In August, the police in Corona, Calif., got a surprising phone call. The caller said an auditor needed to examine the department’s facilities and take pictures inside.
To the security-conscious police, the photo demand seemed ridiculous, especially given its source: the data broker ChoicePoint, one of the department’s information suppliers. A Corona crime analyst refused the request and asked to speak to a ChoicePoint supervisor.
She never heard back.
The episode reveals the delicate balance ChoicePoint is trying to strike as it recovers from a staggering identity-theft scandal in which con artists posing as customers accessed personal information on 145,000 Americans.
As it seeks to show iron resolve against fraud, the data giant is struggling not to alienate key customers in the process.
Indeed, the Alpharetta, Ga.-based company has cut off some customers entirely, including debt collectors and other small businesses that once were able to obtain full background reports on people from ChoicePoint.
Other customers — including news organizations such as The Associated Press — are finding the last four digits of Social Security numbers masked in ChoicePoint reports.
Such moves — which have won praise — are expected to trim company revenue by up to $20 million a year and earnings by up to 12 cents per share. (Overall, ChoicePoint earned $1.62 per share in 2004 on sales of $884 million.)
Meanwhile, customers who still get access to the most sensitive data, including driver’s license numbers, are being subjected to site visits and other audits to ensure they are who they say they are — even if those customers are the police.
In fact, the company recently discovered that an unauthorized Miami police officer had used someone else’s log-in and password to mine ChoicePoint records. The officer was relieved of duty.
Law enforcement accounts for 5 percent of ChoicePoint’s revenue — most sales come from companies that use ChoicePoint to assess job, insurance or other consumer applications — but it is a high-profile segment, often touted by the company as proof that society benefits from its amassing of so much data on individuals. The FBI alone queried ChoicePoint files 1.2 million times last year.
Private investigators also are being subjected to new scrutiny.
ChoicePoint stumbled early in the crackdown when representatives called many private eyes and asked them to fax over personal and professional information about themselves, according to Brian McGuinness, a Miami investigator who heads the National Council of Investigation and Security Services.
“That was kind of ill-conceived,” he said. “You’re asking these investigators who are very aware of scams to send this sensitive information to some number,” without first sending a letter or other confirmation the call was legitimate.
Some riled private eyes called for a ChoicePoint boycott. But ChoicePoint responded by clarifying the process, McGuinness said.
Other investigators see the aggressive audits as an overreaction or a public-relations ploy.
Cynthia Hetherington, a private investigator in New Jersey, had to send ChoicePoint a copy of her investigator’s license twice. The company agent also wanted bank-account information “and stuff that has nothing to do with my credentials or the nature of my business.”
“It’s absolutely intrusive,” she said.
Hetherington remains a ChoicePoint customer, but she and many other investigators are quick to note rival providers with fewer hassles.
Indeed, when ChoicePoint stopped selling detailed background reports to debt collectors, there were plenty of other options, said Ramona Featherby, who runs a San Diego collection firm and is president of the California Association of Judgment Professionals. She cited such names as Merlin Information Service, LexisNexis’ Accurint, LocatePlus and Westlaw.
“They have taken a sledgehammer to the ant … [by] cutting off databases from one industry entirely, no matter how long they’ve been in business, no matter how pristine their record,” Featherby said of ChoicePoint.
After ChoicePoint called for interior pictures of the Corona police department, discussion ensued in an online forum frequented by law-enforcement personnel.
Carol DiBattiste, ChoicePoint’s new privacy and compliance officer, responded to the group in a message that dismissed the story.
“While the requirement for site visits is true, contrary to rumors, ChoicePoint is not performing site visits that require photographs or access to sensitive facilities,” she wrote.
But the photo request was no mere rumor. DiBattiste acknowledged that ChoicePoint’s checklist for site inspectors did include internal photos.
But she said she ordered it not apply to customers in government and law enforcement because photos could endanger the offices’ security.
Apparently, she said, the Corona police got their call before the policy had been rescinded. She said she did not believe any police agencies actually had the inside of their offices photographed, though she added: “I can’t guarantee that 100 percent.”
After the breach
ChoicePoint had inspected some customers who got personal data in the past, but stepped up the system after February’s identity-theft disclosure, one of many high-profile data breaches to surface this year. That fraud — which resulted in at least 750 identity-theft cases — sent ChoicePoint’s stock tumbling 24 percent in the ensuing weeks. About two-thirds of that lost value has been regained.
Many ChoicePoint customers now get inspections when they open a new account or re-sign a contract for sensitive data, DiBattiste said.
Making the visits is necessary because “an identity thief could make believe he’s the local sheriff in a town of 2,000 people,” she said.
The inspector does not access customers’ computers or databases, she said. The auditor spends less than an hour confirming that the customer is legitimate and appears to have reasonable security practices.
DiBattiste wouldn’t give specifics. But one thing the Corona police were told was that the inspector would need to ensure that workstations where ChoicePoint databases were accessed were not left unmonitored.
Although ChoicePoint contends that few, if any, customers have defected rather than submit to inspections, DiBattiste acknowledged that the auditing is a work in progress.
For one, ChoicePoint now lets customers apply for a waiver, which DiBattiste must approve, if they have a long relationship with ChoicePoint or already have been contacted recently by someone from the company.
As senior counsel with the Electronic Privacy Information Center, Chris Hoofnagle has been a ChoicePoint critic. He says the company deserves credit for its inspections, though he wants them to go further.
“I think ChoicePoint should randomly audit users of the database,” he said, “and make them show why they pulled a file of an individual.”