ChoicePoint and the data-breach disclosure trajectory

ChoicePoint has disclosed that fraudulent applicants gained access to records on approximately 145,000 individuals through its information-broker service. The disclosure has produced substantial press coverage, congressional attention, and a meaningful policy conversation. The structural development is the disclosure itself, not the breach.

This is a longer post because the regulatory trajectory matters more than the specific incident.

What happened

ChoicePoint is a US information broker — a company that aggregates personal data from public records, credit headers, and various other sources, and sells access to that aggregated data to subscribers (insurers, employers, law-enforcement agencies, lenders, others).

The disclosed incident: fraudulent applicants applied for ChoicePoint subscriber accounts using forged business credentials. ChoicePoint approved the applications. The fraudulent subscribers then queried records on approximately 145,000 individuals, presumably for identity-theft purposes.

The fraud was eventually detected through pattern analysis. ChoicePoint cancelled the fraudulent subscriptions, notified law enforcement, and — under California's Senate Bill 1386 — notified the affected California residents.

The incident itself is significant. The trajectory it represents is more significant.

What SB 1386 did

California's SB 1386 took effect in July 2003. The law requires any company holding California residents' personal information to notify those residents when their information is acquired by an unauthorised party. Other US states have started passing similar laws; specific federal proposals are circulating.

The structural property: previously, breaches like the ChoicePoint incident would have been handled privately. The affected individuals would have had no notification; the press would have had no coverage; the regulatory response would have been bounded.

SB 1386 forces disclosure. The forced disclosure produces public visibility; the public visibility produces regulatory and reputational consequences; the cumulative effect changes the operator calculation.

Why this matters more than the specific incident

Three observations.

The breach is being disclosed. ChoicePoint had to notify affected individuals. The disclosure process produced press coverage, congressional letters, state attorney-general inquiries, class-action lawsuits. The cumulative cost to ChoicePoint will substantially exceed the direct cost of the breach itself.

Other operators are watching. Other information brokers, other large data holders, other organisations with similar exposure profiles are watching the ChoicePoint response. The structural lesson — that breach disclosure produces substantial cost — will inform their security investment decisions over the coming year.

The disclosure regime is expanding. Other states are passing SB 1386-equivalents. The federal conversation is active. The cumulative regulatory landscape over the next several years will produce broader and stronger disclosure requirements.

The trajectory is a meaningful structural shift in how breaches affect operators.

The defensive implications

Three categories of implication.

Identity verification at the subscriber level. ChoicePoint's failure was at the subscriber-acceptance step, not at the data-protection step. Fraudulent applicants successfully applied for accounts; the verification was inadequate. Operators in similar businesses (information brokers, data aggregators, anyone selling access to sensitive data) need stronger verification.

Pattern detection on subscriber activity. Fraudulent subscribers presumably had query patterns different from legitimate subscribers. Pattern detection that catches anomalous queries — high volume, unusual subjects, geographic anomalies — would have caught the ChoicePoint fraud earlier.
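As an added illustration of the pattern-detection point above, and not code from the original post or anything ChoicePoint ran, the following Python screens a constructed subscriber query log for the three anomaly classes named: query volume well above the population median, an unusually wide spread of subject states, and a burst of queries inside a single hour. The log format, the subscriber names, the sample rows and the thresholds are all assumptions; a real deployment would tune them against its own baseline.

```python
"""Screen subscriber query logs for fraud-like patterns.

Constructed example, not ChoicePoint's detection logic. Each log line is
assumed to look like: "<ISO timestamp> <subscriber> <subject_state> <subject_id>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _build_sample_log():
    """Build constructed log lines: three modest, local subscribers and one
    freshly created account querying many subjects across many states fast."""
    lines = []
    base = datetime(2005, 2, 1, 9, 0, 0)
    legit = {
        "ins-ca-01": ["CA", "CA", "CA", "NV"],
        "emp-tx-07": ["TX", "TX", "TX"],
        "lender-ny-3": ["NY", "NJ", "NY", "NY", "CT"],
    }
    n = 0
    for sub, states in legit.items():
        for i, st in enumerate(states):
            ts = base + timedelta(days=i, minutes=17 * n)  # spread over days
            lines.append(f"{ts.isoformat()} {sub} {st} s-{n:04d}")
            n += 1
    spread = ["CA", "FL", "OH", "WA", "GA", "AZ", "IL", "MI", "PA", "CO", "OR", "NC"]
    for i, st in enumerate(spread):
        ts = base + timedelta(minutes=4 * i)  # twelve queries in 44 minutes
        lines.append(f"{ts.isoformat()} fresh-acct-99 {st} s-{n:04d}")
        n += 1
    return lines


SAMPLE_LOG = _build_sample_log()


def parse(lines):
    """Parse log lines into (ts, subscriber, state, subject); skip malformed rows."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        out.append((ts, parts[1], parts[2], parts[3]))
    return out


def peak_per_hour(timestamps):
    """Largest number of queries falling inside any 60-minute sliding window."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > timedelta(hours=1):
            j += 1
        best = max(best, i - j + 1)
    return best


def score_subscribers(lines, volume_multiplier=2.0, max_states=4, burst_limit=8):
    """Return {subscriber: [reasons]} for every subscriber that trips a rule.

    Volume is judged against the population median, so one heavy user among
    many similar ones is not flagged on volume alone; state spread and burst
    rate are absolute thresholds (assumed values).
    """
    groups = defaultdict(list)
    for rec in parse(lines):
        groups[rec[1]].append(rec)
    counts = {s: len(rs) for s, rs in groups.items()}
    med = median(counts.values()) if counts else 0
    flagged = {}
    for sub, rs in groups.items():
        reasons = []
        if counts[sub] > volume_multiplier * med:
            reasons.append(f"volume {counts[sub]} > {volume_multiplier}x median {med}")
        states = {r[2] for r in rs}
        if len(states) > max_states:
            reasons.append(f"{len(states)} distinct subject states")
        burst = peak_per_hour([r[0] for r in rs])
        if burst >= burst_limit:
            reasons.append(f"{burst} queries within one hour")
        if reasons:
            flagged[sub] = reasons
    return flagged


if __name__ == "__main__":
    for sub, reasons in score_subscribers(SAMPLE_LOG).items():
        print(sub, "->", "; ".join(reasons))
```

Run as a script it prints one line, for the constructed fresh-acct-99 subscriber, with all three reasons. The median-relative volume rule is the part worth copying: an absolute volume cap is easy to tune badly, whereas a multiple of what the subscriber population actually does adapts as the legitimate base grows.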

Disclosure-readiness as an operational capability. When breaches happen, disclosure response — investigation, notification, communication, regulatory response — must be operational. Operators without disclosure-response capability will struggle when their incident comes; the investment in capability is worth making before the incident, not during.

For UK operators specifically: the Data Protection Act 1998 and the Information Commissioner's Office provide a structurally different framework, but the trajectory toward stronger UK breach disclosure will likely follow the US lead. Specific operators in regulated sectors are already preparing.

What this teaches structurally

The disclosure regime is a structural defensive mechanism. It does not prevent breaches; it changes the operator incentive structure such that prevention becomes economically rational at higher levels of investment.

The cumulative trajectory, on the available evidence, is toward broader disclosure requirements, stronger regulatory response, larger civil-litigation exposure for breached operators, and corresponding shifts in security-investment incentives.

For my own writing: more on this category as the regulatory trajectory develops. The structural shift is meaningful enough that it will recur in future posts.

What I am paying attention to

Three things over the next 12 months:

Other states passing SB 1386-equivalents. 85% probability of significant expansion. The political momentum is real.

Specific federal disclosure legislation introduced. 70% probability. Multiple proposals are circulating; specific bills will move through Congress.

Specific UK regulatory tightening. 50% probability. The UK trajectory is slower; specific incidents in the UK will accelerate it.

For UK organisations: this is the time to be building disclosure-readiness capability. The trajectory points toward you eventually needing it; the investment is bounded.

More as the year develops.
