In February 2005, ChoicePoint, of Alpharetta, Georgia revealed that it had inadvertently sold personal information of 145,000 people to identity thieves. ChoicePoint, which was spun off from Equifax Inc. in 1997, had established itself as a data broker in an industry that has become enormously profitable. The news of ChoicePoint’s disclosure of personal information came only two weeks after data broker Lexis Nexis admitted to a similar incident. Data collection companies had become quite popular as companies put greater emphasis on getting to know their customers to enable better product positioning, but government and private investigators had relied on them also to avoid the cost and public scrutiny involved if they had attempted a similar national database. Given the number of people affected by the disclosures and the media attention received, it did not take long for the uproar to reach Capitol Hill. As it turns out, the information broker business is largely unregulated, as much of the current legislation does not apply directly to this business model. Gramm-Leach-Bliley is designed to protect consumers by ensuring that financial institutions protect nonpublic information, but ChoicePoint did not sell credit reports so experts are split on whether the law would apply. The Fair Credit Reporting Act may apply only if ChoicePoint sold employment histories that were used for eligibility purposes, such as in making employment or credit decisions by the companies that purchased the information. However, most experts see the Federal Trade Commision Act as the best bet in regulating businesses such as ChoicePoint since the law gives the FTC broad jurisdiction over nonbanking companies for “unfair and deceptive practices.” In fact, the agency had already sued five companies for “deceptive security claims,” and this could also apply to information brokers. Still, Capitol Hill is busy seeking additional legislation to ensure personal data is kept confidential.
Can new laws be expected to rein in companies and force them to adhere to best practices, or is it the responsibility of the professional manager to ensure proper security measures are enforced?
Can laws be enacted that are applicable to any computer crime without being so vague as to render them meaningless?
Would the scandal at Enron have been prevented if Sarbanes-Oxley legislation had been in effect before the scandal surfaced?