CHOICEPOINT UPDATE….It turns out that the massive identify theft scam at ChoicePoint happened last October ? but nobody got notified until last week. And even that never would have happened if not for the fact that California has a law requiring disclosure of leakage of personal information. Security expert Bruce Schneier says the same thing is likely to happen again unless economic incentives are brought to bear:

ChoicePoint protects its data, but only to the extent that it values it. The hundreds of millions of people in ChoicePoint’s databases are not ChoicePoint’s customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. Maybe they should rename the company “NoChoicePoint.”

The upshot of this is that ChoicePoint doesn’t bear the costs of identity theft, so ChoicePoint doesn’t take those costs into account when figuring out how much money to spend on data security….Until ChoicePoint feels those costs ? whether through regulation or liability ? it has no economic incentive to reduce them.

Bruce is right. Unless ChoicePoint feels some pain, why should they care about keeping their records safe? Here’s the pain:

A California woman has sued ChoicePoint Inc. for fraud and negligence after criminals gained access to a database of personal records compiled by the company.

…. The suit seeks to represent anyone whose personal records were maintained by ChoicePoint from October 2004 through the completion of the suit, regardless of whether or not that data was actually released to anyone.

Let’s hope George Bush’s new law restricting class action suits doesn’t force this one into federal court and then into infinite limbo. At the moment, a civil suit is the only way to cause ChoicePoint enough pain to make them take security seriously.