Commentary

Liability, Not Overregulation

This article originally appeared in the San Francisco Examiner on March 15, 2005.

A new court case in Los Angeles may help to determine if companies are liable for damages when they fail to protect sensitive data. The ChoicePoint scandal may ultimately establish that holders of sensitive data have a legal responsibility to protect individuals they hold data on. When a company fails to protect this information, when its security practices are sloppy and lax, it may be held responsible for the consequences.

ChoicePoint is a consumer data company, part of a growing industry that collects and analyzes information about people’s lifestyles, wealth, and habits. This data is used in marketing, transaction verification, and credit scoring. Some of the data that the company collects is compiled into dossiers to help law enforcement circumvent the federal Privacy Act of 1974.

As we all know from the headlines, criminals recently defrauded ChoicePoint into revealing information about thousands of consumers.

Despite its Information Age trappings, the incident appears to be a classic case of corporate negligence. The crooks set up bogus companies to appear like legitimate clients and siphoned off the personal information of more than a hundred thousand Americans. They used this information to commit an as-yet-untold number of identity frauds.

Some politicians have used this massive identity fraud as an opportunity to argue for legislative action, maintaining that the government should plug “loopholes” or sew up the “patchwork of laws” that supposedly allowed this to happen.

In a Los Angeles courtroom this month, a 41-year-old Nigerian man named Olatunji Oluwatosin pled no contest to unlawful use of personal identification. He was sentenced to 16 months in state prison for his role in the ChoicePoint affair.

More importantly, a victim has filed suit in Los Angeles Superior Court, alleging that ChoicePoint was negligent. If she was harmed, she has a good case. The company probably violated a duty to protect her.

A California law requiring consumer notice of data breaches has been given too much credit in this case. It was ChoicePoint’s compliance with this law that broke the story, but it’s more a case of the law mandating what makes sense to do.

In August 2003, another data company called Acxiom suffered a data breach that was far less severe than the ChoicePoint theft. The company announced the breach publicly because it knew it should do so, not because of the California disclosure law, which was just a month old at the time and not yet applicable to the company.

Politicians are using consumer concerns to vilify the data collection industry in an attempt to bring it under further political control. But what the ChoicePoint incident really calls for is clear recognition that data holders are liable when they allow sensitive information to fall into the wrong hands.

Jim Harper is director of information policy studies at the Cato Institute.