It's official: ChoicePoint, LexisNexis rooted many times
By Thomas C Greene in Washington
Published Thursday 14th April 2005 06:21 GMT
Privacy invasion behemoths ChoicePoint and LexisNexis have lost
control of sensitive data in the past, but deliberately covered it up
because no law required them to come clean, executives from both
outfits confessed Wednesday during Senate Judiciary Committee
hearings on the recent epidemic of ID theft plaguing the USA.
Numerous past breaches went without notification, ChoicePoint
President and COO Douglas Curling admitted under questioning from
Committee Chairman Arlen Specter (Republican, Pennsylvania). Curling
explained that after notifying the relevant law enforcement
authorities, "no one was made aware; law enforcement didn't tell us
anything." The ChoicePoint person in contact with law enforcement
simply didn't appreciate the importance of the situation, he whinged.
Specter wondered aloud how a company official with enough authority
to serve as liaison to law enforcement in such a matter could fail to
appreciate its significance and inform others. "I can't explain it,"
Curling allowed. However, there have been only "45 or 50 breaches,"
in all, he added.
LexisNexis has also experienced a slew of security breaches followed
by a slew of cover-ups, division CEO Kurt Sanford admitted. "All but
4 or 5 of the breaches were due to compromised passwords," he noted.
Speaking of the most recent debacle, in which the personal records of
310,000 victims fell into the hands of potential ID thieves, he said
that the first irregularities surfaced in February of 2004. Specter
wondered why it should have taken until April of 2005 for the public
to be notified, but Sanford, for all his obvious intelligence and
business acumen, was unable to explain this.
The admissions - under oath, finally - that these companies gladly
covered up their blunders and misdeeds, until required by California
law to notify victims, proves that regulation is essential to keeping
them honest.
Unfortunately, when no California residents are affected by such an
incident, the public has no guarantee that the truth will ever
emerge. Vermont Attorney General William Sorrell emphasized that
point, saying that without the California disclosure law, ChoicePoint
and LexisNexis would likely never have notified anyone outside of law
enforcement.
Sorrell observed that ID theft can be especially crippling because
it's an attack on credit availability, and for most Americans, access
to credit is more valuable than their other assets (rather a sad
comment on US economics when you think about it). He urged Congress
follow California's lead in requiring notification of important data
security breaches. But the regs should be crafted to let states be
more protective if they wish. "Federal legislation should be a floor,
not a ceiling," he advised.
The notoriously toothless US Federal Trade Commission (FTC) is the
watchdog apparent for any such regulatory regimen. After all, FTC is
the outfit that discovered in 2003 that 10 million people, or 4.6
percent of the adult population, had become victims of identity theft
in a single year, and has yet to do anything to impede it. Still, FTC
Chairwoman Deborah Platt Majoras advised the Committee to avoid over-
notification. "Consumers will become numb to notices," she said.
Actually, she has a point. When the California disclosure law forced
ChoicePoint to notify victims of its blunders and negligence, most
had no idea that they had a very important, albeit involuntary,
"business relationship" with the outfit, and tossed the notices in
the bin unopened, assuming them to be junk mail.
Clearly, something needs to be done, and Congress appears ready to
get ready to talk about it for a while. Senator Specter even warned
the panel that there will be "some very firm federal legislation
coming out of this issue," although we will withhold judgment until
we see it.
Regulation may be all well and good, but Congress mustn't toss out
the baby with the bath water, industry reps insisted. As Kurt Sanford
explained, commercial spy outfits like LexisNexis play a vital role
in recovering exploited children, and, of course, in fighting
terrorism. The fact that al Qaeda might be crawling all over their
databases is a minor issue when you consider the myriad benefits of
mass privacy invasion, making the lives of every citizen utterly
transparent.
ChoicePoint's Douglas Curling agreed. The company provides services
that create a safer, more secure American society, he boasted.
ChoicePoint helps consumers, and helps the government to protect
citizens while at the same time preventing fraud. Con artists may own
their databases, but they can always tell you if a prospective
employee really has earned the credentials he claims.
How did we ever get along without these guys? ®
---
* Origin: [adminz] tech, security, support (192:168/0.2)
generated by msg2page 0.06 on Jul 21, 2006 at 19:03:52
search: