Embattled personal data vendor ChoicePoint said on Friday that it will stop selling sensitive consumer data to many of its customers, except when that data helps complete a consumer transaction or helps government or law enforcement, the company said in a statement.
The company decided to stop selling sensitive data, such as Social Security numbers and driver's license numbers after being tricked into divulging personal information on about 145,000 people to identity thieves who posed as customers, according to a statement attributed to ChoicePoint Chairman and Chief Executive Officer (CEO) Derek V. Smith.
"These changes are a direct result of the recent fraud activity, our review ... of our experience and products, and the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without direct benefit to them," Smith said in the statement, which was posted on ChoicePoint's Web site.
From now on, ChoicePoint will only sell sensitive personal information to customers when the data is necessary to complete a transaction, to accredited corporate customers that will use the data for user authentication or fraud prevention, or to help federal, state and local government and criminal justice agencies, ChoicePoint said.
The move, which should be complete within 90 days, will eliminate a number of "information products" that the company now sells to its customers, especially small businesses, the company said.
ChoicePoint also said it is creating an independent office of credentialing compliance and privacy. The office will oversee ChoicePoint's overhaul of the company's customer credentialing process, which was blamed for allowing identity thieves to register as legitimate customers and order personal information, the company said in its statement.
Among other things, ChoicePoint is considering increasing the number of on-site visits it conducts when verifying customers, the company said.
ChoicePoint, of Alpharetta, Georgia, has access to about 19 billion public records, and the company reportedly has information on virtually every adult living in the U.S.
The company has been the focus of intense scrutiny and criticism since it acknowledged last month that identity thieves gained access to records and personal information on individuals in the 50 U.S. states, the District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands. Information provided by ChoicePoint has since been used in about 750 identity theft scams, according to the company.
Since disclosing the security breach, the company has been the focus of a U.S. Federal Trade Commission inquiry into its compliance with federal information security laws, a U.S. Securities and Exchange Commission (SEC) investigation into possible insider stock trading violations by its CEO and chief operating officer and lawsuits alleging violations of the federal Fair Credit Reporting Act and California state law, ChoicePoint disclosed in a filing to the SEC on Friday.
The mishap has also prompted calls for new federal legislation to protect consumers. U.S. Senator Dianne Feinstein, a California Democrat, introduced legislation called the Notification of Risk to Personal Data Act, which would require businesses and government agencies to notify victims when there is reason to believe a criminal obtained personal information.
Information on the ChoicePoint data theft became public only last month, after the company was compelled by California law to notify about 35,000 of the state's residents that their data had been exposed to identity theft. However, ChoicePoint has known about the theft since last September, but did not notify consumers, citing an investigation by law enforcement.
Public outcry forced ChoicePoint to strike a deal with 19 state attorneys general to notify the remaining 110,000 people whose data could have been exposed.
ChoicePoint supports a national dialogue about how public records information should be used and supports increased penalties of intentional misuse of personal information, said Kristen McCaughan, a company spokeswoman.
The company also warned investors on Friday that the expected changes to its business, and continued fallout from the identity theft revelations, will hurt its bottom line in 2005.
ChoicePoint expects the changes to cut between US$15 million and $20 million of revenue ($0.10 to $0.12 per share) in 2005, not including $2 million that the company will spend purchasing credit reports and monitoring services for consumers affected by the theft, as well as legal, consulting and technology expenses related to the incident, the company said.
ChoicePoint's error sparks talk of ID theft law, Feb. 23, 2005
US officials push ChoicePoint on ID theft notifications, Computerworld (US online), Feb. 18, 2005