President, COO and Director
April 13, 2005
Testimony of Douglas C. Curling,
President and Chief Operating Officer
Before the U.S. Senate Committee on the Judiciary
April 13, 2005
Chairman Specter, Senator Leahy and Members of the Committee:
Good morning, I'm Doug Curling, President and Chief Operating Officer of ChoicePoint.
At ChoicePoint, we recognize that in an increasingly risky world, information and technology can be used to help create a safer, more secure society. At the same time, we know, and have been painfully reminded by recent events, that there can be negative consequences to the improper access to personally identifiable data.
On behalf of ChoicePoint, let me again offer our sincere apology to those consumers whose information may have been accessed by the criminals who perpetrated this fraud. As a result of these experiences, we've made fundamental changes to our business model and products to prevent this from happening in the future. I will share details of these actions in a moment.
First, however, I'd like to share with you a little background about our company. ChoicePoint is a leading provider of identification and credential verification services to businesses, government, and non-profit organizations. We have 5,000 associates in 60 locations. We serve more than 7,000 federal, state and local law enforcement agencies, as well as a significant number of Fortune 500 companies, more than 700 insurance companies and many large financial services institutions.
The majority of transactions our business supports are initiated by consumers. Last year, ChoicePoint helped over 100 million American consumers secure home and auto insurance. We also helped more than 7 million Americans get jobs through our workplace pre-employment screening services. We helped more than one million consumers obtain expedited copies of their vital records - birth, death and marriage certificates.
In addition to helping consumers, we're also proud of our role in helping law enforcement officials solve crimes, including the identification of the D.C.-area snipers. ChoicePoint helps agencies at all levels of government fulfill their mission to safeguard our country and its citizens.
Our products and services are also used by many non-profit organizations. For example, we have identified 11,000 undisclosed felons among those volunteering or seeking to volunteer with the nation's leading youth organizations. In addition, using information and tools supplied by us, the National Center for Missing and Exploited Children has helped return more than 800 children to their loved ones.
Mr. Chairman, apart from what we do, I also understand that the Committee is interested in how our business is regulated by federal legislation as well as various state regulations, including the Fair Credit Reporting Act (FCRA) and the recently enacted companion FACT Act, the Gramm-Leach-Bliley Act (GLB), and the Drivers Privacy Protection Act (DPPA).
? Approximately 60 percent of ChoicePoint's business is driven by consumer initiated transactions, most of which are regulated by the FCRA. These include pre-employment screening, auto and home insurance underwriting services, tenant screening services, and facilitating the delivery of vital records to consumers.
? Nine percent of ChoicePoint's business is related to Marketing Services, none of which include the distribution of personally identifiable information. Even so, we are regulated by state and federal "do not mail" and "do not call" legislation and, for some services, the FCRA.
? Five percent of ChoicePoint's business is related to supporting law enforcement agencies in pursuit of their investigative missions through information and data services.
? Six percent of our business supports law firms, financial institutions and general business to help mitigate fraud through data and authentication services.
? The final 20 percent of our business consists of software and technology services that do not include the distribution of personally identifiable information.
Financial and identity fraud is a rapidly growing and costly threat to our nation's economy. While we offer a wide range of tools to help avoid fraud, no one is immune to it, as we and other companies and institutions are learning.
ChoicePoint has previously provided Congress with information about how identity thieves in California were able to access our products. As you know, California has been the only state that requires consumers to be notified of a potential breach of personally identifiable information. We not only followed California law, we built upon it and voluntarily notified consumers who may have been impacted across the country, and we did that before anyone called upon us to do so. We've also taken other steps to help assist and protect the consumers who may have been harmed in this incident.
First, we've arranged for a dedicated Web site and toll-free number for affected consumers where they can access additional information and take advantage of a range of tools not required by any federal or state law;
Second, we're providing, free of charge, a 3-bureau credit report; and
Third, we're providing, free of charge, a one year subscription to a credit
In addition to helping those affected consumers, we've taken strong remedial action and made fundamental changes to our business and products:
? ChoicePoint has decided to discontinue the sale of information products that contain personally identifiable information unless those products and services meet one of three tests:
1. The product supports consumer driven transactions such as insurance, employment and tenant screening, or provides consumers with access to their own data;
2. The product provides authentication or fraud prevention tools to large accredited corporate customers where consumers have existing relationships; or
3. When personally identifiable information is needed to assist federal, state or local government and criminal justice agencies in their important missions.
? Second, we've strengthened ChoicePoint's customer credentialing process. We are requiring additional due diligence such as bank references and site visits before allowing businesses access to personally identifiable information. We're re-credentialing broad sections of our customer base, including our small business customers.
? Third, we've created an independent office of Credentialing, Compliance and Privacy that will ultimately report to our Board of Directors' Privacy Committee.
This office will be led by Carol DiBattiste, the out-going deputy administrator of the Transportation Security Administration and a former senior prosecutor in the Department of Justice with extensive experience in the detection and prosecution of financial fraud.
? Fourth, we've appointed Robert McConnell, a 28-year veteran of the Secret Service and former chief of the federal government's Nigerian Organized Crime Task Force, to serve as our liaison to law enforcement officials. In this role, he will work aggressively to ensure that criminal activities are investigated and prosecuted to the fullest extent possible. He will also help us ensure that our security and safeguards procedures continue to evolve and improve.
Let me close by speaking about the issues that must be addressed as we seek to balance the security of consumer information against the legitimate needs of business and government.
Let me be clear and unequivocal:
1. We support increased resources for law enforcement efforts to combat identity theft and stronger penalties for the theft of personally identifiable data.
2. We support independent oversight and increased accountability for those who handle sensitive personal data, including public record data;
3. We support a preemptive national notification law;
4. Finally, we support providing consumers with the right to access and question the accuracy of public record information used to make decisions about them.
I appreciate the opportunity to appear before you today and would be pleased to answer any questions that you might have.