updated 10/3/2005 10:50:58 AM ET 2005-10-03T14:50:58

In August the police in Corona, Calif., got a surprising phone call. The caller said an auditor needed to examine the department's facilities and take pictures inside. To the security-conscious police, the photo demand seemed ridiculous, especially given its source: the data broker ChoicePoint Inc., one of the department's information suppliers. A Corona crime analyst refused the request, and asked to speak to a ChoicePoint supervisor. She never heard back.

The episode reveals the delicate balance ChoicePoint is trying to strike as it recovers from a staggering identity theft scandal in which con artists posing as legitimate customers accessed personal information on 145,000 Americans.

As it seeks to exhibit iron resolve against fraud, the data giant is struggling not to alienate valuable customers in the process.

Indeed, the Alpharetta, Ga.-based company has cut off some customers entirely, including debt collectors and other small businesses that once were able to obtain full background reports on people from ChoicePoint.

Other customers — including news organizations such as The Associated Press — are finding the last four digits of Social Security numbers masked in ChoicePoint reports.

Such moves — which have won praise even from privacy activists who generally criticize ChoicePoint — are expected to trim company revenue by up to $20 million a year and earnings by up to 12 cents per share. (That's not a huge hit: ChoicePoint earned $1.62 per share in 2004 on sales of $884 million.)

Meanwhile, customers who still get access to the most sensitive data, including driver's license numbers, are being subjected to site visits and other audits to ensure they are who they say they are — even if those customers are the cops.

In fact, the company recently discovered that an unauthorized Miami police officer had used someone else's log-in and password to mine ChoicePoint records. The officer was relieved of duty.

Law enforcement accounts for 5 percent of ChoicePoint's revenue — most sales come from companies that use ChoicePoint dossiers to assess job, insurance or other consumer applications — but it is a high-profile segment, often touted by the company as proof that society benefits from its amassing of so much data on individuals. The FBI alone queried ChoicePoint files 1.2 million times last year.

Private investigators also are being subjected to new scrutiny.

ChoicePoint stumbled early in the crackdown when representatives called many private eyes and asked them to fax over personal and professional information about themselves, according to Brian McGuinness, a Miami investigator who heads the National Council of Investigation and Security Services.

"That was kind of ill-conceived," he said. "You're asking these investigators who are very aware of scams to send this sensitive information to some number," without first sending a letter or other confirmation the call was legitimate.

Some riled private eyes called for a ChoicePoint boycott. But ChoicePoint responded by clarifying the process, McGuinness said. He now fully supports the company's efforts.

Still, other investigators see the aggressive audits as an overreaction or a public-relations ploy.

Cynthia Hetherington, a private investigator in New Jersey, had to send ChoicePoint a copy of her investigator's license twice. The company agent also wanted bank account information "and stuff that has nothing to do with my credentials or the nature of my business."

"It's absolutely intrusive," she said.

Hetherington remains a ChoicePoint customer because she finds its vehicle records useful. But she and many other investigators are quick to reel off a long list of rival data providers with fewer hassles.

Indeed, when ChoicePoint stopped selling detailed background reports to debt collectors, there were plenty of other options, said Ramona Featherby, who runs a San Diego collection firm and is president of the California Association of Judgment Professionals. She cited such names as Merlin Information Service, LexisNexis' Accurint, LocatePlus and Westlaw.

"They have taken a sledgehammer to the ant ... (by) cutting off databases from one industry entirely, no matter how long they've been in business, no matter how pristine their record," Featherby said of ChoicePoint.

After ChoicePoint called for interior pictures of the Corona police department, discussion ensued in an online forum frequented by law enforcement personnel.

Carol DiBattiste, ChoicePoint's new privacy and compliance officer, responded to the group in a message that dismissed the story.

"While the requirement for site visits is true, contrary to rumors, ChoicePoint is not performing site visits that require photographs or access to sensitive facilities," she wrote.

But the photo request was no mere rumor.

DiBattiste acknowledged to the AP that ChoicePoint's checklist for site inspectors did include internal photos.

But she said she ordered that it not apply to customers in government and law enforcement because such photos could endanger the offices' security.

Apparently, she said, the Corona police got their call before the policy had been rescinded. She said she did not believe any police agencies actually had the inside of their offices photographed, though she added: "I can't guarantee that 100 percent."

ChoicePoint had inspected some customers who got personal data in the past, but stepped up the system after February's identity-theft disclosure, one of many high-profile data breaches to surface this year. That fraud — which resulted in at least 750 identity theft cases — sent ChoicePoint's stock tumbling 24 percent in the ensuing weeks. About two-thirds of that lost value has been regained.

Thousands of ChoicePoint customers now get inspections when they open a new account or re-sign a contract for sensitive data, DiBattiste said.

Making the visits, even to police, is necessary because "an identity thief could make believe he's the local sheriff in a town of 2,000 people," she said.

The inspector does not access customers' computers or databases, she said. The auditor spends less than an hour confirming that the customer is legitimate and appears to have reasonable security practices.

DiBattiste wouldn't give specifics. But one thing the Corona police were told was that the inspector would need to ensure that workstations where ChoicePoint databases were accessed were not left unmonitored.

DiBattiste said some customers have failed the new credentialing requirements and have been cut off. The company maintains that few, if any, clients have defected rather than submit to inspections.

Even so, DiBattiste acknowledged that the auditing effort is a work in progress.

For one, ChoicePoint now lets customers apply for a waiver, which DiBattiste must approve, if they have a longstanding relationship with ChoicePoint or if they already have been contacted recently by someone from the company.

Also, while internal photos aren't being demanded of government and law-enforcement customers anymore, the rule still applies for private-sector customers. But DiBattiste says ChoicePoint is revisiting that, too.

As senior counsel with the Electronic Privacy Information Center, Chris Hoofnagle has been a frequent ChoicePoint critic. He says the company deserves credit for its inspections — though he wants them to go even further.

"I think ChoicePoint should randomly audit users of the database," he said, "and make them show why they pulled a file of an individual."

Copyright 2005 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments