Choice Point, a Georgia-based corporation, is a data aggregator that specializes in risk-management and fraud-prevention data. Traditionally, Choice Point provided motor vehicle reports, claims histories, and similar data to the automobile insurance industry; in recent years, it broadened its customer base to include general business and government agencies. Today, it also offers data for volunteer and job-applicant screening and data to assist in the location of missing children.

Choice Point has over 4,000 employees, and its 2007 revenue was $982 million. It was acquired by Reed Elsevier in 2008. In the fall of 2004, Choice Point was the victim of a fraudulent spoofing attack in which unauthorized individuals posed as legitimate customers and obtained personal data on more than 145,000 individuals. According to the company's Web site: These criminals were able to pass our customer authentication due-diligence processes by using stolen identities to create and produce the documents needed to appear legitimate.

As small business customers of Choice Point, these fraudsters accessed products that contained basic telephone directory-type data (name and address information) as well as a combination of Social Security numbers and/or driver's license numbers and, at times, abbreviated credit reports.

They were also able to obtain other public record information including, but not limited to bankruptcies, liens, and judgments; professional licenses; and real property data. Choice Point became aware of the problem in November 2004, when it noticed unusual processing activity on some accounts in Los Angeles. Accordingly, the company contacted the Los Angeles Police Department, which requested that Choice Point not reveal the activity until the department could conduct an investigation.

In January, the LAPD notified Choice Point that it could contact the customers whose data had been compromised. This crime is an example of a failure of authentication, not a network break-in. Choice Point's firewalls and other safeguards were not overcome. Instead, the criminals spoofed legitimate businesses. The infiltrators obtained valid California business licenses, and until their unusual processing activity was detected they appeared to be legitimate users. In response to this problem, Choice Point established a hotline for customers whose data had been compromised. It also purchased a credit report for each victim and paid for a credit-report-monitoring service for one year. In February 2005, attorneys initiated a class-action lawsuit for all 145,000 customers, with an initial loss claim of $75,000 each.

At the same time, the U.S. Senate announced that it would conduct an investigation. Ironically, Choice Point exposed itself to a public relations nightmare, considerable expense, a class action lawsuit, a Senate investigation, and a 20-percent drop in its share price because it contacted the police and cooperated in the attempt to apprehend the criminals. When Choice Point noticed the unusual account activity, had it simply shut down data access for the illegitimate businesses, no one would have known. Of course, the 145,000 customers whose identities had been compromised would have unknowingly been subject to identity theft, but it is unlikely that such thefts could have been tracked back to Choice Point. As a data utility, Choice Point maintains relationships with many different entities.

It obtains its data from both public and private sources. It then sells access to this data to its customers. Much of the data, by the way, can be obtained directly from the data vendor. Choice Point adds value by providing a centralized access point for many data needs. In addition to data sources and customers, Choice Point maintains relationships with partners such as the vital records departments in major cities. Finally, Choice Point also has relationships with the people and organizations on which it maintains data.

Questions

1. Choice Point exposed itself to considerable expense, many problems, and a possible loss of brand confidence because it notified the Los Angeles Police Department, cooperated in the investigation, and notified the individuals whose records had been compromised. It could have buried the theft and possibly avoided any responsibility.

Comment on the ethical issues and Choice Point's response. Did Choice Point choose wisely? Consider that question from the viewpoint of customers, law enforcement personnel, investors, and management.

2. Given Choice Point's experience, what is the likely action of similar companies whose records are compromised in this way? Given your answer, do you think federal regulation and additional laws are required? What other steps could be taken to ensure that data vendors notify people harmed by data theft?

3. Visit www.choicepoint.com. Summarize the products that Choice Point provides. What seems to be the central theme of this business?

4. Suppose that Choice Point decides to establish a formal security policy on the issue of inappropriate release of personal data. Summarize the issues that Choice Point should address in this policy.