We need government regulation of personal data warehousing, and we need it now. The recent disclosure that personal data collected on more than 140,000 individuals by Georgia's ChoicePoint has fallen into the wrong hands should be, I think, the last straw. ChoicePoint is in the business of verifying identities, and what they say about you has a lot of impact; if someone tampers with your data, you may be in trouble. If you're among the few not yet concerned with identity theft, you will be, trust me, if you're ever wrongly turned down for a job or denied a mortgage.

Several media accounts described the data breach at ChoicePoint as a computer hack. It wasn't.

Who is ChoicePoint? It is one of several companies that make it their business to obtain (through either public records such as court records, or by purchasing the data from companies you do business with) personal information about each and every one of us. What? You don't want companies like ChoicePoint to do this? Too bad. They have been quietly collecting social security numbers, credit card transaction histories, mortgages, bank loans, divorce proceedings, criminal histories--just about any piece of information they can get to create what they consider to be an accurate profile of you. But in the wrong hands, these profiles are the perfect tools to steal someone's identity.

ChoicePoint was not hacked
Several media accounts described the data breach at ChoicePoint as a computer hack. It wasn't. At this time, details are still emerging on what really happened at ChoicePoint, but the customer data was obtained through fraudulent accounts, and the practice appears to have spanned more than one year. There was no database compromise involved. Instead, it appears that an individual or group of individuals fraudulently created accounts with ChoicePoint, then obtained personal data from those accounts and used it to defraud people whose profiles are stored in ChoicePoint's data warehouse by changing billing addresses, then opening up credit accounts under a victim's name. So far, only one person has been charged in the fraud, a 41-year-old Nigerian man living in Los Angeles named Olatunji Oluwatosin, who now faces six felony counts including identity theft.

Ironically, ChoicePoint is a business that provides identification and credential verification for others, yet initial reports suggest a breakdown in ChoicePoint's own client-authentication process that allowed this fraud to occur.

Thank goodness for California laws
Fortunately, California has an identity theft law on the books, SB 1386. Because ChoicePoint retains information about residents in California, ChoicePoint is required by law to disclose any breach of information, which the company did. In fact, we might not have known about the ChoicePoint breach without SB 1386. Soon after the media learned of the initial breach, ChoicePoint felt compelled to notify as many affected individuals as it could, opening a tidal wave of disclosures that now includes more than 140,000 people in nearly all 50 states and the District of Columbia, and at least one class-action lawsuit.

So why don't more states have these laws? Some state houses across the country are considering identity-theft disclosure laws similar to California's. Then why isn't there a federal law? Good question.

I think the FTC should come down hard and regulate these data warehouses and the individuals who work for them.

After the success of the California law, Senator Dianne Feinstein (D-California) introduced national legislation, SB 115, modeled after the California law, requiring all companies doing business in the United States to notify their customers whenever there's a breach of customer data including first and last names, date of birth, social security number, and address. Unfortunately, the Feinstein bill has no cosponsors in Congress.

As I write, Senate Judiciary Committee chairman Arlan Spector (R-Pennsylvania) has announced plans to hold Senate hearings to examine the privacy, security, and civil liberty implications involved with the sale of personal information. And Senator Bill Nelson (D-Florida) has started studying additional legislation. Nelson should be familiar with ChoicePoint: In 2000, a subsidiary of ChoicePoint, DBT, was hired by the state of Florida to remove felons from the voter registration lists, but the company ended up deleting legitimate voters as well.

Which gets us to next problem: accuracy
If you live in the western United States, you can now request once-a-year free access to your credit history via the big three credit agencies (the Midwest and East Coast will follow suit shortly). The idea is to spot identity theft and also to give you the ability to clarify any errors (yes, the credit agencies sometimes make costly errors). But how do you spot and correct inaccurate information contained by ChoicePoint and others? At the moment, you can't.

Let's regulate before it's too late
If you have been a victim of identity theft, the Federal Trade Commission has a list of helpful contacts for reporting the theft and monitoring your credit reports. But really, shouldn't companies such as ChoicePoint take better care with other people's birth dates, addresses, and social security numbers? Data warehousing is currently like the wild, wild West, with companies harvesting whatever data they can just so that they can sell your good name and reputation to others. I think the FTC should come down hard and regulate these data warehouses and the individuals who work for them. If that doesn't happen soon, you can look forward to my next column on the subject in three months or so.

Are you disturbed that anyone can start collecting personal data about you and provide it to anyone--even criminals? Talk back to me