Nearly two months ago, I wrote about movie rental chain Blockbuster Inc.’s plan to eliminate late fees [Loose Cannon: Blockbuster Bets: Will Customers Lose?, Direct Newsline, Dec. 19, 2004]. I suggested that Blockbuster would end up regretting its actions, as the company had not — to my mind — been forthcoming about some of the charges consumers would face.
As it happened, New Jersey Attorney General Peter Harvey agreed with me. Last week, Harvey filed a lawsuit alleging that the company had not disclosed key elements of its policy. I’ll spare you the legalese: Basically, Harvey and I agreed that “restocking fees” as well as an automatic charge to customers’ credit cards were the marks of no-goodniks.
Being able to say “neener, neener” is fun, but normally I’d stick a follow-up to a previous column into a little coda to the week’s missive. I’ve moved it up because the same feeling I had when I wrote the Blockbuster piece was back, accompanied by a sense of imminent dread, when I read about ChoicePoint, Inc.
Last week, data firm ChoicePoint acknowledged that it had sold consumer information to a number of dummy companies that turned out to be part of an identity-theft ring. The thieves gained access to nearly 145,000 consumer records. ChoicePoint has announced that it will re-screen its current customers and implement new security procedures for new clients.
In covering the breach, an Associated Press story filed on Feb. 17 included a damning paragraph. It read, in full: “Alpharetta, Ga.-based ChoicePoint initially only notified 35,000 people in California of the identity theft threat because the state has a law mandating the companies possession [sic] personal information must notify people if it is compromised.”
Somehow the AP got the impression that ChoicePoint was doing the right thing only because it was legally obliged to do so. (Fair’s fair: I haven’t seen this particular claim echoed in other coverage — but I haven’t seen all the coverage, either.) Regardless, that little statement is going to hurt.
At a minimum, count on California being joined by other states in the not-too-distant future. And I’ll take short odds that by the time the current Congress hangs up its spikes in 2006, a federal bill requiring coast-to-coast post-breach notification put forth by Senator Dianne Feinstein (D-CA) is going to have significant wind at its back, thanks to this latest mess.
The timing of the ChoicePoint incident couldn’t have been worse. In January, Washington Post reporter Robert O’Harrow Jr. released “No Place to Hide,” a book that comments extensively on post-Sept. 11 privacy concerns — including sections on consumer data aggregators. Oh, and last week hackers posted Paris Hilton’s cell-phone file of 500 celebrity numbers on the Internet. Count on the under-30 set to suddenly become aware of data protection concerns. Perfect storm, indeed!
Eventually, someone is going to look at the do-not-call list and submit legislation calling for an opt-out option for data aggregation for marketing purposes. When this happens, the compiled data industry will have lost control of the debate, and any points it tries to make, or benefits it tries to tout, will be reactive rather than proactive. With the ChoicePoint incident, compilers may have run out of time.
I look forward to seeing what their next move will be. I wish I had more confidence.
To respond to the opinions in this column, please contact [email protected]