After the Breach, ChoicePoint Works to Rebuild Its Image and Security

July 19, 2005
Data broker mitigates its risk with voluntary actions, preempting a legislative response

ATLANTA -- The media scrutiny that surrounded ChoicePoint Inc. after it disclosed in February that thieves had accessed its massive database of consumer information has waned as even larger breaches have been exposed at other companies.

The Alpharetta, Ga.-based data broker's profits also have continued to grow, and its major customers seem to be staying put. In fact, the Internal Revenue Service last month awarded ChoicePoint a new $20 million contract to help the agency locate assets owned by delinquent taxpayers.

The company, which reported an 11 percent increase in profits in the first quarter, is expected to report more gains when its second-quarter results are announced Wednesday.

Investors, however, don't seem to be running back in droves - the company's stock price is still down more than 10 percent since the breach was announced. They could be waiting to see what ongoing investigations by the Federal Trade Commission and Securities and Exchange Commission reveal.

"There's an expectation that people be held accountable if they break the law or their fiduciary responsibility," said Bruce Simpson, an analyst with William Blair & Company in Chicago.

He added, "I don't think there's any evidence ChoicePoint broke the law. They are the victims of a fraudulent act. If the SEC comes back and says there's a violation, that's a different story, but as much as we know now, there wasn't any kind of law breaking going on."

ChoicePoint has been trying to regain the public's trust since it announced that thieves posing as small business customers gained access to its database, possibly compromising the personal information of 145,000 Americans. The breach was found in late September, but not publicly disclosed until mid-February. Authorities say at least 750 people were defrauded in the scam.

ChoicePoint collects data on individuals, including Social Security numbers, real estate holdings and current and former addresses. It has about 19 billion records, and its customers include insurance companies, financial institutions and federal, state and local agencies.

The company says it has taken several steps to ensure another breach of its database does not occur.

It has strictly limited the sale of consumer information to small businesses and has started re-screening some customers to make sure they are who they say they are. Since it started that process, it has turned away more than 200 potential customers. The company also plans to improve its procedures for screening prospective employees and it's working on a new consumer notification policy that will apply not only to states that require notification when there is breach, but also to other states.

ChoicePoint also hired Carol A. DiBattiste, former deputy administrator of the Transportation Security Administration, to be its chief compliance and privacy officer.

DiBattiste, who started at ChoicePoint in May, said the company is reaching out to customers to show them ChoicePoint is working to protect its database of information from intrusion.

"I believe the things that ChoicePoint is doing is getting through," DiBattiste said. "Consumers are taking notice. The others in the industry are taking notice."

The former federal prosecutor and Air Force undersecretary said her independence from the company - she reports only to ChoicePoint's board of directors - is a key to regaining public trust.

"I came in from the outside," said DiBattiste, who works out of an office in McLean, Va. "I don't know any of the people here."

While she wouldn't concede mistakes were made by ChoicePoint employees, DiBattiste said the company isn't making any excuses for what happened.

"Is the company sorry for what happened? Absolutely," she said. "Is the company trying to move forward and be an industry leader? Absolutely. Don't think for a minute we're not sorry for what happened."

The public is keeping a watchful eye on ChoicePoint's progress and that of other companies that maintain personal information. In the months since the ChoicePoint disclosure, other companies have also reported data breaches, including Bank of America Corp. and payment-processor CardSystems Solutions Inc. of Atlanta. The CardSystems incident left 40 million credit and debit card accounts vulnerable to hackers.

The ChoicePoint breach has fueled consumer advocates' calls for federal oversight of the loosely regulated data-brokering business, and Capitol Hill hearings were held on the issue. The company also is a defendant in several lawsuits and complaints arising from the breach. Authorities say at least 750 people were defrauded in the scam.

Lawmakers in Washington, too, are keeping an eye on ChoicePoint.

Rep. Ed Markey, D-Mass., a member of the House Energy and Commerce Committee, said he believes ChoicePoint is moving in the right direction, but only tougher laws involving the sale and distribution of personal information will provide consumers the safeguards they need.

"On the one hand it's good they have made some reforms," Markey said. "But ChoicePoint is still providing data such as Social Security numbers that I believe should not be bought and sold as commodities."

Markey noted that ChoicePoint's actions so far have been voluntary.

"They and other similar firms could reverse course," he said. "We need new federal legislation in this area, not merely voluntary policies that can be abandoned once public concerns have subsided."