TMCnet News
ChoicePoint recovery(Atlanta Journal-Constitution, The (KRT) Via Thomson Dialog NewsEdge) Feb. 12--At first it was just an intriguing headline from California: Scammers had used fake names and posed as small-business owners to buy consumer data from a suburban Atlanta company called ChoicePoint. The firm initially said only Californians' records were exposed. But it quickly had to admit the scammers could have accessed records, including driver's license and Social Security numbers, of more than 145,000 people nationwide. That's the sort of information identity crooks use to get loans or credit cards. The revelations instantly turned ChoicePoint into a poster child for concern over the security of personal data that flows through the American economy in ever-growing quantities. A year later, Alpharetta-based ChoicePoint is quietly trying to put the episode in the past and keep growing its business of collecting and selling data for background checks and other verification purposes. Its sales pushed past $1 billion in 2005, although profit fell on costs related to the episode. ChoicePoint says the only business it lost was from small clients it no longer serves as part of internal changes to prevent future scams. Late last month, it agreed to a $15 million settlement with the Federal Trade Commission over issues raised by last winter's disclosures. The company gets at least grudging praise from some former critics -- although they still voice concerns over the general issue of data security. "Before these breaches, [ChoicePoint] set a low bar for membership," said Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center. Even before last year's revelations, his group had filed federal complaints about ChoicePoint's client screening. Now, he said, "ChoicePoint has made reforms that other companies have been unwilling to make. For instance, ChoicePoint has restricted the sale of Social Security numbers. ChoicePoint's competitors still sell full SSNs. It's also apparent that ChoicePoint is more carefully screening its clients." Larry Ponemon, who runs an information security group called the Ponemon Institute, said ChoicePoint looked bad a year ago as details of the scam shifted and executives initially appeared non-responsive. "There was a lot of disorganization in the beginning and floundering about," he said. "I kept wondering why the stories coming out of the company were so inconsistent." But he agreed that ChoicePoint has changed. "It's not because of altruism," he added. "They can't afford to have a brand meltdown over this again." Other observers, from the Georgia attorney general to financial analysts, say much the same. They also say the episode served notice to other firms that collect consumer data, either to resell or simply in the course of doing business. "I think companies are going to be more careful about information leaks and who they sell data to because of all that," said Steven Biggs, who follows ChoicePoint for Zack's Investment Research. A personal view Bruce Chilumuna's view of ChoicePoint is a little more personal. The Atlanta man was one of the 145,000 or so consumers, including about 2,800 Georgians, who got notices from the company that their records were exposed to the scammers. He was more disappointed than angry, he said. "Someone came to me about a class-action lawsuit against them, and I said I wasn't interested." Still, things aren't better as far as he is concerned. After the ChoicePoint notice he got four others that consumer records had been exposed to criminals. One was from DSW Shoe Warehouse, a company whose credit card database was compromised after the ChoicePoint episode. "I think things have actually gotten worse," he said. "I think we have gotten complacent again. I just trashed a letter that said my information was compromised. This is happening on a regular basis. It's becoming like normal." Chilumuna had a credit alert put on his account, but he said it's never come up when he's made purchases, including when he took out a $30,000 car loan. Hoofnagle agrees that problems remain. He said some companies have found ways to avoid new laws in almost two dozen states -- including Georgia -- that require consumers be notified if records are illegally accessed. At the time of the scam against ChoicePoint, only California had such a law, and only when the company notified consumers in that state did the media and public learn of the matter. "There are some tricks that a business can employ to avoid the legal definition while not eliminating the risk of identity theft," Hoofnagle said. Most state laws call for notification after criminals get records including three things: name, driver's license number and Social Security number. "By keeping the Social Security numbers, driver's licenses and names in completely separate databases, a breach of one doesn't trigger the notice requirement," Hoofnagle said, "despite the fact that stealing a database of SSNs should be considered a security risk." Privacy chief added ChoicePoint doesn't use such tactics, said Carol DiBattiste, chief privacy officer. Hiring DiBattiste, formerly deputy administrator at the federal Transportation Security Administration and a former federal prosecutor, was one of ChoicePoint's first moves after the database breach became public. Privacy experts say it was a good start. She said the timing gave her a lot of internal clout to tighten up practices. "But -- and this is repeatedly misunderstood out there -- the company had already put many of the security measures in place" before her hiring, she added. Derek Smith, ChoicePoint's chief executive officer, admits that the year has been a trying one personally and for the company. In a 10-minute interview last week at ChoicePoint headquarters, he said he believes the company is better for it. "It gave us an opportunity to find out who we are going to be, to be a leader in the industry, to do the right thing for consumers," he said. "Today, ChoicePoint is a substantially better company than it was." Smith also noted that the company's customers stuck with it during hard times, and its financial results bear evidence. ChoicePoint had record sales of $1.1 billion for 2005, up 15 percent from 2004. For the fourth quarter of 2005, it had a profit of $27.7 million, or 30 cents a share. That's 29 percent lower than year-before earnings of $39.2 million, or 43 cents a share. Most of that 29 percent change came from one-time costs related to the database breach. The FTC settlement includes the agency's largest-ever civil penalty -- $10 million -- and a pledge to create a $5 million fund that will be used to reimburse consumers who lost money because of the crime, and to fund further security measures. The FTC said the fine's size resulted in part from the fact that ChoicePoint had earlier warnings that its data marketing might make it vulnerable to illicit purchases. ChoicePoint did not admit wrongdoing as part of the settlement. Some questions remain. Other issues remain open. Both Smith and Doug Curling, the company president, still face a Securities and Exchange Commission investigation into their stock sales between the time the company learned of the scam in late 2004 and the time it became public in February 2005. ChoicePoint contends there was nothing improper about the transactions, which were carried out on a preset schedule approved by the company's board. They involved some $20 million worth of shares. The company's stock sold for close to $45 a share when last winter's revelations hit. It quickly dropped into the high $30s for a time and then gradually rebounded. Shares closed Friday at $43.50. The company also is on probation imposed by the Georgia insurance commissioner's office, which last winter ordered it to institute internal reforms to better safeguard its database. Failure to comply could have barred ChoicePoint from doing business with insurance companies in Georgia, a significant business segment. ChoicePoint representatives recently said the company believed the probationary period had ended after a recent meeting with John Oxendine, the commissioner. However, Oxendine said last week that "probation has not been lifted ... they are anticipating, they are hoping." Oxendine said his legal staff is considering a request from ChoicePoint to lift the probation order, adding: "I think ChoicePoint has pretty well set an industry standard for security of this data. I think they've completely reformed." Some of the open questions go back to the scam, which took place in the Los Angeles area. Both ChoicePoint and the L.A. County district attorney's office have maintained that several scammers were involved in the original incident. But only one person, Oluwatunji Oluwatosin, has been arrested. He pleaded guilty in December to conspiracy and grand theft. ChoicePoint said it knows of only 16 people who were actual victims of the scam, although FTC officials suggest that number could be several hundred, and prosecutors in California say the scam cost banks millions as they protected consumers from bogus credit card charges. Oluwatosin on Friday was sentenced to 10 years in state prison. Jane Robinson of the L.A. district attorney's office said authorities still think more people were involved in the crime. "It could be a while before we make a case, but we will make a case," she said. |