To someone who has to spend hours notifying credit agencies and years watching over their shoulder for fraud, the victims of data heists such as that which happened to ChoicePoint are obvious.
Yet until recently, most laws have pointed to businesses, not individuals, as the victims of personal data theft.
The incidents that came to light this month are likely to change that. In fact, future consumers will likely thank ChoicePoint, Bank of America, and other companies for being the poster children for a problem that has gotten some recent attention, but little legislation: The security and integrity of personal data.
While scattered events over the past five years have caused consumers to be increasingly worried about identity theft, companies' collective feet have not been held to the fire. And why should they care?
The information retained by data-aggregators such as ChoicePoint does not hold value for that company or its clients, but only to the people whom it describes. When a fraudster uses the information to open accounts in the victim's name, merchants, banks and the person whom the data describes are harmed, but not the data-aggregator.
Without legislation or market forces holding data-aggregators accountable, is it really any wonder that these companies' security measures are not good enough?