Monday, February 28, 2005

Commentary on ChoicePoint

Scott Bradner (a consultant with Harvard University's University Information Systems) recounts in NWFusion what are, in his view, the failings of ChoicePoint brought to light in the latest incident and hopes that it will lead to national mandates to protect personal information:

Dumber decisions - safer world?:
  • "The company's validation procedures for permitting access to its databases were clearly inadequate. Maybe the company decided that it was too expensive to do things correctly - for example, by visiting all companies before granting access?
  • ChoicePoint didn't tell any of the people whose data was stolen that they were at risk for identity theft for almost five months. The company said it was the cops who didn't give a hoot about warning people that their good names were in imminent danger and told ChoicePoint not to tell anyone. Maybe, but ChoicePoint's later actions indicate that it was not exactly eager to do what was right.
  • When ChoicePoint finally admitted that something had happened, the company downplayed it and said that the only people who were at risk were 35,000 or so Californians. Perhaps not coincidentally, California by law is the only state where people whose private information is exposed by such breaches must be notified.
  • Only after considerable pressure, including a letter from 38 state attorneys general demanding that people at risk in their states also be notified, did ChoicePoint belatedly say it would send letters to 110,000 additional people. (One wonders if the attorneys general of the other states think that identity theft is OK.) Since that expansion, there have been news reports that the number of people whose data was accessed might exceed 500,000.
  • ChoicePoint includes information that it doesn't need to in the reports it provides - such as a Social Security number in its personal property and personal auto reports (samples of which are on the company's Web page). I understand the company might want to include the ability to look someone up using a Social Security number, but I don't understand why "
