It's axiomatic that to get ahead in business, you have to possess a quality known through the ages as moxie or chutzpah. No one would ever accuse ChoicePoint Inc. of having that quality in short supply.
ChoicePoint is the Georgia-based data broker that has fessed up to having divulged the personal records of at least 162,000 individuals to a gang of Los Angeles identity thieves. Following its initial public disclosure of the breach in February, the company tried to portray itself as the victim in the case, even though its own sloppy procedures led to the information release and the real risk of financial loss was borne by the innocent people whose credit ratings and privacy had been compromised. (A Nigerian national who cadged the data from ChoicePoint, apparently with ridiculous ease, later pleaded guilty to criminal charges.)
If anyone thinks that the cost and obloquy arising from the incident chastened ChoicePoint, which says it's the leading data broker in the country, forget it. In recent months the company has been meeting with officials of the California Department of Motor Vehicles in an effort to add the state's nearly 30 million vehicle registration records to its existing database of 19 billion nuggets of personal information -- a hoard that is already the biggest in the industry.
ChoicePoint says it requested the DMV records for a client, the U.S. Department of Homeland Security. That suggests it may ask the state to waive the normal fee of 10 cents per record, or about $3 million. By state law, government agencies can access DMV records for free.
But the money is a secondary consideration. The primary issue for the DMV has to be this: Given ChoicePoint's history, should it be allowed anywhere near our motor vehicle records?
ChoicePoint is already a poster child for the slipshod handling of private information by data brokers, financial institutions and others. Consider the Los Angeles fiasco: ChoicePoint only disclosed the security breach in the first place because a California law, unique in the country, required it to notify all state residents whose privacy might have been invaded. But the company had learned about the breach five months before it notified the victims; it later attributed the delay to the difficulty of establishing which records had been affected, among other things.
