WITNESSES:
KURT SANFORD, PRESIDENT/CEO, U.S. CORPORATE AND FEDERAL GOVERNMENT MARKETS, LEXISNEXIS
DOUGLAS CURLING, PRESIDENT/COO, CHOICEPOINT, INC.
KERRY: Thank you, Mr. Chairman. I apologize for being late, but we had competing meetings -- as is always the case here.
I apologize to the witnesses.
I've tried to get an update as fast as possible so I'm not overly repetitive or repetitive here, and I know a lot of questions -- good questions -- have been asked.
Obviously, from the participation here today, you can get a sense of the importance, but you already knew that before you came here because of the outcry publicly and the concerns that people are expressing. And the moving sort of (ph) model statewide, beginning with California, of regulation are obviously an indication of people's desire to do something.
I understand your business models, and I understand that the information you provide is obviously often used for very valid purposes; but as we move forward, the question of how to protect this is, needless to say, critical.
During the campaign last year -- and I think it came to fruition yesterday or today -- President Bush and I both talked about e-medical records and the need to try to reduce costs in the medical system, and obviously that's critical.
I wonder if you could share with us a little bit: First of all, what types of personal information currently do you maintain in your product lines? -- including information based on biometrics, DNA and medical records.
Mr. Curling?
CURLING: We don't maintain any data on biometrics, DNA or medical data. The data...
KERRY: Might you as this opens up now, with a certain amount of money? Is this not a lucrative business prospect?
CURLING: I don't know whether it's a lucrative business prospect or not, but it's not an area where we have a lot of expertise or traction.
We do have a DNA laboratory that supports our law enforcement initiatives, but that laboratory -- Bode Labs -- merely takes specimens on behalf of law enforcement agencies, processes the DNA, maintains chains of custody, and turns that back over to them for forensic purposes.
Our scientists have been to Thailand to work on the tsunami. We identified the victims of the World Trade Center tragedy through that laboratory. But it's a forensic science laboratory that's really an extension of the services we do to support law enforcement, not part of our business model that we necessarily embrace. I think it is possible that the identifiers that we all begin to see more used in our society are perhaps biometric identifiers you're seeing today, technological solutions beginning to be deployed, that use authentications exceeding user IDs and passwords and incorporating things like biometrics, but that's not something that, in the industry that I'm in, is heavily in use today.
KERRY: Mr. Sanford?
SANFORD: We don't collect medical information, Senator, or biometrics or DNA either.
KERRY: What about that information, Mr. Curling, that you do collect, in terms of the forensic chain of custody -- is there any intrusive link in there that should be of concern?
CURLING: No, sir. That data doesn't get -- the data repositories in ChoicePoint are generally housed at the product level. None of the information in Bode Laboratories -- which is in Springfield, Virginia -- goes out of the laboratory into other places in ChoicePoint.
KERRY: When you say you changed your business model and essentially tightened procedures, what loopholes did you tighten?
CURLING: Well, I don't know that I would say we tightened loopholes. We made business decisions that we thought were in the best interests of our company, given the experiences that we've had, and they were basically twofold.
One, there are businesses that are hard to credential -- those are small businesses -- and given that the preponderance of our revenue is in large either government contracts or of commercial enterprises, small businesses are simply something that's awful hard for us to adequately credential and ensure that we know exactly who on the other end is buying the information products.
We chose to exit the market of selling sensitive personal information to those businesses, even though they have legitimate business interests to get at -- and, you know, certainly small businesses face many of the challenges that big businesses do.
Secondly, there are products that we sell that, while legal, don't have direct consumer benefit, and so we chose to not sell certain segments of the marketplace sensitive personal data that they're legally entitled to get but they don't fit our business model.
KERRY: Was that small business changed specifically in response to the Nigerian...
CURLING: Yes, it was.
KERRY: It was, okay.
Is it your judgment now that those two problems were the only two problems, or are you taking further steps that we should be aware of?
CURLING: Well, our investigations and those of law enforcement continue. We tend to think of security risks in five different categories: basic physical possession risk -- which you can think of as common burglary or just loss of data; secondarily, the hacking potential -- and we have, like most in our industry, monitoring software and extensive tools to try and monitor and track and prevent hacking attempts; you have properly-credentialed customers that have an employee that does a search they're not permitted to do -- you know, the typical scenario of doing a background check on somebody's girlfriend or neighbor; you have properly-credentialed customers that lose track of passwords and user IDs -- of which you've already heard testimony today; and then, lastly, you have customers that get past credentialing procedures, that simply should not have been credentialed as customers -- and that's the experience we most recently had, where the notices were driven by.
KERRY: With respect to the law enforcement agencies, I gather you sell information to about 7,000 agencies? Is that correct?
CURLING: We serve 7,000 agencies. A lot of those don't buy data -- they're buying software or tools from us.
KERRY: So is there any limitation on the sale of that information to law enforcement?
CURLING: Well, we're limited by the type of information we're able to legally obtain from the repositories. The states have laws -- as does the federal government -- about what data can be sold, under what conditions it can be used.
KERRY: So that's established by the states.
CURLING: And by federal government. But, Senator, and as I testified earlier today, largely the federal agencies are turning to us to buy otherwise readily available public record information; they're merely turning to us for convenience and cost...
(CROSSTALK)
KERRY: And to which law enforcement agencies do you currently sell this -- what I assume can be termed -- sensitive consumer information?
CURLING: We sell to a wide variety of federal -- we serve most of the federal law enforcement agencies and many state and local law enforcement agencies.
KERRY: Is there any standard of probable cause?
CURLING: We have circumstances under which they inform us they want to buy data for investigations; but we're not privy -- nor would you want us to be -- to the actual investigations those law enforcement agencies are conducting.
KERRY: So it's an automatic affirmative response for information.
CURLING: In most cases, yes, sir.
KERRY: No matter what.
A few years ago you acquired VitalChek, which is a company responsible for handling vital records -- birth, death, marriage, divorce -- in all 50 states. How is that information shared with ChoicePoint?
CURLING: It's not. That's an ordering and payment platform where a consumer orders a vital record directly from a vital records office. We provide a technology infrastructure to those vital records offices. They receive the customer order, they pull the vital record, and they deliver it through secured carrier directly back to the consumer; the records never come through ChoicePoint.
KERRY: So there's no transfer of any of that information outside of VitalChek itself.
CURLING: No, sir.
KERRY: Do both of you accept the premise -- that I think has been bouncing around here today -- that reasonable security standards ought to apply universally to any custodian of sensitive personal information?
SANFORD: Yes, Senator.
KERRY: And Mr. Curling?
CURLING: (OFF-MIKE)
KERRY: I think most of the other questions were touched on.
Let me just ask you, for my own edification: How do you collect and maintain, store and protect the information? What's the process by which you do that? -- if you could go through that. Mr. Curling? How do you collect the information and maintain it and store it, how do you go about that?
CURLING: It varies widely by market. In the largest market we serve -- which is the insurance market -- we gateway directly to states to get motor vehicle records and driver's license records, in most cases, and we deliver those back directly to our insurance customers, an application at a time.
So when an application comes in, we break that application down against some decision rules the insurance companies have given us, and then we begin to buy information products. Sometimes they're products that we database and warehouse; sometimes we go gateway to them.
KERRY: Do you gateway to credit check companies, credit companies?
CURLING: We do.
KERRY: Do you see any distinction between the information that you use and sell and the information that's on somebody's credit record?
CURLING: In many cases, from a regulatory standpoint, there's not a difference. We are a consumer reporting agency governed by the FCRA in many of the information products we have. The insurance products would be FCRA products. We would be treated similar to a credit reporting company. The same is true for our preemployment workplace solutions product and our tenant-screening products.
KERRY: Do you think, from a legal point of view, that any individual in America, as a citizen, has a proprietary interest in their own information?
CURLING: I think citizens are obviously very concerned about the data...
(CROSSTALK)
KERRY: Proprietary information, proprietary interest.
In other words, should you be trafficking in their information and they have no participation in the process?
CURLING: Again, the majority of our transactions that contain sensitive consumer information are initiated directly by consumers, so the transaction would not happen if a consumer hadn't initiated it.
KERRY: Of course, that depends on knowledge standard, right, the knowledge standard? I mean, the opt-in, opt-out, whether they know or don't know...
CURLING: Well, they applied for an automobile insurance policy, and on the application...
KERRY: But they didn't apply to have their information go to you, to be winning you a profit for the transfer of whatever their life is, did they?
CURLING: I wouldn't know, Senator.
KERRY: Mr. Sanford?
SANFORD: I don't believe that a proprietary standard is workable. We use public record information to provide very vital services that actually help the consumer...
KERRY: Is the information of a credit company a public record or is it private, privately held...
SANFORD: We don't collect...
KERRY: ... on a specific kind of contract relationship, the contract between the individual and that particular entity?
SANFORD: We do not collect financial or credit information on individuals, so -- we're not in that business.
KERRY: Mr. Curling, what about that? Is it specifically...
CURLING: I'm not an expert in the Fair Credit Reporting Act, but I believe that a consumer -- a credit reporting agency has opt-in and opt-out -- both -- provisions on it with respect to certain uses of their products, and in many cases our products are regulated by the FTC under FCRA, just as they are.
KERRY: I think one of the things, Mr. Chairman, we're going to have to think through very carefully as we go forward is: What is the level of knowledge and option available to anybody, as to how far and how wide their information goes, and I think that's central to this.
I thank you.
SMITH: Thank you, Senator Kerry.