Tell me if you think you already know this: An Atlanta area company with a horde of sensitive personal information lands on the hot seat for letting bad guys get consumers’ secrets.
Consumers complain the company waited too long to warn them, didn’t have its act together when it finally did and then offered inadequate protections. Federal investigators dig into questions of insider trading because top executives sold company stock after the breach was discovered but before it was disclosed. State attorneys general talk sternly about getting to the bottom of things. The CEO, last name Smith, is called before a Congressional panel to explain what the heck is going on.
Ring a bell? I’m not talking about Equifax, the Atlanta-based credit reporting agency that was looted of private details on 143 million Americans.
No, I’m referring to ChoicePoint, a former Alpharetta business phenom that, like Equifax, profited by selling information on consumers.
Knowing what happened with ChoicePoint 12 years ago might make you even more steamed at Equifax now. Because Equifax and its CEO Rick Smith wandered into the same missteps and pr bungling after its breach was discovered. Speed in notifying customers is key. If you don’t notify consumers right away, at least be excellent in communicating with consumers when you do fill them in. Be more transparent.
The not-so-tasty icing on the cake: ChoicePoint was once a unit of Equifax.
ChoicePoint’s saga makes clear who will probably come out OK in this scenario: the entity that didn’t fully protect our data.
Normally, we don’t blame victims of theft. Unless we suspect they left a wallet full of somebody else’s valuables (ours) on the dashboard, failed to roll up the car window (Equifax apparently didn’t fully patch a known software vulnerability) and told everyone where it parked the vehicle.
Then, of course, Equifax waited to tell us the bad news, hindering out ability to protect ourselves. We may learn that some or even all of the delay was reasonable. But with all that extra time, how is it that Equifax bumbled so badly when it finally did share the news?
Back in the day, I helped cover the fallout at ChoicePoint, where executives had boasted that the company stood for trustworthiness as it helped protect against fraud. (Equifax, which had spun off ChoicePoint years before the identity thieves struck, is also fond of the “trust” label.)
Lots of organizations that have private data about us have been hacked.
But some companies stand out for the breadth and sensitivity of their holdings. Like Equifax, ChoicePoint gathered a huge trove of information that criminals would love to have a piece of.
ChoicePoint’s system was leaky. Identity thieves went to a copy shop and faxed ChoicePoint what turned out to be fake business licenses so they could buy access to the company’s storehouse of data. (That’s far different than the straight-up hacking that apparently occurred at Equifax and put far more people at risk.)
In ChoicePoint’s case, the bad guys got the goods on more than 160,000 people, including some Social Security numbers and credit reports. One guy was caught and sent to prison. Investigators worried that others got away.
It took ChoicePoint more than four months to publicly disclose the problem after it learned about it. The company said law enforcement urged them to hold off during the investigation, but an officer suggested it was the company that really pushed for the delay.
ChoicePoint CEO Derek Smith and president Doug Curling started selling nearly the $21 million in stock before the crisis was disclosed. The company said neither had been aware of the breach until sometime later, as goofy as that sounds. (Equifax has said the same about its executives who sold shares after its breach was discovered.)
ChoicePoint’s CEO said he should have been notified sooner.
The SEC investigated but didn’t bring charges over the stock sales.
The Federal Trade Commission, though, citing the breach itself, issued what was then its largest civil fine ever: $10 million. ChoicePoint also ponied up another $5 million in the settlement. A pile of other lawsuits apparently added millions more.
ChoicePoint executives had to put more attention to pesky issues like privacy, security, transparency and apologies. To their credit, they really did improve policies and practices, according to outside privacy watchers.
I tried getting in touch with Smith and Curling, but didn’t hear back from either.
In a speech at the University of Georgia a few year ago, Curling told business students that it can be smart to settle with regulators and plaintiffs’ lawyers and move on. “Time is your most precious resource. Money is not. You will make more money. You will not make more time.”
He also warned that a growing array of outsiders want to tell business leaders how to run companies.
“You can’t allow them to distract you or drain your energy,” Curling said. He suggested four options: ignore them, distract them, control them or convince them that you’re right.
Maybe there should be a fifth option: Consider that they might have a point.
At least initially, ChoicePoint and Equifax suffered from a similar tone deafness: an inability to fully anticipate, listen to and appreciate broader frustrations of the public.
As it turns out, ChoicePoint’s most senior leaders survived the bruising. The company’s stock regained much of its price losses, at least until the company ran into broader troubles with its position in the industry.
Eventually, ChoicePoint agreed to be bought by Reed Elsevier, which includes LexisNexis. It went for just over $4 billion, which valued shares higher than they were before the crisis. ChoicePoint’s CEO and president had heaps of stock to cash in.
Good things come to those who wait it out.
Which might also be the case for the identity thieves who recently got around Equifax’s defenses.
They may hold that precious data until consumers drop their guards — and Equifax’s offers of free credit monitoring and credit freezes expire.
Then it’ll be showtime again for the real victims.