WHY EUROPE IS SAFE FROM CHOICEPOINT: PREVENTING COMMERCIALIZED IDENTITY THEFT THROUGH STRONG DATA PROTECTION AND PRIVACY LAWS

George Washington International Law Review, The, 2007 by Miller, Maeve Z

INTRODUCTION

Prior to February 2005, most Americans were unfamiliar with ChoicePoint, a data broker that aggregates and sells personal information. In 2005, however, ChoicePoint revealed that identity thieves had purchased personal data on approximately 145,000 Americans.1 For the first time, many Americans became aware of the dangers of "commercialized" identity theft-where identity thieves pose as legitimate companies and simply buy the personal details they need from companies who maintain vast databases of personal information on virtually every U.S. citizen. This type of commercialized identity theft simply is not possible in the European Union, however, due to those countries' stricter data protection and privacy laws.

This Note will explain why the ChoicePoint scandal could not have happened in the European Union by comparing the legal data protection and privacy frameworks in the United States and European Union. This Note will then consider the philosophical underpinnings of the respective privacy protections in the United States and the European Union, and suggest that protecting Americans from commercialized identity theft will require fundamental shifts in the way Americans view their personal information. Finally, this Note will consider the Federal Trade Commission's recent actions against ChoicePoint, and whether these measures adequately address the problem of commercialized identity theft.

I. THE CHOICEPOINT INCIDENT

In February 2005, ChoicePoint, described as "one of the nation's biggest information services,"2 disclosed that it had "inadvertendy" sold personal and financial records to identity thieves.3 These identity thieves posed as officials in legitimate debt collection, insurance, and check-cashing businesses,4 and used these fraudulent business identities to open nearly fifty accounts with ChoicePoint.5 For between $5 and $17 per report, the identity thieves then purchased thousands of reports containing names, addresses, Social Security numbers, financial information and other details.6 Investigators do not know the extent to which the information was used or resold,7 but a similar scam, perpetrated against ChoicePoint in 2000, resulted in at least $1 million in fraudulent purchases.8

A. Identity Theft

Identity theft is defined as "the unauthorized use of a person's name, address, birth date, Social Security number and mother's maiden name to fraudulently obtain credit cards, loans, and open bank accounts."9 Identity theft is not the same as credit card fraud, where thieves gain access to the victim's existing credit card account information and charge purchases to that account.10 With identity theft, the thief opens entirely new accounts using the victim's identity but with different addresses attached to the accounts to prevent the victim from discovering the fraud.11 Whereas a victim of credit card fraud can usually correct any damage by reporting the fraudulent charges and changing her account number,12 an identity theft victim must deal not only with the fraudulent purchase but also with the often catastrophic damage to her credit report.13

Even within the category of "identity theft," identity thieves access the personal information necessary to open fraudulent accounts in a variety of ways. Some are "hackers" who essentially break into company databases to steal the information,14 like a burglar smashing a window to gain access to your house. This Note, however, will focus on what I have termed "commercialized" identity theft, referring to instances where identity thieves pose as legitimate companies and simply buy the personal details they need from data mining companies, such as ChoicePoint, that maintain vast databases containing personal information on virtually every U.S. citizen.15 This is analogous to a burglar being able to legally buy a key to your house. This type of commercialized identity theft is only possible with the existence of these data mining companies who, in turn, can only exist within a legal framework that allows for the collection, aggregation, and sale of personal information by and to third parties.

B. ChoicePoint

ChoicePoint, based in Georgia, maintains what it claims is the largest collection of court records, addresses, and other public data on people in the United States, a collection of nineteen billion records in all.16 Marketing itself as "the leading provider of identification and credential verification services for making smarter decisions in a world challenged by increased risks,"17 ChoicePoint creates "exhaustive dossiers" on individuals by aggregating information from government agencies, including local property records, court records showing bankruptcies, liens, judgments, divorces, and driver records, boating, pilot and professional licenses, real estate deals, and from information purchased from the three major credit bureaus and other information services.18

ChoicePoint describes itself as "a trusted source and leading provider of decision-making information that helps reduce fraud and mitigate risk."19 It has more than 100,000 customers and revenues exceeding $1 billion,20 with a large proportion based on "the resale of details about individuals."21 ChoicePoint customers include insurance companies, banks, state and federal law enforcement agencies, landlords, employers, collection agencies, and private detectives.22