Embattled personal data vendor ChoicePoint said on Friday that it will stop selling sensitive consumer data to many of its customers, except when that data helps complete a consumer transaction or helps government or law enforcement, the company said in a statement.
The company decided to stop selling sensitive data, such as Social Security numbers and driver's license numbers after being tricked into divulging personal information on about 145,000 people to identity thieves who posed as customers, according to a statement attributed to ChoicePoint Chairman and Chief Executive Officer (CEO) Derek V. Smith.
"These changes are a direct result of the recent fraud activity, our review ... of our experience and products, and the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without direct benefit to them," Smith said in the statement, which was posted on ChoicePoint's Web site.
From now on, ChoicePoint will only sell sensitive personal information to customers when the data is necessary to complete a transaction, to accredited corporate customers that will use the data for user authentication or fraud prevention, or to help federal, state and local government and criminal justice agencies, ChoicePoint said.
The move, which should be complete within 90 days, will eliminate a number of "information products" that the company now sells to its customers, especially small businesses, the company said.
ChoicePoint also said it is creating an independent office of credentialing compliance and privacy. The office will oversee ChoicePoint's overhaul of the company's customer credentialing process, which was blamed for allowing identity thieves to register as legitimate customers and order personal information, the company said in its statement.
Among other things, ChoicePoint is considering increasing the number of on-site visits it conducts when verifying customers, the company said.
ChoicePoint, of Alpharetta, Georgia, has access to about 19 billion public records, and the company reportedly has information on virtually every adult living in the U.S.
The company has been the focus of intense scrutiny and criticism since it acknowledged last month that identity thieves gained access to records and personal information on individuals in the 50 U.S. states, the District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands. Information provided by ChoicePoint has since been used in about 750 identity theft scams, according to the company.
Since disclosing the security breach, the company has been the focus of a U.S. Federal Trade Commission inquiry into its compliance with federal information security laws, a U.S. Securities and Exchange Commission (SEC) investigation into possible insider stock trading violations by its CEO and chief operating officer and lawsuits alleging violations of the federal Fair Credit Reporting Act and California state law, ChoicePoint disclosed in a filing to the SEC on Friday.
The mishap has also prompted calls for new federal legislation to protect consumers. U.S. Senator Dianne Feinstein, a California Democrat, introduced legislation called the Notification of Risk to Personal Data Act, which would require businesses and government agencies to notify victims when there is reason to believe a criminal obtained personal information.