History of State Actions to Protect Personal Information

States have created many laws to protect personal information. California, for example, has worked hard to make laws that protect the security and privacy of its residents’ data. It was this state’s breach notification laws and a breach at a large corporation that led to the growth of data protection laws in many states.

ChoicePoint Data Breach

ChoicePoint was a data broker that merged public records, credit reports, and demographic data to create individual consumer profiles, which it then sold to the government and private companies. People used the profiles to conduct background checks. ChoicePoint also sold profiles to insurance companies. It collected many different types of personal information, such as names, addresses, and Social Security numbers (SSNs). Its databases also included credit history and DNA information.

In February 2005, ChoicePoint notified 35,000 California residents that their personal data had been exposed in a data breach. California was the only state at that time with a breach notification law, which applied to any business that stored the personal data of California residents. The law required these businesses to notify state residents of any security breach involving their unencrypted personal information.

ChoicePoint said that it discovered the breach in late 2004 after law enforcement officials contacted the company about an identity theft ring. ChoicePoint learned that the criminals pretended to be its customers. In order to become a ChoicePoint customer, applicants had to provide proof of a lawful reason for buying consumer data. At the time of the breach, ChoicePoint had over 50,000 customers, ranging from insurance companies to debt collectors.

NOTE

At the time of the data breach, news media reported that ChoicePoint had collected over 9 billion public records on U.S. residents and had stored 250 terabytes of data.

ChoicePoint’s validation processes did not find the fake customers, some of whom provided suspect documents to ChoicePoint. For example, multiple businesses submitted documents with the same information. This should have raised red flags for more review. ChoicePoint later found over 50 fake accounts that had access to ChoicePoint’s databases.1

At first ChoicePoint notified only California residents affected by the breach, because it was the only state requiring such notification. However, 19 other states were outraged. The state attorneys general wrote a letter to ChoicePoint demanding that it alert all people affected by the breach. ChoicePoint later sent notification letters to over 160,000 people.2

In January 2006, the Federal Trade Commission (FTC) investigated ChoicePoint, alleging that ChoicePoint violated consumer privacy rights. It also charged the company with violating federal laws. ChoicePoint settled with the FTC in December of that year and paid $10 million in civil fines.3

NOTE

ChoicePoint reported that it had many external audits after the 2005 breach. It was audited 80 times in the 24 months after the breach.

ChoicePoint also agreed to pay $5 million to fund a consumer relief program that would pay people who were victims of identity theft because of the breach. The agreement with the FTC also required ChoicePoint to create an information security program. The company is required to get independent audits every year until 2026. At the time, the ChoicePoint settlement was the largest in the FTC’s history.

NOTE

ChoicePoint was purchased by LexisNexis in 2008. To help protect consumer information, LexisNexis offered customers a copy of their consumer file. However, individuals could request only their own file, and they needed to provide proof of identity to get a copy. To learn more about this service, you can visit https://consumer.risk.lexisnexis.com/.

In May 2007, ChoicePoint settled a multistate lawsuit over the breach. Forty-three states entered the settlement agreement. As part of that agreement, ChoicePoint promised to improve its process for verifying customers. It also agreed to strengthen how it protects the data that it collects. ChoicePoint also agreed to pay $500,000 to the states involved in the lawsuit.4

ChoicePoint was on the FTC’s radar again in 2009, this time because of a 2008 security incident. ChoicePoint had changed some internal security controls, and the changed controls failed to alert it that someone had unauthorized access to its data. The wrongful access continued for about 30 days. During this time, the data of about 13,750 people—including SSNs—may have been disclosed.

NOTE

Illinois Governor Rod Blagojevich proposed the Personal Information Protection Act just days after the ChoicePoint breach went public. The ChoicePoint breach affected about 5,000 Illinois residents. The Act, which became Illinois’s breach notification law, took effect January 1, 2006.

The FTC alleged that the 2008 incident was a violation of the 2006 agreement. Therefore, ChoicePoint agreed to additional security requirements, such as strengthening its information security program again. It was also required to report to the FTC on its security efforts every 2 months until 2011.5

The ChoicePoint data breach is unique because it spurred the creation of data breach notification laws in many states. If it were not for the California breach notification law, ChoicePoint might not have notified any consumers at all about the data breach. Other states realized that their residents might not be able to protect themselves from identity theft in similar situations without these laws. Thirty-five states considered breach notification laws in 2005. The ChoicePoint case is widely seen as the reason why other states have these laws.
