Personal information and data warehouser ChoicePoint was forced to admit, red-faced, that it screwed up with some of its “due diligence” practices when credentialing customers in its small business segment. At the heart of the information it disclosed in a shocking, and quite embarrassing, company statement, organized criminals, who include a Nigerian citizen that plead no contest in California state court in connection with the elaborate fraud and was subsequently sentenced to sixteen months in prison, that had previously stolen identities of U.S. citizens formed corporations using the stolen names, presumably either as principles or officers of the companies. Using these newly-formed companies, which masqueraded as payday loan and cheque cashing outlets as well as debt collection agencies, it applied to become small business customers of ChoicePoint to gain access to ChoicePoint’s massive collection of consumer data and personal information, including U.S. Social Security/state drivers’ license numbers, credit reports, and public record information such as court records, bankruptcies, liens, property titles, and other professional licenses. ChoicePoint said that because the companies operated by criminal fraudsters used the stolen names of good standing U.S. citizens, they were able to get by ChoicePoint’s “stringent” customer credentialing processes, such as bypassing its criminal record and background checks of its customers’ senior employees.
ChoicePoint says that it believes files on up to 145,000 U.S. consumers in 50 states and three territories (Guam, Puerto Rico, and the U.S. Virgin Islands) may be potentially compromised and some 750 people were victims of some form of identity theft and fraud based on, at least some of, the compromised information. It’s sent out detailed notices to those nearly 145,000 people and also said it will pay for one-year of free credit monitoring with the credit reporting agencies, Equifax, Experian, and TransUnion. It’s also advised everyone, not just those consumers affected, to regularly check their credit report with one of the aforementioned agencies and if, when reviewing their report, people find discrepancies it, such as credit applications the consumer did not request, to notify the credit reporting agency immediately to begin the process of correcting the report and also to place a fraud alert on the account. (Fraud alerts are a good tool to have in the shed in terms of preventing, or at least monitoring for, identity theft as they require the agency to call you to confirm businesses’ requests for copies of your credit file when applications for credit are made with such businesses. Plus, when you place a fraud alert with any one of the three agencies, it’s automatically forwarded to the other two. To learn more about such a process, visit ChoicePoint’s special Web page they have set up.)
Such advice is good advice, but it provides little consolation to those who have had their identity stolen and used for nefarious purposes as a result of such disclosure. Moreover, it raises some ethical questions. Should personal information and data warehousing suppliers, such as ChoicePoint, continue to operate virtually unregulated? And, as a supplementary to that question, should the U.S. Federal Trade Commission draft and adopt tough government regulations on the collection and dissemination of consumers’ personal information and credit files? Why do U.S. Social Security numbers (and Canadian Social Insurance numbers, for that matter) need to be included on credit reports and in the massive datastream of companies like ChoicePoint?
There’s no doubt we need credit reporting agencies and data collection companies, as they serve to provide issuers of credit, like banks, private-label credit card organizations, retailers, and others, a sort of guarantee that a person is likely going to be able to pay off their debt and in a manner consistent with the agreement between the lender and borrower. However, absolutely no useful purpose is served by providing U.S. SS/Canadian SI numbers to such corporations. Sure, these companies will argue that they require these numbers as they provide a unique identifier for each person, to properly sort the data into customer profiles. However, this is a red herring and a fallacy. Companies can simply sort customer profiles in the order of “Last Name, First Name, Middle Initial”.
Our government identification numbers are uniquely personal to us. They are who we are, what we’re about, and contain records of our earned income right from the first high school job to retirement pension, taxes paid, and other things of the sort. No individual, and no companies, need these numbers.
Footnote: It is worth noting that in the above referenced company statement, ChoicePoint was quick to point out that the incident was not caused by computer “hacking” and that it is working to make its so-called “due diligence” processes in signing up new customers of its small business product segment much stricter. It will now mask, or at least truncate, personally-sensitive information like drivers’ licenses and U.S. Social Security numbers. However, it stopped short of giving out this information entirely — governments and publicly-traded companies, or small businesses sponsored by publicly-traded companies, can access these numbers. It’s true that governments and large Nasdaq, NYSE, and TSX listed companies have strict privacy policies and employee codes of conduct, but by still allowing all publicly-traded companies access to these numbers, it raises the necessary question of, is that good enough? Many companies trade on the far less regulated over-the-counter boards, such as Pink Sheets, and could just as easily operate as nefariously as organized crime running closely-held companies. While it’s a start, it does nothing to address the fact that companies should not be collecting these numbers at all. It’s completely unnecessary.