kept on them by ChoicePoint and other data brokers, and to correct any inaccuracies and to know who requests information about them. One obstacle for people like Rosen who want to see and correct their data is that ChoicePoint doesn't keep static reports on people—it conducts fresh public records searches as they're requested.
But ChoicePoint's McGuffey adds that the company is thinking about how to accommodate requests like Rosen's. Meanwhile, Congress is also considering several bills, including ones similar to California's notification law.
ChoicePoint's carelessness with Californians' data hasn't stopped the company and the state from doing business, however. On April 22, ChoicePoint announced an $845,500 contract with the California Department of Justice to build a "distributed network" so the state's criminal intelligence analysts can assess information without relying on a central database. The state attorney general's office, which is simultaneously investigating ChoicePoint for the security breaches, says the network will tie together various public and private databases, but ChoicePoint won't be handling the data.
Not Just Security, But Accuracy 'Serious' Errors are Common Data Customers Pay the Costs Collecting Data Without Garbage Filters Records 'Full of Inaccuracies' Crap In, Crap Out Fix It Yourself No Way to Check ChoicePoint Data at a Glance