ChoicePoint, the embattled data broker, has announced it is suspending most sales of data to small businesses. The action affects the company’s 17,000 small business customers.
The announcement is designed to re-assure investors and regulators that it is taking action to combat recently revealed lapses in data security. But the announcement raises more serious issues about ChoicePoint’s actions and internal controls — or lack thereof.
ChoicePoint is in the business of gathering personal data about consumers that it sells to insurance companies, banks, government agencies, and businesses. Buyers of that data use it to determine insurance premiums and interest rates, do pre-employment screening, etc.
It turns out that scammers have been posing as small businesses to improperly access data about individuals. The scammers would open accounts with ChoicePoint masquerading as small businesses and then improperly use the sensitive personal data for identity fraud.
The most recent announcement comes a few weeks after earlier news that 145,000 American consumer records at ChoicePoint were compromised.
When I first read the latest news report, it sounded like using a sledgehammer to swat a fly. Why cut off all small businesses, many of whom have a legitimate need for data, just because of a few bad apples?
But then I read the company’s announcement more closely.
It seems that two things are going on, both of which highlight lapses in ChoicePoint’s procedures.
- Vetting small businesses - Small businesses now are being vetted to make sure they really are small businesses. Apparently ChoicePoint did a poor job of checking the credentials of the “small businesses” it sold data to, in the first place.
That’s rather ironic for a company that is in the business of checking people out. ChoicePoint is “re-credentialing” those small businesses.
- Limiting use of sensitive data - ChoicePoint has decided to limit data sales to certain purposes, including “consumer-driven” transactions.
A literal reading of the company’s announcement suggests that small businesses should still be able to obtain data for pre-employment screening, tenant-screening and other “consumer-driven” transactions. In other words, if the consumer wants a transaction to happen, and the screening is a condition to that transaction, the information will be given out.
In my view those are probably the most common uses small businesses have for sensitive personal data of individuals, anyway. Typically a small business needs to conduct a background check when hiring someone or renting out premises. In these situations acquiring sensitive information serves a legitimate need.
But here is the bigger question. If ChoicePoint is now limiting the use of data to certain consumer-driven transactions (and a few other needs), for what other purposes were they selling data before now? What were they doing before that they no longer consider legitimate?
Was it for sales of direct marketing data? If so, why give out sensitive data such as social security numbers for direct marketing purposes, anyway?
ChoicePoint could have done a better job limiting the use of sensitive personal data to legitimate “consumer-driven” transactions in the first place. If it had done that, and vetted its business customers with the same level of detail as the individuals it reports on, there would be no need to take the action it is now announcing.
By the way, as an individual you may be concerned about the data that is on file about you. Go here to opt out of having personal information included in databases.