A Miami-Dade police officer allegedly peeked at thousands of private consumer records in what database giant ChoicePoint described as illegal use of its information. The company also announced three other incidents of improper access, two involving private investigators.
The incidents were discovered in February, said ChoicePoint marketing director James Lee, when the company was investigating a systematic electronic break-in by a crime ring that managed to steal some 145,000 records from the firm’s massive database. The Alpharetta, Ga.-based firm maintains records on nearly every adult in the United States.
ChoicePoint is sending out notice of the privacy breach to all those affected and offering a year of free credit monitoring. The letters state that Social Security numbers, addresses, dates of birth, and other personal information might have been accessed by rogue employees at legitimate agencies, the firm said. The company waited until now to notify consumers at the request of the various law enforcement agencies conducting their own investigations, Lee said.
In the biggest single incident, 4,689 people's records may have been improperly accessed by an officer of the Miami-Dade Police Department in Florida. Department spokeswoman Detective Mary Walters said the officer had been suspended and an investigation was ongoing. She declined to identify the officer and said no charges had been filed.
The three other incidents announced Friday were:
Two California-based private investigators, Kenneth Beck and Robert Starr, allegedly used ChoicePoint’s data to hunt for possible identity theft victims, Lee said. A Texas-based firm named RPM was found to have improperly accessed data. An employee of an "accredited insurance” company that ChoicePoint would not name, citing contracts with the firm, was also alleged to have improperly accessed records. In total, the three incidents resulted in 547 warning notices being sent to victims, Lee said.
ChoicePoint also announced Friday it will send out an additional 4,667 notices to newly-discovered victims of the high-profile data theft revealed in February. Those consumers will also get a year of free credit monitoring.
In the wake of that incident, ChoicePoint began taking a closer look at how its databases were being accessed.
"We identified some unusual search patterns," Lee said. "We have the ability for certain law enforcement customers to track the usage and report when there are anomalies."
The firm passed the information on the U.S. Secret Service and other law enforcement agencies, which are conducting their own investigations.
-Access without accountability-
Privacy rights advocate Chris Hoofnagle of the Electronic Privacy Information Center said the revelations highlight a serious problem with the use of electronic investigation tools such as ChoicePoint’s database: Law enforcement officials might abuse such systems to conduct personal searches.
"One concern is the problem of law enforcement having access without accountability," he said. Hoofnagle said he warned of this problem four years ago in a law journal article titled “Big Brother’s Little Helper."
"This clearly raises the question of whether or not anyone is overseeing law enforcement users of ChoicePoint," he said.
But Hoofnagle did praise the ability of Choicepoint auditors to uncover these incidents.
"That's a good thing, that ChoicePoint found these errant users of the system and that the public has received notice of them," he said.
Lee said ChoicePoint does all it can to make sure its service is used legitimately, but he said the firm’s clients also need to guard internally against misuse.
"We are using our technology to the degree that we can ensure searches are proper, but with any customer there has to be internal controls," he said.
Congress is currently debating legislation that would make customer notifications when private data is leaked mandatory nationwide, imitating a state law that protects California residents.
However, currently it's not clear which firm would have the responsibility to send the notifications: ChoicePoint, which owns the data, or the companies with the rogue employees that allegedly stole the data. While ChoicePoint was not necessarily legally obliged to send the notifications, the company chose to do so "to avoid arm-wrestling" with the other firms, Lee said.
So far this year, nearly 50 million consumers’ data has been reported lost, stolen, or exposed to hackers. ChoicePoint's data theft, first reported Feb. 14 on MSNBC.com, began a string of reported incidents that has highlighted the fragility of systems used to protect consumer data.