ChoicePoint Data Stolen By Imposters

swight1701 writes "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen. The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties." No obvious notice appears to be on their website."

Ineptness to the point of being evil

[Eric+Smith]

The MSNBC article quotes the consumer notification:

You should continue to check your credit reports frequently for the next year.

If I get the notification, I'm going to request that ChoicePoint pay the costs for me to subscribe to unlimited credit report access from all three credit bureaus. IIRC, that costs about $100/year for each bureau. Since it's ChoicePoint's screwup, I shouldn't have to pay the costs necessary for early detection of fraud in my credit report.

The article further quotes ChoicePoint spokesman Chuck Jones:

But ChoicePoint has no way of knowing whether anyone's personal information actually has been accessed

Why the hell are they allowed to keep a dossier on me if they don't have any mechanism in place to allow them to track how it is used and by whom? This is insane!

The correct solution to this problem, IMNSHO, is for the courts to determine that personal, financial, and credit records relating to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL, and may not be provided to any other party without the owner's explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.

Re:Ineptness to the point of being evil

[LostCluster]

The correct solution to this problem, IMNSHO, is for the courts to determine that personal, financial, and credit records relating to an individual are the COPYRIGHTED PROPERTY OF THAT INDIVIDUAL, and may not be provided to any other party without the owner's explicit consent. Not a blanket consent to provide the data to anyone inquiring, but specific consent to provide it to XYZ Corporation.

Courts aren't going to help you with that at all. The copyright on information belongs to the writer, not the subject of the piece. Just think what your copyright concept would do to the news media...

Re:Ineptness to the point of being evil

[yog]

This is really scary.

The thing that bothers me is that some data is unchangeable, e.g. US social security #, date of birth, and mother's maiden name. Once it's out there, you're screwed.

Once someone has this data they can really do a number on you because that's all most commercial sites seem to require in terms of validation. They can take out credit cards in your name, perhaps even access your bank account if they have access to your checking account number.

I think that eventually, and unfortunately, there's gonna have to be a law. No organization except the social security administration should be allowed to store our SS #, for example. Heck, at the rate things are going, they may have to start allowing people to change their SS # to start fresh.

A friend never allows her SS # to be used for anything. Not banks, not schools, not health insurance. They squawk and scream and threaten and she stands firm. No, she says, you can't have it. It's only for her retirement, not for generic identification purposes. So far she has successfully evaded spreading her most precious identifying information all over the internet in god knows how many incompetently coded and poorly safeguarded databases. Massachusetts also allows one to use a generated code instead of SS # on drivers licenses.

This thing is really out of hand. Of course, it's going to cost credit card companies millions of dollars when bogus bills start bouncing, and that's probably when the powers that be finally wake up and address the problem.

Re:Ineptness to the point of being evil

[Riddlefox]

Very insightful, and I agree that we need a legal principle that personal information belongs to the individual--but I think we should go farther. I think we should require that the personally-identifiable personal information only be stored on the computer of the person who owns it--and that the authorities need to show probable cause and get a search warrant before they have any acces to it. However, a lot of it should be covered under the Fifth Amendment, too.

Just out of curiousity, how do you propose that I store personally identifiable information such as my name and address on a computer owned by me when I wish to make a purchase online? How can I have my paycheck electronically deposited into my banking account if my employer can't store my personal information? How is H&R Block going to prepare my taxes for me if they can't enter any of my information on a computer that I don't own? Am I going to have to tell Netflix my name and address and credit card info every single time I want another movie?

if i *accidentally* ...

[GNUALMAFUERTE]

Run over someone with my car, i am responsable, and it's a crime. Even if i didn't mean to.

Companys should be held responsable for the data they hold.

Re:if i *accidentally* ...

[ScrewMaster]

More importantly, they should be held responsible for what happens to people when that stored information is stolen or otherwise misused. And if the punishing of that company for its negligence forces it out of business ... tough. It simply isn't enough to say, "Sorry, and oh, by the way, we've implemented some new security policies so this shouldn't happen again. We hope. Once again, sorry for the inconvenience." Really, it's more akin to collecting all kinds of flammable and explosive materials and storing them in a rickety old warehouse in the middle of a populated area. You shouldn't be able to get off with an apology and a promise to do better when that warehouse explodes, flattens the nearby buildings and kills a bunch of people.

Does that sound like an extreme example? Perhaps it is. But lives can be shattered in other ways besides being blown to bits. And I'm sure there will be a few deaths involved, as people with medical conditions suddenly find themselves without means, because some identity thief just bought himself a brand new house at their expense. No, the Information Age is proving to carry some serious risks, and those risks are largely due to cavalier treatment of personal data.

I'm not sure what it will take before some standards are put in place, with appropriate penalties for failure to maintain them. Probably won't happen now, with "tort reform" on the way and limits being placed on class-action lawsuits. Certainly not in the corporate-friendly period we find ourselves in. Hell, the government can't even enforce quality-of-service standards on the damn phone companies anymore. But at some point, enough people (enough voters) are going to get hurt by this problem that something will have to be done. The only question is whether the cure will be worse than the disease.

The real problem here isn't the break-in...

They say "Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc."

If the data was that critical and personal, why was it available to "legitamate businesses" in the frist place?
Are a set of articles of incorporation and a pile of money all I need to 'legitimately' access "databases of background information on virtually every U.S. citizen"?

Re:So who ELSE is affected!?

[LostCluster]

They're only telling the California residents because only California has a state law that requires notification... sound like a law that needs to be passed in 49 other states.