Law Prompts Company To Disclose Data Breach
ChoicePoint to notify thousands more about identity-theft threat
In its privacy statement, ChoicePoint Inc. says it's "dedicated to protecting the privacy of individuals," which includes "strict standards regarding the use and dissemination of personal information."
Yet such dedication is exceeded only by the determination of identity thieves who, by setting up some 50 fictitious businesses, duped the data-aggregation company into granting them access to 145,000 consumer-data profiles it maintains among its store of roughly 19 billion records.
In Los Angeles County Superior Court last week, a Nigerian national who participated in the scheme was sentenced to 16 months in state prison. ChoicePoint was alerted to the breach in October, but some 35,000 California consumers didn't realize they were potential victims until they received a letter about the breach from ChoicePoint last week.
Disclosure of the incident was required under California's SB-1386, which took effect July 1, 2003. Under the law, any person or company that does business in California and owns electronic data containing personal information must disclose a data security breach to California residents whose unencrypted personal information may have been accessed by an unauthorized person. The encryption qualifier matters: the notification duty attaches only to unencrypted data. While the extent of the fraud arising from the incident may not be known for months, ChoicePoint said it would send out 110,000 more notifications to individuals outside California, whom the California law does not cover.
"That's certainly good practice, and most responsible companies are going to do that, if for no other reason than to mitigate any damages that might result," says Kevin Lyles, partner in the privacy practice at law firm Jones Day. Another privacy-related law, the Health Insurance Portability and Accountability Act, requires organizations to ameliorate damages as a result of security breaches, and there are similar provisions in the Gramm-Leach-Bliley law, Lyles says.
ChoicePoint has since intensified its privacy efforts, a company spokesman says. "We're being much more stringent in our requirements about who customers are, and making them prove they're a legitimate business," he says.
The incident and its required disclosure should serve as a wake-up call to IT departments, says Randolph Kahn, a consultant in IT-related legal compliance issues. ChoicePoint's IT systems weren't broken into; the thieves posed as legitimate customers and were granted access through the normal account-approval process. But companies that do business in California would have to follow the same notification steps if a breach resulted from unencrypted information or unsecured systems. "The only [entity] that can correct or prevent the problem is the IT department," Kahn says.
Consumers Union, a nonprofit testing and information organization that publishes Consumer Reports, is pushing for laws that would require all companies to inform customers nationwide of data breaches. "That will help consumers to protect themselves but also will create a business environment that encourages more investment in security," says Gail Hillebrand, senior attorney for Consumers Union.
Many oppose a legislative approach to the problem. California state Sen. Debra Bowen's effort last year to expand the data-breach notification requirement to cover disclosures of data in any form, not just electronic data, was voted down amid lobbying by business groups such as the California Chamber of Commerce and the American Electronics Association.
While data breaches often lead to calls for federal legislation, companies such as ChoicePoint already have a strong incentive to protect data, says Quinn Jalli, director of privacy and ISP relations at e-marketing company Digital Impact Inc. "As we saw with spam, legislation isn't going to solve the problem."