Sie sind auf Seite 1von 10

UNIVERSITY OF WASHINGTON

Analysis of ChoicePoint
Case Study
Group 10
Amar Kohli, BK Sarthak Das, Dhawal Kumar Lachhwani and Divya Krishnan
12/1/2014

Executive Summary
ChoicePoint being one of the major players in the personal data industry was reveling in its success by
the end of 2004, with revenues of $920 million and a customer base of 100,000. It had used its greatest
asset - data, to create value for its clients using relevant products and services. The clients of
ChoicePoint were able to drive business growth to new heights harnessing the personal data of millions
of citizens in America.
But all was not well with ChoicePoint when they were ambushed by privacy advocates and victims of
identity theft. This was a result of their business model which focused on maximizing profits and was
negligent in protecting its data against people with criminal intent. Identity thieves had got access to
sensitive information on more than 163,000 ChoicePoint customers which led to huge monetary loss.
While investigating an incident of identity theft, ChoicePoint discovered 50 fake client accounts opened
by criminals to extract valuable information about their targets. ChoicePoint was also critiqued heavily
for its data inaccuracies and lack of proper procedure to correct data mismatch especially data
originating from government entities.
After extensive analysis of the case study, we feel that ChoicePoint could have adopted certain
strategies to win over public confidence and prevent monetary loss owing to lawsuits. ChoicePoint could
have reviewed their clients through onsite visit which would have prevented fake accounts from being
created and kept the identity thieves at bay. It was also necessary for ChoicePoint to have an audit
mechanism through which they kept track of client data requests so as to ensure that the data was used
to legitimate purposes. With respect to the issue of data inaccuracies, ChoicePoint could have obtained
the access rights to the source data without independently storing them in their databases. This would
have reduced their IT infrastructure costs and also made the public entities responsible for data
inaccuracy. ChoicePoint could have ensured better transparency by having procedures to notify the
public in case of any data mismatch. ChoicePoint could have also collaborated with the other data
brokers to make the personal data industry more secure and compliant to the privacy rights of American
citizens.
Introduction
ChoicePoint faced numerous problems such as identity theft, privacy violation and data breach.
ChoicePoint showed a pattern of negligence while handling data breach incidents and misinformation. It
also had to face legal implications from the individuals whose data compromised. The purpose of this
report is to provide ChoicePoint with recommendations to improve their information protection
strategies.
Appraisal of ChoicePoints business model
Market opportunity
When Equifax made a transition in their business model, by expanding beyond credit-reporting to data
brokerage, another intention was to provide the business an escape from the laws that restricted the
type and amount of information a credit agency can sell. And thus ChoicePoint was born which being a
data broker company was free from governing laws and restrictions in data collection and sale. With
that added advantage, ChoicePoint acquired various companies that added data and data capabilities to
ChoicePoints existing database; capabilities ranging from data sharing within multiple databases, to
creating electronic maps, to biometrics. The key concept behind ChoicePoints business model was to

consolidate the fragmented personal data markets ranging from insurance, public records, preemployment screening, and drug testing markets (to name a few) (Paine & Phillips, 2008, p. 4).
With an expanded set of data, ChoicePoint became a frontier in data brokerage serving multiple clients
including government bodies, small to large scale business and individuals. The insurance industry
property and casualty (P&C) and life and health insurance (L&H) segments required applicants data to
assess risk and detect fraud; their claims histories and motor vehicle reports; and services such as
properties inspection and audit, surveillance, and fraud investigations. The business customers required
data for pre-employment screening, public-records searches, biometric of their job applicants apart
from business and professional credentialing; collections and recovery; risk management; compliance;
due diligence and fraud protection. ChoicePoint even catered to individuals for their needs such as
ordering birth, marriage, divorce, and death certificates over the internet instead of traveling to the
local courthouse (Paine & Phillips, 2008, p. 3) as well as insurance reports, public-records self-checks,
and background checks on service providers. The largest requirements were from the marketing
businesses which acquired personal data to analyze and target the specific users for marketing. Even
youth organizations used data to screen various service providers specifically to avoid hiring sexoffenders. ChoicePoint harnessed these above mentioned market opportunities in order to comply with
their mission statement which is, To be the premier provider of intelligent information to help our
customers better understand whom they do business with (Paine and Phillips, 2006-2008, p. 2).
ChoicePoint creating value
Paine and Phillips (2006-2008) state the various ways in which ChoicePoint created value for its
stakeholders, namely, its suppliers and clients. It had public and private sources for data collection and
had government bodies, corporate business and individuals as clients. The figure below gives us a brief
idea of the position of the stakeholders in the business:

Figure 1: Information Flow Model of ChoicePoint (Source: Paul N. Otto, Annie I. Antn, David L. Baumer (Author).
(2006). Information Flow Model of ChoicePoint [infographic], Retrieved Nov 30 2014, from:
http://theprivacyplace.org/blog/wp-content/uploads/2008/07/tr-2006-18u.pdf)

As shown in the above figure, ChoicePoint acquired its resources from various government entities such
as the federal government and state government. Private Insurance companies provided ChoicePoint
their claims histories without any cost. Other data was either bought in electronic form or ChoicePoint
hired contractors to gather information by hand. Later on ChoicePoint even acquired more than 50
companies to increase their data capabilities. Quite a few of such stakeholders survived on selling
information to ChoicePoint.
With the advent in collection strategies of different forms of data at ChoicePoint, after the acquisition of
50 technologically and fundamentally diverse companies, ChoicePoint was able to provide DNA
identification, biometrics, and electronic maps to its clients for advanced screening and background
check purposes as well as customer identification, customer behavior, and a focused list of potential
customers for targeted marketing. By 2005, ChoicePoints C.L.U.E Report (Comprehensive Loss
Underwriting Exchange) was the industry standard for over 95% of auto-insurers. With an increasing
demand from law enforcement clients, ChoicePoint had at least $117 million in contracts with the
federal government, $63.4 million of which was a contract with Department of Justice (Paine & Phillips,

2008, p. 3). The law enforcement clients majorly employed the services to trace financial assets and
terrorists. But the sector that majorly gained from ChoicePoints data brokerage is marketing, where
consumer data is analyzed to identify business patterns which helped in targeting specific sets of users
for promotional marketing. This brokerage of data brought in revenue of close to $920 million to
ChoicePoint, with over 100,000 customers by 2004. By 2008, ChoicePoint had grown to an extent that
Reed Elsevier paid $4.1 billion to acquire ChoicePoint.
ChoicePoints beneficiaries
As discussed by Paine and Phillips (2006-2008), we see that ChoicePoint had a varied range of
beneficiaries who utilized its products and services, namely, insurance companies, fortune 1000
companies, employers and landlords, financial institutions, government intelligence firms, law
enforcement agencies and individuals. They also provided services to smaller businesses, journalists, law
firms, private investigators, and even other data brokers. In a 2004 report, it was shown that almost 40%
of ChoicePoint revenue was generated through business services, 40% from their forte that was
insurance services, 9% from government services, and 11% from marketing. The products and services
offered by ChoicePoint benefitted its clients who used data to drive business profits and assist in doing
their job in a more efficient manner.
Assessment of industry criticisms
Charges against the personal data industry
The charges against data brokers such as ChoicePoint and the personal data industry are very serious
and we believe that the concerns about privacy and data security in relation to this industry are valid.
Some of the biggest criticisms against the industry include identity theft and inaccuracy of data.
Several people lost their jobs because of false charges from inaccurate data provided by ChoicePoint. A
Chicago area woman was fired from her job because ChoicePoint records incorrectly stated that she was
a drug dealer and shoplifter (Paine and Phillips, 2006-2008, p. 5). Many individuals were denied job
offers because of the misinformation provided by ChoicePoint. Even though maintaining updated
information is a complicated task for the personal data industry, it is absolutely necessary for them to
provide a disclaimer to their customers, so that individuals do not suffer because of misinformation.
Companies that use the data provided by data brokers expect accurate information so it is the data
brokers job to ensure veridical data. ChoicePoint was sued by a man who was denied a job offer from
IBM because his pre-employment screening showed that he had a criminal conviction, when, in fact, he
had been expunged (Paine and Phillips, 2006-2008). This shows that IBM depended solely on
ChoicePoint for their pre-employment screening, which led to them losing a potential good employee.
Identity theft, another criticism against the personal data industry caused individuals to be mistakenly
identified as felons (Paine and Phillips, 2006-2008, p. 5). Paine and Phillips (2006-2008) show that an
individual named Jeffery Davis was denied a job because he was identified as a felon, whereas he was a
victim of identity theft.
Threat to individuals privacy
The personal data industry poses a major threat to individuals privacy, especially if data brokers such as
ChoicePoint do not keep their data secure and accurate. Personal privacy is of utmost importance to
most individuals in the United States and the U.S. Congress has even passed the Privacy Act, requiring

government agencies to adopt a set of fair information practices for databases containing personal
information. However, companies such as ChoicePoint sold individuals personal data to government
agencies (Paine and Phillips, 2006-2008). This concept was not well received by the public and posed a
threat to their privacy.
Data brokers sold information to marketers and salespeople, who then had access to individuals Social
Security numbers. Thieves could easily get access to this sensitive information by hacking into a data
brokers system. With access to the system, a thief could modify sensitive records and cause a lot of
potential damage to the victim. In fact, ChoicePoints data was breached in 2006 and over 163,000
individuals private information such as credit histories, social security details, etc. was leaked. The
Federal Trade Commission (FTC) charged ChoicePoint $10 million in penalties and $5 million in
consumer redress to settle the charges (ChoicePoint Settles Data Security, 2006).
Data brokers also have access to personal data such as an individuals address, contact details, family
medical history details, income, etc. They even know if an individual is an alcoholic or if he/she suffers
from depression. This personal data, when in the wrong hands, poses a large threat to any individuals
privacy, especially if its not kept secure. People can lose their jobs or even be forced into a divorce
because of inaccurate and insecure information provided by the personal data industry.
Assessment of the situation
ChoicePoints approach to ensure data accuracy
We feel that ChoicePoint did not take enough measures to ensure that their data is accurate especially
considering the fact that it is a company dealing with personally identifiable data of millions of
Americans. Paine and Philips (2006-2008) give the example of Jeffrey Davis who was denied a job as he
was mistaken for a felon and in spite of Daviss dad requesting ChoicePoint to correct the error, Davis
had to let go of a second opportunity of employment. This clearly shows that ChoicePoint is not quick
enough to fix their mistakes and do not realize the negative effects of their inaccurate data on the
victims of mistaken identity.
ChoicePoint, when acquiring data from reliable sources such as government entities, was to assume that
the data is accurate unless contested. Texas Department of Public Safety (DPS), which is one of the
sources for ChoicePoint, is infamous for having incomplete and missing data (Paine and Philips, 20062008). As DPS database had only 60% of all the criminal records, the data provided by ChoicePoint to its
clients had lot of inaccuracies. ChoicePoint relied heavily on the source of the data for accuracy and did
not have any process to check the accuracy of data once it is transferred to the ChoicePoint database.
Another problem in collecting data from government bodies was that their databases were updated
more frequently than ChoicePoint could buy or update the data. For example the DPS updates its
records every hour in some cases whereas ChoicePoint updated their databases only once a month. This
meant that for a month, someones criminal record was not reflected or a wrongly accused person was
still a felon in ChoicePoints databases. It was believed that the expense of collecting or updating data
was much more than ChoicePoint could afford especially in the case of state records where the data was
updated frequently.
ChoicePoint did have some measures to check the integrity of the data received from various sources.
Paine and Philips (2006-2008) suggest that ChoicePoint gave its employees a training manual on
investigatory procedures but there doesnt seem to be any mechanism in which ChoicePoint ensured
that its employees were well-versed in the training manual and that they followed the manual before
giving data out to their various customers like insurance companies and law enforcement agencies.
Another validation performed by ChoicePoint was that it double-checked on the identity of the future

hires showing a criminal record in their database while performing an employee background check for
their clients. But this excludes employees whose criminal records were not discovered as part of the
background screening and whose data was not properly updated. Also, although not perfect, these
validations performed by ChoicePoint were not visible to the outside world which created more mistrust
regarding the services provided by ChoicePoint.
ChoicePoints security measures
We think ChoicePoint had been negligent in maintaining adequate security measures considering that
they have a bundle of personal information about millions of people.
In 2005, there was a case about an identity thief who posed as James Garrett, and who identified
himself as an executive of M.B.S, a Los Angeles based small business company (O'Harrow Jr., 2005). The
thief posed as a potential client of ChoicePoint and requested electronic records of individuals. The
ChoicePoint employee became suspicious of the thief and with the help of police lured the man into a
copy store. When the thief was caught, it revealed a huge identity scam but by then he had already got
access to 145,000 records from ChoicePoint. After the incident, ChoicePoint found out 50 other such
fake accounts created by con-artists and identity thieves. This shows lack of adequate security measures
at ChoicePoint. After this incident, ChoicePoint restricted the sale of its information especially sensitive
consumer data.
OHarrow Jr. (2005) describes the security measures of ChoicePoint for opening a new account - Before
granting service, ChoicePoint typically requires a photocopy of a driver's license and business records on
file with a state or local government agency. A ChoicePoint employee would then verify that such a
person and company exists (p. 3). But Identity thieves used fake ids and created fake companies on
paper and got them registered with government agencies using phony names. Hence the criminals were
easily able to bypass the security measures of ChoicePoint which shows that ChoicePoint was negligent
in verifying data request.
As seen by many legal cases against ChoicePoint, it had a passive security strategy, one that believes in
dealing with a breach after it has occurred. Considering that ChoicePoint is an information-centric
company, it should have been proactive in securing its data and also validating its client requests.
Concerns on the usage of ChoicePoints data
We are very concerned about the sale of ChoicePoint data to clients without probable cause. A lot of
con-artists are using the front of fake small businesses to steal personal records of thousands of people.
With the news of, illegal surveillance done by NSA, being out in the open, people have realized that law
enforcement agencies are not respecting the right of an American citizen to embrace privacy (Gellman,
2013). Also this has made the people more critical of the data collection and data security done by data
brokers such as ChoicePoint. Law enforcement agencies have in the past showed that they have not
conveyed the full details in their reports, allowing them 2776 violations of the rules for the surveillance
of American citizens and foreign nationals.
The United Nations has urged all the countries to protect the privacy of their citizens in this
technological era where the power is dominated by the entity or person having the maximum relevant
data (Sengupta, 2014). In such a scenario it is important that even the government agencies such as the
NSA be given data with caution and care.

Recommendations
After inspection of ChoicePoints business model and the criticisms held out against the data brokerage
industry, we have come up with certain recommendations which could have been followed by
ChoicePoint to regain their reputation in the industry.
Client Vetting - ChoicePoint had been the target of massive data breach which did not include any
technological attack vector, rather it was a proper use of social engineering to perform identity theft
which penetrated ChoicePoints poorly organized business structure. There was no proper vetting of the
clients, who were allowed to request ChoicePoints data for a mere $15 charge (OHarrow Jr., 2005). The
easy access of background information of numerous citizens created a honeypot for identity theft. If the
clients were reviewed by onsite visit and a secure channel was introduced for the data transfer it would
really protect them from identity theft.
Audit trails - It was also noticed that ChoicePoint would just accredit a client through faxed documents
(Otto, Antn, & Baumer, 2006), which is ironical for a company providing background check, not to
check their own clients. Another flaw in their business model was the lack of client accountability and
absence of supervision from ChoicePoint once the data was handed over to the clients. There should
have been an audit trail keeping track of client data requests and the usage of ChoicePoint data. The
creation of audit trail would also help in making ChoicePoint more credible in the government
regulatory acts such as HIPAA, GLB Act and many more, depending on the nature of the data.
Accurate sources - Based on the case study, we found out that ChoicePoint stored data on their systems
resulting in data mismatch. The entities providing the data did not hold any liability if ChoicePoint didnt
update their data. We would suggest a data extraction model which would save money and improve the
accuracy of ChoicePoint products. ChoicePoint should have adopted a service based approach, where
they would have the right to give access to the data source of their suppliers without storing the data on
their servers. This would reduce their IT infrastructure costs of setting up a data center and would also
make the public and private entities responsible for incorrect data being stored by them. Suppose, an
incorrect credit report was stored by the national credit bureau and ChoicePoint reports it, the citizen
should be able to report back to the bureau to initiate a credit freeze on their account and withhold any
wrong inference being made about them through this data.
Transparency - ChoicePoint had created a Big Brother persona for driving a data based decision model
which could make or break anyones life with a single report. Although the motive of their CEO was
much appreciated during its inception, the way it carried out its decisions behind the backs of citizens
whom it was supposed to empower, might have been a possible cause for its downfall. We believe, if
ChoicePoint had made the public more aware by sending out emails about their profiles deficiency it
would create a more empowering image for the company. For example, if Katherine had asked XYZ bank
for a loan and she had a bad credit report which explicitly specified a bad payment history, ChoicePoint
needs to send out a mail to her explaining why she did not get the loan approval as well as the next step
to follow to mend this. This mail should also contain steps for her to approach ChoicePoint if she
thought the report was wrong in any manner. ChoicePoint would then approach the source of the data
with Katherines complaint and get it fixed in an expedited manner. If ChoicePoint would have
performed this kind of service to the citizens it would have been more popular and desirable service
which would absolve them of their corporate monitor image.
Lack of unified Privacy Laws - The wayward behavior of ChoicePoint is also partially due to the lack of
relevant federal regulations and acts in consumer privacy. There are many different acts and policies in
place which address privacy in terms of the type of data being collected, such as Health Insurance

Portability and Accountability Act (HIPAA), Drivers Privacy Protection Act, Fair Credit Reporting Act and
many more. Although all of these legal acts protect citizens by safeguarding certain private details about
them but there is no unifying framework which prevents companies collecting all of these details and
using them for different purpose (United States Government Accountability Office, 2013).
Based on a report by United States Government Accountability Office which was addressed to Chairman
of Committee on Commerce, Science and Transportation of U.S. Senate there have been debate on
creating a unified framework for data collection. According to the report, privacy advocates have
argued that a comprehensive overarching privacy law would provide greater consistency and address
gaps in law left by the current sector-specific approach. Other stakeholders have stated that a
comprehensive, one-size-fits-all approach to privacy would be burdensome and inflexible (United
States Government Accountability Office, 2013, p. 1). Although this might seem to be an onerous task of
consolidating all the acts(refer Appendix) which protect consumer privacy across multiple domains,
there definitely is a need of some kind of governing framework which acts as an umbrella to these
various laws.
Collaboration with other data brokers - Corporations like ChoicePoint would have to pitch in with their
business models and views of making the industry secure. There will be cost associated with compliance
activities once an overarching law has been passed by the government. But the additional cost can be
justified as the previous business model had led to bad reputation and monetary losses owing to legal
issues. ChoicePoint lost nearly $27.3 million for the data breach which included legal fees and auditing
costs (Otto, Antn, & Baumer, 2006). This could have been avoided if ChoicePoint would have set up a
proper compliance plan early on in their business. The result of non-compliance can be heftier as it takes
more time and effort, leading to low operational output. It can also be damaging to companys
reputation which takes years to rebuild and loss of stakeholders confidence in the company (Steinberg,
2011).
Concluding Comments
In conclusion, adopting an active security strategy along with consistent efforts to manage data
protection could have prevented ChoicePoints security breach. Being a data broker is like walking on a
tightrope, one mistake and you can fall flat on your face. Hence, ChoicePoint could have adopted the
better security technologies and robust business model which would have helped them in maintaining
their leadership in the personal data industry.

APPENDIX

Bibliography
1. Company Overview of ChoicePoint, Inc. (2014, November 30). Retrieved November 30, 2014,
from
http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=364405
2. Reed Elsevier to Acquire ChoicePoint, Inc. (2008, February 21). Retrieved November 30, 2014,
from
http://www.reedelsevier.com/mediacentre/pressreleases/2008/Pages/ReedElseviertoacquireC
hoicePoint,Inc.aspx
3. ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million
for Consumer Redress. (2006, January 26). Retrieved December 1, 2014,
from http://www.ftc.gov/news-events/press-releases/2006/01/choicepoint-settles-datasecurity-breach-charges-pay-10-million
4. O'Harrow Jr., R. (2005, March 5). ChoicePoint Data Cache Became a Powder Keg. The
Washington Post. Retrieved November 28, 2014, from http://www.washingtonpost.com/wpdyn/articles/A8587-2005Mar4.html
5. Gellman, B. (2013, August 15). NSA broke privacy rules thousands of times per year, audit finds.
The
Washington
Post.
Retrieved
November
28,
2014,
from
http://www.washingtonpost.com/world/national-security/nsa-broke-privacy-rules-thousandsof-times-per-year-audit-finds/2013/08/15/3310e554-05ca-11e3-a07f-49ddc7417125_story.html
6. Sengupta, S. (2014, November 25). U.N. Urges Protection of Privacy in Digital Era. The New York
Times. Retrieved November 29, 2014, from http://www.nytimes.com/2014/11/26/world/unurges-protection-of-privacy-in-digital-era.html?_r=0
7. Kroft, S. (2014, March 9). The Data Brokers: Selling your personal information. CBS News.
Retrieved November 29, 2014, from http://www.cbsnews.com/news/the-data-brokers-sellingyour-personal-information/
8. Otto, P. N., Antn, A. I., & Baumer, D. L. (2006). The ChoicePoint Dilemma: How Data Brokers
Should Handle The Privacy of Personal Information. Raleigh, North Carolina: The Privacy Place,
North Carolina State University.
9. Steinberg, R. M. (2011). Cost-Effective Compliance Programs. In R. M. Steinberg, Governance,
Risk Management and Compliance It Can't Happen to Us - Avoiding Corporate Disaster While
Driving Success (p. 24). Hoboken: John Wiley & Sons, Inc.
10. United States Government Accountability Office, (2013, September), INFORMATION RESELLERS
Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace.
Retrieved
from
Government
Accountability
Office
Website:
http://www.gao.gov/assets/660/658151.pdf
11. Paine, L., Phillips, Z., & Bettcher, K. (2008). ChoicePoint. Harvard Business School, 9-306-001.