"At least it wasn't us this time."
That was a common, if private, reaction among government officials to fraudulent use of data held by private-sector data aggregator ChoicePoint. According to company statements, it holds 19 billion records with personally identifiable information about almost every adult in the United States -- a subset of which was used in identify theft scams by unscrupulous customers.
Disclosure of the breach has been fodder for congressional hearings, an inquiry by the Federal Trade Commission, an investigation by the U.S. Securities and Exchange Commission, and a class action lawsuit charging that the company knew its internal controls were inadequate.
"This may be the first mass disclosure of personal information that triggers congressional action," said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), in published reports.
Indeed, the incident has renewed efforts to model federal legislation after the Security Breach Information Act, the California law that was a catalyst for disclosure in the ChoicePoint case.
Calls for reform will confront the complexity of relationships that rely on data aggregators for digital due diligence -- doing quickly and cheaply what would have been prohibitive under other circumstances. Digital due diligence is now the default choice for validating information in greasing the skids on huge volumes of routine economic transactions, including but not limited to closing on a house, transferring title on a car or hiring an employee.
Pragmatic policy-makers will surely struggle with the prospect of slowing down the real-time economy.
This is not just a private-sector problem. Government is the supplier of the unique, authoritative public record on identity to aggregators as both allowed and required by law. Even as government serves as a wholesale provider of public records, it is also a large-scale buyer of refined records from aggregators.
As is often cited in this debate, law enforcement -- including the federal departments of Homeland Security and Justice -- is increasingly reliant on third-party aggregators for identity verification. In the current environment, it's reasonable to expect exemptions for law enforcement in the name of national security in any new regulations.
Government reliance on aggregators goes much further. In addition to law enforcement, the ChoicePoint Web site details how the company has become an integral part of entitlement eligibility, child support enforcement, health care and housing -- even though most of us never knew its name. Add to the mix real-time background checks on medical professionals, clinics and other providers.
The value of all this has been to help "manage risk exposure, and reduce fraud and abuse" in the administration of public programs. Who would have argued with that, at least until there was a problem with a practice that suddenly seemed to operate outside of public view?
Exposing industry practices to sunlight will also shed light on practices internal to government as stewards of the authoritative public record.
We may not like what we see.
Still, it is a vital public conversation to have because it goes to the heart of public trust in institutions -- private and public. Make no mistake -- for government, it really is about us this time too.