The recent disclosure that criminals illegally obtained personal information from ChoicePoint Inc. is prompting the company to take action to improve the security of its insurance databases.Although no insurance-related information was stolen, ChoicePoint executives say, the Alpharetta, Ga.-based company intends to establish new auditing procedures and implement other measures to ensure that a similar policy breach will not occur for databases that house insurance information.
ChoicePoint executives are confident that the company's current procedures are adequate-given the fact that no insurance data has been pilfered since the company began collecting auto claims data in 1987.
Richard Collier, ChoicePoint's vice president and market leader for personal lines, says the company will implement new data security policies and procedures that he declined to disclose to INN. The company also will spend $1 million on an SAS 70 audit that will examine the company's data management processes and procedures. Collier expects the audit to be completed by mid-year.
"We have been in the insurance business for 17 years and we never have been compromised," he says. "We continue to look for ways to strengthen our tools and our procedures, but I can say that our customers' data is probably more secure than before this incident because we have audited all polices and reaffirmed our polices and procedures."
Last month, the company announced it no longer would sell information products that contain "sensitive" consumer data, including Social Security and driver's license numbers, except when there is a specific benefit to consumers, or for federal, state and local government and criminal justice purposes.
ChoicePoint's new policy "will not affect our insurance underwriting customers," Collier says. "They will continue to receive all the data they previously received, including driver's license numbers and Social Security numbers."
Insurers contacted for this article say they are confident that ChoicePoint will take the proper steps to ensure their databases are secure.
"When the story initially broke, it caught our eyes and ears because ChoicePoint is a company that we do business with," says Frank McConnell, assistant vice president, personal lines, with Safeco Insurance, Seattle. "But now that we understand the problem, it does not unduly concern us."
That sentiment was echoed by Allstate Insurance, Northbrook, Ill. Allstate and other insurers warehouse some policyholder data with Choice-Point as part of ChoicePoint's Current Carrier database.
"We are not impacted by the events," says William Mellander, an Allstate spokesperson. "My understanding from ChoicePoint is that no insurance data was compromised, and ChoicePoint told us that none of our data was compromised."
Data in, data out
More than 700 property/casualty insurers purchase ChoicePoint's data to underwrite new business or to renew existing policies, according to Collier.
ChoicePoint's C.L.U.E. (Comprehensive Loss Underwriting Exchange) Personal Auto database contains information on 98% of all automobile claims filed in the United States during the last five years. C.L.U.E. Personal Property houses information from 95% of all homeowners' claims filed in the last five years.
Only those carriers that submit claims files to C.L.U.E. can extract data for underwriting and rating purposes, Collier says. Data provided in the reports includes a policyholder's name, date of birth, policy number, claim information (date of loss, type of loss and amounts paid), and vehicle information (for auto policies).
"One step that we've taken to protect this information is that we only grant access to the information to those insurance companies that give us data and they must have a verifiable A.M. Best number," Collier says.
ChoicePoint's Current Carrier database contains information on current policies. Insurers use this information to verify if an applicant currently has coverage and whether there have been any lapses in coverage over time.
Collier estimates that information from 75% of all active policies is contained in this contributory database, which only can be accessed by carriers that supply information.
The scheme
Insurance represents about 35% of ChoicePoint's annual revenue, which totaled a record $918.7 million in 2004. By contrast, the personal records business, which was pilfered, represents just 2% of annual revenue.
Last September, ChoicePoint alerted the Los Angles County Sheriff's Department after the company suspected that individuals had established 50 bogus accounts to purchase personal information from ChoicePoint.
"These criminals were able to pass our customer authentication due diligence processes by using stolen identities to create and produce documents needed to appear legitimate," according to a ChoicePoint statement.
For a fee of $100 to $200 per account, the criminals obtained names, addresses, and a combination of Social Security numbers and/or driver's license numbers and, in some cases, abbreviated credit reports, according to ChoicePoint.
After Los Angeles police confirmed ChoicePoint's suspicions, the company in January notified 35,000 California residents by letter-in accordance with state law-that their records may have been compromised. Investigators later determined that the security breach was much wider and ChoicePoint began sending notification to an additional 110,000 consumers across the United States.
In February, a Nigerian native from North Hollywood pleaded no contest in California state court to felony identify theft in connection with the incident.
In March, ChoicePoint said law enforcement officials identified and notified approximately 750 consumers nationwide that some of their identity information had been compromised.
Business as usual
At press time, no insurers have cancelled their relationship with ChoicePoint, according to Collier. Carriers contacted for this article say they are encouraged by ChoicePoint's reaction to the breach.
"It appears that ChoicePoint is taking the appropriate steps that a responsible company would do to safeguard its data," Safeco's McConnell says. "What you want to look for is how are they conducting a crisis review, and it appears that what they are doing is prudent and diligent."
Allstate's Mellander says Choice-Point executives contacted the carrier to explain the breach "and that they are investigating the matter to our standards to ensure that their internal procedures and policies meet the standards of Allstate. Our focus now is to make sure we are aware of all of the facts and to make sure that the vendor meets our high standards for protecting personal information."
It remains to be seen whether there will be any fallout from the incident and its aftermath on insurers. ChoicePoint revealed in an 8-K filing with the Securities and Exchange Commission that the Federal Trade Commission is looking into ChoicePoint's compliance with federal laws governing consumer information security and related issues.
"This may be a situation where perception is just as important as reality," says Craig Weber, an analyst with Celent Communications Inc., Boston.
"The truth is that no insurance data was stolen, but any tie you have to a company that doesn't protect data is a public relations problem, especially in this environment where regulatory bodies and state attorneys general are really looking closely at the industry."
