The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Tuesday, November 08, 2005
ChoicePoint's most recent 10-Q filing with the SEC suggests that an additiona 17,000 consumers were affected by the high-profile data breach. See: ChoicePoint filing: 17,000 more may be fraud victims - 2005-11-08.
It's interesting to look at the filing itself, just to get a flavour of the cost of this issue to ChoicePoint and its impact upon their bottom line:
CHOICEPOINT INC (Form: 10-Q, Received: 11/08/2005 15:01:50):Fraudulent Data Access
ChoicePoint’s review of the Los Angeles fraudulent data access described in the Company’s Form 10-K for the year ended December 31, 2004 and other similar incidents is ongoing. The Company currently expects that the number of consumers to which it will send notice of potential fraudulent data access will increase from the approximately 162,000 consumers it has notified to date, but the Company does not anticipate that the increase will be significant.
As previously disclosed in the Company’s Form 10-K for the year ended December 31, 2004, ChoicePoint is continuing to strengthen its customer credentialing procedures and is recredentialing components of its customer base, particularly customers that have access to products that contain personally identifiable information. Further, the Company continues to review and investigate other matters related to credentialing and customer use. The Company’s investigations as well as those of law enforcement continue. The Company believes that there are other instances that will likely result in notification to consumers. As previously stated, the Company intends for consumers to be notified, irrespective of current state law requirements, if it is determined that their sensitive personally identifiable information has been acquired by unauthorized parties. The Company does not believe that the impact from notifying affected consumers will be material to the financial position, results of operations or cash flows of the Company.
On March 4, 2005, ChoicePoint announced that the Company will discontinue the sale of certain information services that contain sensitive consumer data, including social security numbers, except (1) where there is either a specific consumer driven transaction or benefit, or (2) where such services serve as authentication or fraud prevention tools provided to large accredited customers with existing consumer relationships, or (3) where the services support federal, state or local government and law enforcement purposes. The Company cannot currently accurately estimate the future impact that the customer fraud, related events and the decision to discontinue certain services will have on our operating results and financial condition. The Company will review various technology investments in this small business segment as well as other related costs incurred in serving this segment.
ChoicePoint incurred $5.4 million ($3.3 million net of taxes) in the first quarter of 2005, $6.0 million ($3.7 million net of taxes) in the second quarter of 2005, and $4.0 million ($2.5 million net of taxes) in the third quarter of 2005 for specific expenses related to the fraudulent data access previously disclosed. Approximately $2.0 million of the $15.5 million total charges through September 30, 2005 were for communications to, and credit reports and credit monitoring for, individuals receiving notice of the fraudulent data access and approximately $13.5 million for legal expenses and other professional fees. The Company currently estimates that it will incur additional incremental expenses as a result of the fraudulent data access of approximately $3 to $5 million in the fourth quarter of 2005. In addition, the publicity associated with these events or changes in regulation may materially harm the business and ChoicePoint’s relationship with customers or data suppliers.
The Company is involved in several legal proceedings or investigations that relate to these matters, as described in “Legal Proceedings” of this Form 10-Q. ChoicePoint is unable at this time to predict the outcome of these actions. The ultimate resolution of these matters could have a material adverse impact on the financial results, financial condition, and liquidity and on the trading price of the Company’s common stock. Regardless of the merits and ultimate outcome of these lawsuits and other proceedings, litigation and proceedings of this type are expensive and will require that substantial Company resources and executive time be devoted to defend these proceedings.
Security Breaches and Misuse of Information Services
Security breaches in the Company’s facilities, computer networks, and databases may cause harm to ChoicePoint’s business and reputation and result in a loss of customers. Many security measures have been instituted to protect the systems and to assure the marketplace that these systems are secure. However, despite such security measures, the Company’s systems may be vulnerable to physical intrusion, computer viruses, attacks by hackers or similar disruptive problems. Users may also obtain improper access to the Company’s information services if they use stolen identities or other fraudulent means to become ChoicePoint customers or by improperly accessing ChoicePoint’s information services through legitimate customer accounts. If users gain improper access to ChoicePoint’s databases, they may be able to steal, publish, delete or modify confidential third-party information that is stored or transmitted on the networks. A security or privacy breach may affect ChoicePoint in a variety of ways, including but not limited to, the following ways:
- deterring customers from using ChoicePoint’s products and services or resulting in a loss of existing customers;
- deterring data suppliers from supplying data to the Company;
- harming the Company’s reputation;
- exposing ChoicePoint to litigation and other liabilities;
- increasing operating expenses to correct problems caused by the breach;
- affecting the Company’s ability to meet customers’ expectations;
- causing inquiry from governmental authorities; or
- legislation that could materially affect the Company’s operations.
The Company expects that, despite its ongoing efforts to prevent fraudulent or improper activity, in the future it may detect additional incidents in which consumer data has been fraudulently or improperly acquired. The number of potentially affected consumers identified by any future incidents is obviously unknown. "
Labels: breach notification, choicepoint, information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.