You've probably never heard of ChoicePoint Inc.
But that doesn't mean ChoicePoint — the world's largest data broker — doesn't know you.
Filed away in its 19 billion records is a treasure trove of information about nearly every American, and millions of Canadians too. ChoicePoint, or one of its competitors, almost certainly knows if you've ever been convicted of a crime, sold a house, been caught speeding, borrowed money or filed for bankruptcy. It may even have shared that information with law enforcement authorities and companies that you deal with, including banks, insurers and credit card companies.
But the company's low-profile may have come to an end. A massive security breach earlier this month at ChoicePoint, based in Alpharetta, Ga., has prompted calls for tighter regulation of the fast-growing data mining industry, which critics say isn't doing enough to protect the privacy of individuals as it tries to satisfy business and government demand for this kind of information.
“To my mind, what bank robbery was to the Great Depression era, identity theft is to the information age,” said New York Senator Charles Schumer, who sits on the Senate banking and judiciary committees.
“Everyone's susceptible.”
ChoicePoint has acknowledged that it unwittingly sold the records of 145,000 people in 50 states to organized criminals, who then used the data to create hundreds of fake identities.
The company and the rest of the data mining industry is now the target of probes by U.S. federal and state authorities, plus two Congressional committees.
Major consumer credit rating agencies, such as Equifax, are covered by strict privacy laws in both Canada and the United States. But the dozens of companies that buy and sell consumer information and resell it to corporate and government clients in the United States and Canada, such as ChoicePoint, currently operate in a bit of a legal vacuum. While some of their activities are regulated, most are not, including their dealings with governments.
Complicating matters is a patchwork of sometimes conflicting national and local U.S. laws.
And because data brokers are virtually unknown to most consumers, potential victims have few options, privacy experts warned.
“Companies like ChoicePoint are trafficking in peoples' detailed information — information that can harm them,” complained Daniel Solove, a privacy law expert at George Washington University and an adviser to the Washington-based Electronic Privacy Information Center.
“For a long time, the industry has skirted under the radar screen. But now people want answers and it's going to be hard for Congress to ignore.”
The Senate judiciary committee has announced hearings into the ChoicePoint incident. In the House, energy and commerce committee chairman Joe Barton has ordered his staff to investigate the entire storage and security practices of the data mining industry.
Other industry players include Axium International, LexisNexis and WestLaw, a division of Toronto-based Thomson Corp.
Mr. Schumer, for example, singled out WestLaw for making available the social security numbers of millions of Americans, including those of U.S. Vice-President Dick Cheney and reality TV celebrity Paris Hilton, to certain corporate and government clients.
WestLaw insists that it closely guards social security numbers and that “fewer than 10” of its non-government clients might have access to this kind of information. It also pointed out that its internal controls exceed federal law and industry standards.
But privacy experts, such as Mr. Solove, said that even tighter regulation is needed.
The ChoicePoint case, for example, might never have come to light. But California law requires data brokers to notify consumers of potential problems. U.S. Senator Dianne Feinstein of California is sponsoring a bill that would make the requirement effective nationally.
ChoicePoint is voluntarily notifying 145,000 individuals in all 50 states whose information wound up in the hands of criminals. The company has also pledged to “recredential” all of its small business customers and limit access to social security and drivers' licence numbers.
Another bill sponsored by Florida Senator Bill Nelson would put all data brokers under the umbrella of the Fair Credit Reporting Act and the Federal Trade Commission.
Mr. Schumer and others are pushing for much broader regulation.
Right now, Mr. Solove argued, consumers are at a distinct disadvantage. Their data is being shared between parties without their knowledge, there's lax security and they have no ability to correct mistakes.
Any new law should make notification of security breaches mandatory, limit use of social security numbers, impose controls on brokers and provide compensation to victims of ID theft, said Mr. Solove, author of the book, The Digital Person.
“We're living in a world where companies are assembling digital dossiers about our lives, complete with patterns of behaviour, and then making judgments about us,” he said.
