

Order Code RS22137
Updated January 12, 2007
Data Brokers: Background and Industry Overview
Gina Marie Stevens
Legislative Attorney
American Law Division
Summary
Disclosures of breaches of the customer databases of LexisNexis and ChoicePoint
have raised interest in the business and regulation of data brokers, companies that collect
personal information from public and private records and sell this information to public
and private sector entities. The growth of this industry has generally tracked the
post-9/11 increase in government and private sector interest in quickly accessing personal
information. The broad access to personal information that data brokers offer, however,
has spurred concern as to the dangers of identity theft. This report provides an overview
of the data brokerage industry and more specific background on LexisNexis and
ChoicePoint.
Introduction1
In the first few months of 2005, two leading data brokers, LexisNexis and
ChoicePoint, announced that unauthorized individuals had breached their security
measures and obtained personal information (e.g., Social Security numbers, addresses)
about hundreds of thousands of individuals. These companies and others like them —
so-called “data brokers” — operate largely free from federal and state regulation.2 The recent
scandals have led to calls for tighter regulation of the data brokerage industry, creating the
need for more complete information on the types of businesses that make up this industry,
and the types of services they provide. This report provides an overview of the industry
and specific case studies of ChoicePoint and LexisNexis.
The Data Brokerage Industry
Personal information for background checks is of course essential for employers and
criminal investigators. Businesses that have been able to use the Internet to quickly
provide such information have grown tremendously over the past five years, as the events
of September 11, 2001, and the subsequent war on terror have put a premium on accurate
identification of individuals in both the public and private sectors.3 “Data brokers” —
companies like ChoicePoint, LexisNexis, Acxiom, Experian, US Search, and Information
Search — have prospered by fulfilling this need.4 Law enforcement, in particular, has
found data brokers useful, as these private companies maintain and organize personal
information on individuals in a manner that may not be legally available to government
actors.5 The Privacy Act, for example, requires federal agencies to limit the amount of
information on American citizens that these agencies maintain and disseminate.6
1 This report was originally prepared by Nathan Brooks, Legislative Attorney.
2 See CRS Report RS22087, Information Brokers: Federal and State Laws, by Angie A. Welborn.
Most data brokers sell data that they collect from public records (e.g., driver’s license
records, vehicle registration records, criminal records, voter registration records, property
records, occupational licensing records) or from warranty cards, credit applications, etc.7
In addition, data brokers purchase so-called “credit headers” from credit reporting
agencies. Information on a credit header generally includes a person’s Social Security
number, address, phone numbers, and birth date.8 While the release of certain
information, such as data associated with a credit report, is subject to federal law, data
brokers are largely free from state and federal regulation.9
Generally, companies or government agencies purchase from data brokers
information about an individual — including his or her Social Security number — in
order to conduct background checks or otherwise verify someone’s identity. The vast
majority of these transactions are conducted via the Internet, rather than
person-to-person.10 Of course, the anonymity of most data brokerage transactions has opened the
door for criminals to pose as legitimate businesses and obtain vital information about an
individual — usually a Social Security number — and steal his or her identity. It has
been reported in the past, for example, that identity thieves — using stolen credit card
numbers — have obtained information about victims and transferred funds from the
victims’ accounts, written phony checks against those accounts, etc.11 As the following
case studies show, the danger of identity theft remains, despite the implementation of
tighter safeguards by data brokers.
3 Title III of the USA PATRIOT Act (P.L. 107-56), for example, mandated “Know Your
Customer” requirements — and stiff penalties for failing to comply — on a wide array of
financial institutions. See CRS Report RL31208, International Money Laundering Abatement
and Anti-Terrorist Financing Act of 2001, Title III of P.L. 107-56 (USA PATRIOT Act), by M.
Maureen Murphy.
4 See Robert O’Harrow, Jr., “In Age of Security, Firms Mine Wealth of Personal Data,”
Washington Post, January 20, 2005, at A1.
5 For a discussion of how, in light of these limitations, agencies find data brokers useful, see
Glenn R. Simpson, “FBI’s Reliance on the Private Sector Has Raised Some Privacy Concerns,”
Wall Street Journal, April 13, 2001.
6 5 U.S.C. § 552a.
7 See Note, The Internet: Privacy Lost, Identities Stolen, by Stephanie Byers, 40 Brandeis L.J.
141, 144 (2001).
8 Id.
9 See CRS Report RS22087, Information Brokers: Federal and State Laws, by Angie A. Welborn.
10 For information on the Internet and identity theft generally, see CRS Report RS22082, Identity
Theft: The Internet Connection, by Marcia S. Smith.
Case Studies: ChoicePoint and LexisNexis
While the growth of companies that gather and sell information has tracked the rise
of personal computers since the early 1980s, two events led to the exponential growth
of data brokerage firms since 2000: (1) the explosion of the Internet throughout the
1990s; and (2) the development by Florida-based programmer John Asher of parallel
programming software allowing a researcher to use bits of information about an
individual (e.g., name, Social Security number) to search several databases simultaneously
and find more information about that person within seconds. Asher built two companies
on this technology, and later sold the companies to ChoicePoint and LexisNexis, who
have used the technology to become two of the most successful data brokers in the
world.12
ChoicePoint. One of the largest and most profitable data brokers in the United
States is Georgia-based ChoicePoint. ChoicePoint sells data to a wide variety of entities,
from insurers to law enforcement.13 Originally formed as a spin-off of credit reporting
agency Equifax in 1997, ChoicePoint has grown to dominate the data brokerage market
by purchasing a number of smaller, more specialized data brokers and operating several
subsidiaries in various states.14 ChoicePoint’s total annual revenue has grown in this time
period from $585 million in 2000 to nearly $1 billion in 2004.15
The products ChoicePoint offers reflect the sophistication in the data brokerage
industry that demand and competition have created. ChoicePoint not only groups
personal information together according to what type of background check is being
conducted — e.g., pre-employment screenings — but also offers “Soundex” searches that allow
customers to search for personal information based on how names sound, rather than how
they are spelled.16 In addition, ChoicePoint allows law enforcement to link suspects to
former addresses, neighbors, etc.17
11 See, e.g., Robert O’Harrow, Jr., “Identity Thieves Thrive in Information Age,” Washington
Post, May 31, 2001, at A1 (recounting the story of Rita Johnson, who was the victim of identity
theft. Criminals stole credit card statements and other documents containing personal
information from Mrs. Johnson’s mailbox. They used this information to pose as legitimate
employers and obtain from data brokers various Social Security numbers, which the criminals
then used to order more credit cards and raid bank accounts).
12 See Stephen Pounds, Identity Complex: Data Brokers Files Are Extensive, As Are Their
Destinations, Palm Beach Post, April 10, 2005, found at
[http://www.palmbeachpost.com/business/content/business/epaper/2005/04/10/a1f_data_0410.html]
(last visited May 4, 2005).
13 See, e.g., Chris Jay Hoofnagle, Big Brother’s Little Helper: How Choicepoint and Other
Commercial Data Brokers Collect and Package Your Data for Law Enforcement, 29 N.C. J. Int’l
L. & Com. Reg. 595 (2004).
14 Id. at 602.
15 Choicepoint 2004 Annual Report, found at
[http://library.corporate-ir.net/library/95/952/95293/items/143458/2004ar.pdf]
(last visited May 4, 2005).
As mentioned above, the data brokerage industry has grown increasingly close to law
enforcement agencies in the last few years, and ChoicePoint’s relationship with law
enforcement agencies is indicative of this fact.18 ChoicePoint has a multi-million dollar
contract with the Department of Justice, and the company maintains federal
agency-specific websites to facilitate searches by officers from those agencies.19
Up until recently, ChoicePoint guarded access to its information by requiring
customers to provide business records on file with government agencies, copies of
drivers’ licenses, and other information identifying customers as legitimate businesses.
Unfortunately, at least one criminal ring began creating sham businesses and identities in
order to get around these requirements, and a Los Angeles-based sting operation in 2004
uncovered evidence leading authorities to conclude that the ring had accessed
ChoicePoint’s information on roughly 145,000 people.20 As the scandal unfolded,
ChoicePoint drew heated criticism for refusing to notify many of those whose personal
information had been accessed. At first, ChoicePoint only notified victims residing in
California, as that is the only state with a law requiring such notification when personal
information is compromised.21 Only after a public outcry did ChoicePoint agree to notify
victims outside of California.
In 2006, ChoicePoint agreed to pay $10 million in civil penalties and $5 million in
consumer redress to settle Federal Trade Commission charges that its security and
record-handling procedures violated consumers’ privacy rights and federal laws. The
settlement requires ChoicePoint to implement new procedures to ensure that it provides
consumer reports only to legitimate businesses for lawful purposes, to establish and
maintain a comprehensive information security program, and to obtain audits by an
independent third-party security professional until 2026.22
16 See Hoofnagle, supra note 12, at 601-602.
17 Id. A complete list of Choicepoint’s products and services can be found at
[http://www.choicepoint.net/business/all/all_products.html] (Last visited May 4, 2005).
18 See, e.g., Glenn R. Simpson, “FBI’s Reliance on the Private Sector Has Raised Some Privacy
Concerns,” Wall Street Journal, April 13, 2001.
19 The Drug Enforcement Agency’s access point, for example, is [http://www.cpdea.com] (Last
visited May 4, 2005).
20 See Robert O’Harrow, Jr., “Choicepoint Data Cache Became a Powder Keg,” Washington Post,
March 5, 2005, at A1.
21 Cal. Civ. Code §§ 1798.82, 1798.29. In the wake of the Choicepoint and LexisNexis scandals,
similar legislation has been introduced in several states. See
[http://www.ncsl.org/programs/lis/cip/priv/breach.htm] (Last visited May 4, 2005).
22 U.S. v. ChoicePoint Inc. (D. Ct. for the Northern District of Georgia, Atlanta Division), FTC
File No. 052-3069 (Jan. 26, 2006), available at
[http://www.ftc.gov/opa/2006/01/choicepoint.htm].
LexisNexis. LexisNexis has been one of the leading information research engines
for over two decades. In August 2004, LexisNexis’ parent company, London-based Reed
Elsevier, purchased data broker Seisint (an Asher creation) for $775 million and made it
a unit of LexisNexis. Among other things, Seisint provides data for Matrix, a crime and
terrorism database that, until recently, was funded by the federal government.
Very soon after the ChoicePoint scandal, LexisNexis reported that unauthorized
individuals had accessed the personal information of about 32,000 customers of the
company’s data brokerage unit by entering the passwords of legitimate customers. A
few weeks later, that estimate had risen to over 300,000.23 These individuals somehow
acquired passwords of paying customers of Seisint’s “Accurint” service, which generally
charges $4.50 for packaged information about an individual. Using the legitimate
passwords, the hackers were able to access personal information ranging from Social
Security numbers to home addresses to driver’s license numbers.
Conclusion
As the market for personal information has grown — particularly in light of the war
on terror — so too has the data brokerage industry. The ChoicePoint and
LexisNexis scandals, however, have spurred debate over the security of data brokers’
databases.
23 See Associated Press, LexisNexis Theft Much Worse Than Thought, April 12, 2005, found at
[http://msnbc.msn.com/id/7475594/] (Last visited May 4, 2005).