February 18, 2005
Douglas C. Curling,
President and COO
1000 Alderman Dr.
Alpharetta GA 30005
Dear Mr. Curling,
We are writing to you regarding the extraordinary news this week that Choicepoint sold personal information on at least 145,000 Americans to a criminal ring engaged in identity theft.
You will recall that we exchanged letters in January after EPIC had urged the Federal Trade Commission to investigate your company and other commercial data brokers. We had specifically raised questions about the adequacy of your auditing procedures. You wrote to me to dispute our charges and to suggest that there was no reason for the FTC to pursue the matter.
We replied, before the news of the past week, that it was clearly appropriate for the Federal Trade Commission to determine whether your company complied with the Fair Credit Reporting Act and also that it would be necessary to update federal law to take account of new business practices.
We understand now, according to the report in the Wall Street Journal today and other sources, that the following events have occurred:
- There was no hack or computer breach. Your company, Choicepoint, sold the data for fees of $100 to $200. The data included addresses, phone numbers, and social security numbers.
- The account holders then made unauthorized address changes on at least 750 people, according to California police.
- Choicepoint was aware in October 2004 of the problem when you found the 50 accounts that were fraudulent
- Investigators believe data on up to 400,000 individuals may have been compromised
You initially notified 30,000 to 35,000 California residents of the heightened risk of identity theft because of the legal obligation established in that state. We understand that you have recently agreed to notify at least 110,000 people outside of the state of California whose information you wrongfully sold to a criminal ring. We support this decision. Even though Choicepoint was not required to make this disclosure, we appreciate the importance of warning American consumers that they are at a heightened risk of identity theft.
Now, we are writing to urge you to make available to the 145,000 people the information that was sold by your company last fall to the crime ring. It is not only a matter of fairness, but also a critical public safety concern that these individuals have in their possession the same information about them that you gave to criminals.
Choicepoint should send letters to all people affected and allow them to obtain copies of their files and find out all of the info Choicepoint has about them. Choicepoint should allow every person to have access to all records and data that you maintain about them and to receive all reports for free by making just one request.
In defense of your business, you wrote to us in your December 29, 2004 letter:We also provide consumers with information about the sources of our reports so they can go to the original source to correct errors. Correction at the source is vital because other information vendors may also collect and report the same records. However, if the error is our responsibility, we correct the error in our records.Given the recent developments, it is obvious that Choicepoint should provide consumers with the information that you provided to criminals. Choicepoint's audit logs should be able to determine what information was sold, and the legal purpose that the criminal cited to access it.
We also urge you to disgorge the funds that you obtained from the sale of the data and make these funds available to the individuals who will suffer from identity theft as a result of this disclosure. At the very least, you could make these funds available to individuals who may be at heightened risk of identity theft so that they can obtain copies of their credit reports.
Finally, we believe that your recent security breach demonstrates the profound importance of having the Choicepoint AutoTrackXP and Customer Identification Programs databases regulated by the Fair Credit Reporting Act.
We look forward to hearing form you regarding these requests.
EPIC Senior Counsel
Prof. Dan Solove
George Washington University Law Center
Cc:FTC Chairwoman Deborah Majoras
FTC Commissioner Orson Swindle
FTC Commissioner Pamela Harbour
FTC Commissioner Jonathan Leibowitz
FTC Commissioner Thomas Leary
House Commerce Committee Chairman Joe Barton
House Commerce Committee Ranking Member John DingellSenate Commerce Committee Chairman John McCain
Senate Commerce Committee Ranking Member Daniel Inouye
EPIC Privacy Page | EPIC Home Page
Last Updated: February 22, 2005
Page URL: http://www.epic.org/privacy/choicepoint/reply1.5.04.html