Order Code RS22137
May 5, 2005
CRS Report for Congress
Received through the CRS Web
Data Brokers: Background and Industry Overview
Nathan Brooks
Legislative Attorney
American Law Division
Summary
Recent disclosures of breaches of the customer databases of LexisNexis and
ChoicePoint have raised interest in the business and regulation of data brokers,
companies that collect personal information from public and private records and sell this
information to public and private sector entities. The growth of this industry has
generally tracked the post-9/11 increase in government and private sector interest in
quickly accessing personal information. The broad access to personal information that
data brokers offer, however, has spurred concern as to the dangers of identity theft. This
report provides an overview of the data brokerage industry and more specific
background on LexisNexis and ChoicePoint.
Introduction
In the first few months of 2005, two leading data brokers, LexisNexis and
ChoicePoint, announced that unauthorized individuals had breached their security
measures and obtained personal information (e.g., Social Security numbers, addresses)
about hundreds of thousands of individuals. These companies and others like them – so-called
“data brokers” – operate largely free from federal and state regulation.1 The recent
scandals have led to calls for tighter regulation of the data brokerage industry, creating the
need for more complete information on the types of businesses that make up this industry,
and the types of services they provide. This report provides an overview of the industry
and specific case studies of ChoicePoint and LexisNexis.
The Data Brokerage Industry
Personal information for background checks is of course essential for employers and
criminal investigators. Businesses that have been able to use the Internet to quickly
provide such information have grown tremendously over the past five years, as the events
of September 11, 2001, and the subsequent war on terror have put a premium on accurate
1 See CRS Report RS22087, Information Brokers: Federal and State Laws, by Angie A. Welborn.
Congressional Research Service, The Library of Congress
identification of individuals in both the public and private sectors.2 “Data brokers” –
companies like ChoicePoint, LexisNexis, Acxiom, Experian, US Search, and Information
Search – have prospered by fulfilling this need.3 Law enforcement, in particular, has
found data brokers useful, as these private companies maintain and organize personal
information on individuals in a manner that may not be legally available to government
actors.4 The Privacy Act, for example, requires federal agencies to limit the amount of
information on American citizens that these agencies maintain and disseminate.5
Most data brokers sell data that they collect from public records (e.g., driver’s license
records, vehicle registration records, criminal records, voter registration records, property
records, occupational licensing records) or from warranty cards, credit applications, etc.6
In addition, data brokers purchase so-called “credit headers” from credit reporting
agencies. Information on a credit header generally includes a person’s Social Security
number, address, phone numbers, and birth date.7 While the release of certain
information, such as data associated with a credit report, is subject to federal law, data
brokers are largely free from state and federal regulation.8
Generally, companies or government agencies purchase from data brokers
information about an individual – including his or her Social Security number – in order
to conduct background checks or otherwise verify someone’s identity. The vast majority
of these transactions are conducted via the Internet, rather than person-to-person.9 Of
course, the anonymity of most data brokerage transactions has opened the door for
criminals to pose as legitimate businesses and obtain vital information about an individual
– usually a Social Security number – and steal his or her identity. It has been reported in
the past, for example, that identity thieves – using stolen credit card numbers – have
obtained information about victims and transferred funds from the victims’ accounts,
written phony checks against those accounts, etc.10 As the following case studies show,
2 Title III of the USA PATRIOT Act (P.L. 107-56), for example, mandated “Know Your
Customer” requirements – and stiff penalties for failing to comply – on a wide array of financial
institutions. See CRS Report RL31208, International Money Laundering Abatement and
Anti-Terrorist Financing Act of 2001, Title III of P.L. 107-56 (USA PATRIOT Act), by M. Maureen
Murphy.
3 See Robert O’Harrow, Jr., In Age of Security, Firms Mine Wealth of Personal Data, Washington
Post, January 20, 2005, at A1.
4 For a discussion of how, in light of these limitations, agencies find data brokers useful, see
Glenn R. Simpson, FBI’s Reliance on the Private Sector Has Raised Some Privacy Concerns,
Wall Street Journal, April 13, 2001.
5 5 U.S.C. § 552a.
6 See Note, The Internet: Privacy Lost, Identities Stolen, by Stephanie Byers, 40 Brandeis L.J.
141, 144 (2001).
7 Id.
8 See CRS Report RS22087, Information Brokers: Federal and State Laws, by Angie A. Welborn.
9 For information on the Internet and identity theft generally, see CRS Report RS22082, Identity
Theft: The Internet Connection, by Marcia S. Smith.
10 See, e.g., Robert O’Harrow, Jr., Identity Thieves Thrive in Information Age, Washington Post,
(continued...)
the danger of identity theft remains, despite the implementation of tighter safeguards by
data brokers.
Case Studies: ChoicePoint and LexisNexis
While the growth of companies that gather and sell information has tracked the rise
of personal computers since the early 1980s, two events led to the exponential growth of
data brokerage firms since 2000: (1) the explosion of the Internet throughout the 1990s;
and (2) the development by Florida-based programmer John Asher of parallel
programming software allowing a researcher to use bits of information about an
individual (e.g., name, Social Security number, etc.) to search several databases
simultaneously and find more information about that person within seconds. Asher built
two companies on this technology, and later sold the companies to ChoicePoint and
LexisNexis, who have used the technology to become two of the most successful data
brokers in the world.11
ChoicePoint. One of the largest and most profitable data brokers in the United
States is Georgia-based ChoicePoint. ChoicePoint sells data to a wide variety of entities,
from insurers to law enforcement.12 Originally formed as a spin-off of credit reporting
agency Equifax in 1997, ChoicePoint has grown to dominate the data brokerage market
by purchasing a number of smaller, more specialized data brokers and operating several
subsidiaries in various states.13 ChoicePoint’s total annual revenue has grown in this time
period from $585 million in 2000 to nearly $1 billion in 2004.14
The products ChoicePoint offers reflect the sophistication in the data brokerage
industry that demand and competition have created. ChoicePoint not only groups
personal information together according to what type of background check is being
conducted – e.g., pre-employment screenings – but also offers “Soundex” searches that allow
customers to search for personal information based on how names sound, rather than how
10 (...continued)
May 31, 2001, at A1 (recounting the story of Rita Johnson, who was the victim of identity theft.
Criminals stole credit card statements and other documents containing personal information from
Mrs. Johnson’s mailbox. They used this information to pose as legitimate employers and obtain
from data brokers various Social Security numbers, which the criminals then used to order more
credit cards and raid bank accounts).
11 See Stephen Pounds, Identity Complex: Data Brokers Files Are Extensive, As Are Their
Destinations, Palm Beach Post, April 10, 2005, found at
[http://www.palmbeachpost.com/business/content/business/epaper/2005/04/10/a1f_data_0410.html]
(last visited May 4, 2005).
12 See, e.g., Chris Jay Hoofnagle, Big Brother’s Little Helper: How Choicepoint and Other
Commercial Data Brokers Collect and Package Your Data for Law Enforcement, 29 N.C. J. Int’l
L. & Com. Reg. 595 (2004).
13 Id. at 602.
14 Choicepoint 2004 Annual Report, found at
[http://library.corporate-ir.net/library/95/952/95293/items/143458/2004ar.pdf] (last visited May 4, 2005).
they are spelled.15 In addition, ChoicePoint allows law enforcement to link suspects to
former addresses, neighbors, etc.16
As mentioned above, the data brokerage industry has grown increasingly close to law
enforcement agencies in the last few years, and ChoicePoint’s relationship with law
enforcement agencies is indicative of this fact.17 ChoicePoint has a multi-million dollar
contract with the Department of Justice, and the company maintains federal
agency-specific websites to facilitate searches by officers from those agencies.18
Up until recently, ChoicePoint guarded access to its information by requiring
customers to provide business records on file with government agencies, copies of
drivers’ licenses, and other information identifying customers as legitimate businesses.
Unfortunately, at least one criminal ring began creating sham businesses and identities in
order to get around these requirements, and a Los Angeles-based sting operation in 2004
uncovered evidence leading authorities to conclude that the ring had accessed
ChoicePoint’s information on roughly 145,000 people.19 As the scandal unfolded,
ChoicePoint drew heated criticism for refusing to notify many of those whose personal
information had been accessed. At first, ChoicePoint only notified victims residing in
California, as that is the only state with a law requiring such notification when personal
information is compromised.20 Only after a public outcry did ChoicePoint agree to notify
victims outside of California.
LexisNexis. LexisNexis has been one of the leading information research engines
for over two decades. In August, 2004, LexisNexis’ parent company, London-based Reed
Elsevier, purchased data broker Seisint (an Asher creation) for $775 million and made it
a unit of LexisNexis. Among other things, Seisint provides data for Matrix, a crime and
terrorism database that, until recently, was funded by the federal government.
Very soon after the ChoicePoint scandal, LexisNexis reported that unauthorized
individuals had accessed the personal information of about 32,000 customers of the
company’s data brokerage unit by entering the passwords of legitimate customers. A
few weeks later, that estimate had risen to over 300,000.21 These individuals somehow
15 See Hoofnagle, supra note 12, at 601-602.
16 Id. A complete list of Choicepoint’s products and services can be found at
[http://www.choicepoint.net/business/all/all_products.html] (Last visited May 4, 2005).
17 See, e.g., Glenn R. Simpson, FBI’s Reliance on the Private Sector Has Raised Some Privacy
Concerns, Wall Street Journal, April 13, 2001.
18 The Drug Enforcement Agency’s access point, for example, is [http://www.cpdea.com] (Last
visited May 4, 2005).
19 See Robert O’Harrow, Jr., Choicepoint Data Cache Became a Powder Keg, Washington Post,
March 5, 2005, at A1.
20 Cal. Civ. Code §§ 1798.82, 1798.29. In the wake of the Choicepoint and LexisNexis scandals,
similar legislation has been introduced in several states. See
[http://www.ncsl.org/programs/lis/cip/priv/breach.htm] (Last visited May 4, 2005).
21 See Associated Press, LexisNexis Theft Much Worse Than Thought, April 12, 2005, found at
(continued...)
acquired passwords of paying customers of Seisint’s “Accurint” service, which generally
charges $4.50 for packaged information about an individual. Using the legitimate
passwords, the hackers were able to access personal information ranging from Social
Security numbers to home addresses to driver’s license numbers.
Conclusion
As the market for personal information has grown – particularly in light of the war
on terror – so too has the data brokerage industry. The ChoicePoint and
LexisNexis scandals, however, have spurred debate over the security of data brokers’
databases. In March, 2005, the House Energy and Commerce Committee’s Subcommittee
on Commerce, Trade, and Consumer Protection held hearings on the issue, and one month
later the Senate Judiciary Committee held hearings focusing on the ChoicePoint and
LexisNexis scandals. In prepared testimony for the Senate hearing, Douglas Curling,
COO and Director of ChoicePoint, announced some new safeguards that the company has
introduced in order to protect personal information from identity thieves. These include
narrowing the types of businesses to which ChoicePoint will sell information, and
strengthening ChoicePoint’s credentialing process to ensure that the company can
accurately identify its customers.22
While other data brokers are likely to follow ChoicePoint’s lead and install
additional safeguards, some believe that federal legislation is also required. Senator
Feinstein has introduced S. 751, a bill modeled after the California law discussed above,
which would require notification of individuals whose identities are compromised. In
addition, several other bills have been introduced to fight identity theft related to data
brokers or to require disclosure in more limited contexts.23
21 (...continued)
[http://msnbc.msn.com/id/7475594/] (Last visited May 4, 2005).
22 The hearing testimony is available at [http://judiciary.senate.gov/hearing.cfm?id=1437] (Last
visited May 4, 2005).
23 See, e.g., H.R. 1069, S. 115, S. 500, S. 768.