It's axiomatic that to get ahead in business, you have to possess a quality known through the ages as moxie or chutzpah. No one would ever accuse ChoicePoint Inc. of having that quality in short supply.
ChoicePoint is the Georgia-based data broker that has fessed up to having divulged the personal records of at least 162,000 individuals to a gang of Los Angeles identity thieves. Following its initial public disclosure of the breach in February, the company tried to portray itself as the victim in the case, even though its own sloppy procedures led to the information release and the real risk of financial loss was borne by the innocent people whose credit ratings and privacy had been compromised. (A Nigerian national who cadged the data from ChoicePoint, apparently with ridiculous ease, later pleaded guilty to criminal charges.)
If anyone thinks that the cost and obloquy arising from the incident chastened ChoicePoint, which says it's the leading data broker in the country, forget it. In recent months the company has been meeting with officials of the California Department of Motor Vehicles in an effort to add the state's nearly 30 million vehicle registration records to its existing database of 19 billion nuggets of personal information -- a hoard that is already the biggest in the industry.
ChoicePoint says it requested the DMV records for a client, the U.S. Department of Homeland Security. That suggests it may ask the state to waive the normal fee of 10 cents per record, or about $3 million. By state law, government agencies can access DMV records for free.
But the money is a secondary consideration. The primary issue for the DMV has to be this: Given ChoicePoint's history, should it be allowed anywhere near our motor vehicle records?
ChoicePoint is already a poster child for the slipshod handling of private information by data brokers, financial institutions and others. Consider the Los Angeles fiasco: ChoicePoint only disclosed the security breach in the first place because a California law, unique in the country, required it to notify all state residents whose privacy might have been invaded. But the company had learned about the breach five months before it notified the victims; it later attributed the delay to the difficulty of establishing which records had been affected, among other things.
Nor was ChoicePoint entirely candid about its history of data breaches. Its chief executive, Derek Smith, claimed that the Los Angeles leak was the first in its history; in fact, three years earlier the company had experienced a nearly identical -- and undisclosed -- breach involving 7,000 identity records and leading to an estimated $1 million in fraudulent purchases.
The company's handling of motor vehicle records hasn't inspired confidence, either. In 2000, Pennsylvania terminated ChoicePoint's access to its drivers' license records and fined the company nearly $1.4 million because some records had been sold to unauthorized purchasers. ChoicePoint, characteristically, blamed one of its own customers for violating its rules. Pennsylvania authorities reinstated the contract a year later, with stringent conditions, because the company so dominated the business of providing motorist data to insurance companies that the insurers could barely function without it.
Along with several other data brokers, ChoicePoint has been accused in Florida of violating the federal Drivers Privacy Protection Act by selling motor vehicle records to marketers and other inappropriate buyers. (The act was designed to keep burglars and stalkers from obtaining motorists' home addresses based on license plates they spotted on the road.) A request for class-action certification is pending in federal court.
The California DMV says it first heard from ChoicePoint in October 2004, when the company requested access to all drivers' license records. The state rejected the request out of hand, says Armando Botello, a DMV spokesman.
Further conversations culminated in a meeting in September between ChoicePoint executives and Candy Wohlford, deputy director of the DMV's communications programs division. By then, the company was seeking only vehicle registration data, including vehicle identification numbers, owners' names and license plates but not, apparently, addresses. ChoicePoint was instructed to file its request in writing, and the company says it plans to comply.