12 Questions for ChoicePoint

ChoicePoint became a household name in 2005 when a data breach case involving 163,000 consumer records made headlines around the world. Prominent and controversial, ChoicePoint's database of 17 billion public records is used for background checks, insurance applications and tenant screening.

Recently, Credit.com had the chance to ask a ChoicePoint insider a few burning questions about the consumer data industry. Read what Matthew Furman, Vice President Corporate Communications for ChoicePoint, had to say about identity theft, data privacy and consumer security issues.

Many people don’t understand what ChoicePoint does. Would you give us a quick “average Joe” explanation?

ChoicePoint is an interesting company in that it combines state-of-the-art technology with up-to-date data in a way that helps make people safe, save money or get a job.

For instance, we do millions of pre-employment background checks every year (with the applicant’s prior knowledge and permission) and last year helped more than 6 million Americans get the job they wanted.

At the same time, we work with non-profit organizations around the country to screen their volunteers and paid staff. When we went back and looked at a three year period of non-profit background checks we found more than 85,000 people had applied to work with children or at-risk populations who had an undisclosed criminal conviction. Some crimes were relatively minor but many were not, including the 500 sex offenders looking to work with kids.

We save families money by providing the insurance industry the tools it needs to price a policy to the applicant’s specific circumstances, an effort that industry estimates saves money for as many as 70% of home and auto insurance applicants.

We also work with nonprofits and law enforcement agencies to provide them the technology and data they need to stop crime and capture criminals. This work has brought us into a close partnership with the National Center for Missing and Exploited Children and given ChoicePoint the opportunity to participate in the resolution of thousands of cases of missing children over the last 8 years.

Let me also tell you what we don’t do. We don’t purchase, hold or sell medical data. We don’t have records on everyday purchases nor do we know what your daily activities are like. We don’t give sensitive, personal information about you to just anyone who asks. Our customers have to demonstrate what we call “permissible purpose” and we audit them to ensure that they are, indeed, using our data in an appropriate fashion. Additionally, we also have no intention of purchasing taxpayer information from a tax provider as might be allowed under proposed IRS rule changes.

How does ChoicePoint verify that the information that they have about a consumer is correct?

First, it should be said that nearly half our products and services are devoted to verifying for our customer information already provided to them by the consumer. Much of what ChoicePoint uses to do this verification comes from public sources like court documents and property records. Though clearly most of that information is accurate we know full well that mistakes or inaccuracies can occur.

Unfortunately, we have no way of knowing that a public record is wrong until the consumer tells us and we can’t actually make the change ourselves. The record, after all, is the consumer’s and not ours.

As for other data we purchase or use, some of it is commonplace, like addresses found in telephone books, and others typically more reliable, like name and date of birth found on a credit record. For much of it we have a quality assurance program that reviews the data, looks for errors, duplications and anomalies and corrects the information before it is used by our customer.

The bottom line is that much of our business is governed by the Fair Credit Reporting Act (FCRA) and ChoicePoint’s responsibilities to the consumer are clearly spelled out and closely followed. They include the right of a consumer to challenge any unfavorable finding and a requirement that we provide assistance in pursuing a correction. If any information is subsequently proven to be incorrect we are required under law to issue a new report and will, obviously, do so.

How can a consumer access their ChoicePoint records? Do consumers have the ability to see who has accessed their files? Is there a dispute process?

Americans are more and more interested in seeing what companies like ChoicePoint and insurers, creditors and potential employers around the country have access to about them. We encourage that trend and look to make it easy and often free on our website www.ChoiceTrust.com. You can go there and, once a year, get free copies of what we call your C.L.U.E. Report, a five year history of loss claims associated any personal property (home and auto) you’ve had insured. Additionally, if we’ve ever conducted a pre-employment or tenant history report on you can also get a free copy of that, once a year.

In addition to services described above, all of which relate to the Fair Credit Reporting Act, we also make available to customers public record search products. These searches are often referred to as reports and it’s important to note that the word “report” is a bit of a misnomer. These public record database searches are akin to a Google or Yahoo search. Like a web search they capture a wide range of information, some of which may not apply directly to you. A good example is finding a previous owner of your home listed on your public records search. Nevertheless, they are a good starting point and well worth any consumer’s time. Once again, you can get a free one every year.

Given that people don't have a way to opt-out of your database and in most cases might not know that they are even in your database, how does ChoicePoint assure the general public that it has the consumer’s best interest at heart? What is the benefit to the consumer of being in the ChoicePoint database?

One of the most common misconceptions about ChoicePoint involves “the database.” There is no single database in this company, but rather collections of data that are accessed depending on the customer’s need.

With that said, because of the nature of ChoicePoint’s business the average consumer never knows how we are benefiting them at any given time. But, every time they apply for a credit card, go to buy a car and look to drive it off the lot the same day, price a car or home insurance policy, apply for a job and agree to a background check as a condition of their employment or do something as simple as buy a cell phone and have it activated over the phone -- businesses like ChoicePoint are making that possible. These examples all fall into the category of consumer-initiated transactions and, like more than half of what we do, involve full consumer knowledge that some sort of search or check is being done.

When police departments look to better direct their resources in a manhunt, like the sniper shootings in Ohio and Washington, D.C., they turn to ChoicePoint’s technology. And when you place your trust in a non-profit organization to care for your child you, presumably, feel better if a background check has been conducted on the paid and volunteer staff.

The majority of the work we do is initiated by you and every other American. Opting out, in effect, would cut you off from daily American commerce and foreclose an untold range of options for you and your family.

Last year, ChoicePoint made major news with a data theft where over 160,000 consumer records were stolen by someone posing as a business client. How did this data theft change your company?

Let me begin by saying your initial comment has a significant flaw in that criminals engaging in fraud may have had the opportunity to access approximately 160,000 consumer records; no one knows exactly how many actually were accessed except that the guilty plea made by one of the individuals responsible for the crime referenced 16 victims.

More specific to your question, the most significant thing we recognized was the need for transparency in our business. Fundamentally, the American people don’t understand what we do and we need to do a better job of telling them.

Other lessons we learned included recognizing that thieves are extremely resourceful and that there were a range of things we needed to do to make certain that the events disclosed in early 2005 do not happen again. First, we stopped selling data to certain customers because we believed it represented too great a risk to consumers. Second, we restricted the distribution of sensitive, personal information to certain types of customers: those who have consumer permission to access the most sensitive data and a government agency or a large, accredited institution with which the consumer already has or is establishing a relationship. Even with these customers, the sensitive data may be masked from view and, for all other customers, we “mask” or do not distribute at all certain key, sensitive information.

At the same time we hired a former federal prosecutor and top level law enforcement official in both the Clinton and Bush administrations to serve as our chief compliance officer. She and her staff have instituted industry leading policies all designed to keep thieves from accessing the data. Through this compliance office, we have instituted a number of internal checks, many of which we do not discuss for obvious reasons. They include, however, doing site visits on nearly every customer, with minor exceptions, receiving sensitive, personal information to determine if they are legitimate enterprises.

Our focus has always been on making a safer, more secure society and reducing economic and physical risk through the use of technology but now an equally important job for us is to remain constantly on-guard against those who would misuse your information and mine.

What has ChoicePoint done to ensure that only reputable individuals with a legitimate need can get the information on consumers? Does ChoicePoint conduct audits on people and companies that request consumer data?

As discussed in question five, we do site visits to nearly every customer receiving sensitive, personal information to ensure that they operate a legitimate business. The exceptions include government agencies and large corporations with many branches. For instance, we might go to the corporate headquarters of a large retailer but not every store in the country.

We also perform random audits including verification from consumers where we will contact a consumer to confirm that they gave their permission to have their report released for a specific purpose (e.g., insurance, employment). We also participated in and successfully completed 43 outside audits of our processes and systems last year and will submit to more audits year after year.

How do you think data breach liability issues are impacting the corporate insurance industry? How is this affecting businesses such as ChoicePoint?

I can’t answer that.

What credit and identity theft services did ChoicePoint offer to consumers affected by the 2005 data breach? With consumers suspicious of phishing and other scams, what percentage of people actually participated? What services do you think should ideally be offered to consumers after a data breach?

The ChoicePoint response model has been followed by many of the more than 150 entities that had data incidents last year and the 50 entities that had data incidents thus far in 2006. We had two dedicated call centers to handle consumer issues and launched a website for consumers on the ways in which we could help them. We further arranged for potentially affected people to take advantage of assistance offered by the Identity Theft Resource Center. Additionally, we offered to potentially affected consumers the following, for one year:

• Unlimited access to Experian credit reports and score
• Daily monitoring of all three national Credit Reports
• One free report containing information from all three national credit reporting companies. This three-bureau report helps the consumer understand the information each credit bureau maintains about them and helps more easily identify any possible fraudulent activity on any of their three credit bureau reports.
• Email or SMS Text alerts when key changes are identified on any of their three national credit reports
• $50,000 Identity Theft insurance provided by Virginia Surety Company, Inc.
• Access to Fraud Resolution Representatives
• Services of the ID Theft Resource Center

On PrivacyatChoicePoint.com it mentions that ChoicePoint supports the creation of a national data theft notification law. What are your thoughts about the current bill (HR 3997) which includes a loophole only requiring notification when the breach is “likely to result in substantial harm?”

We support the legislation in principle but what we really want to see happen is a law that would clearly indicate when a company should and should not make notice. We prefer not to be in the business of making that decision on our own. In our view, that is the role of the government.

Does ChoicePoint support allowing consumers to "freeze" their records? It appears that residents of only a few states can currently do this with ChoicePoint.

ChoicePoint does not take a position on proposed consumer credit freeze legislation because, fundamentally, this is not our issue. With that said, we would rather see a national law instead of a patchwork of state regulations. Additionally, we would urge legislators to consider the potentially adverse consequences of an overly broad law – consequences that might well wind up disadvantaging consumers more than it helps them.

Do you think corporations that store personally identifiable information should be held liable when there are security breaches? To what extent?

I think all of us at ChoicePoint believe that wherever sensitive personal information resides it should be zealously protected and, when a breach occurs and actual damage results, those responsible for safeguarding it should be held accountable.

Have you personally experienced identity theft or credit card fraud in the past? If so, what happened and how does this influence your perspective?

I have not but I know many people who have. It is a legitimately difficult and potentially scary situation to be in and there is no one immune from it, including those of us who work at ChoicePoint.

Thank you very much for the opportunity to answer these questions.