ChoicePoint's error sparks talk of ID theft law

David Bernknopf, a ChoicePoint spokesman, disagreed that the California law is the only reason potential victims learned of the problems. The company first notified the sheriff's office in Los Angeles County in October of the possible data leak because ChoicePoint believed the problem started there, he said.

In November, California law enforcement authorities asked the company not to publicize the problems because of an investigation, and it wasn't until January that investigators identified potential victims in California, Bernknopf said. This month, California authorities notified the company that additional victims outside California existed, and the company then began notifying those people, he added.

It's still not entirely clear how the ID thieves got access to ChoicePoint's data, Bernknopf said. Authorities believe it was the work of a group of people who used IDs stolen from legitimate businesspeople to set up phony businesses that contracted with ChoicePoint for ID checks, Bernknopf said. Among other services, ChoicePoint provides background check documents for businesses and government agencies hiring workers.

"They didn't use their own names as chief executive officers of these companies," Bernknopf said of the fake company scam.

The ID theft "fraudsters," as ChoicePoint calls them, sought names, addresses, Social Security numbers, driver's license numbers, credit reports and public information such as bankruptcies, liens and professional licenses, according to the company.

ChoicePoint remains unsure of how many people will be affected by the scam because the company doesn't know the extent of the thieves' ability to use the personal data, Bernknopf said.

ChoicePoint welcomes congressional hearings about protecting consumer data, Bernknopf added. Company Chairman and Chief Executive Officer Derek Smith, in two books published in 2004, argues that U.S. residents can achieve an acceptable balance between security and civil liberties, although he has also criticized privacy advocates as being paranoid.

"Each of us has a right to privacy; however, none of us have a right to absolute anonymity," Smith said in a statement on his company's Web site.

Smith and his company have also suggested a national debate on privacy and ID theft is needed. "ChoicePoint has brought attention to this issue, because it's the right thing to do," Bernknopf said.

But EPIC has long criticized ChoicePoint for its massive collection of information of innocent people. In December, EPIC called for a U.S. Federal Trade Commission investigation of ChoicePoint, saying the company has skirted Fair Credit Reporting Act rules designed to ensure that credit reports are accurate. EPIC contends that many of the records ChoicePoint sells to law enforcement agencies and financial services companies should fall under the fair-credit rules and be subject to review by the people who are the subject of those records.

Smith, in a letter to EPIC, called the group's charges an "inaccurate, misdirected, and misleading attack."