The value of disclosure requirements

Bruce Schneier notes that only a California information privacy statute forced Choicepoint to disclose the fact that it shared consumers’ personal information with a group of criminals. Schneier on Security: ChoicePoint

This story would have never been made public if it were not for SB 1386, a California law requiring companies to notify California residents if any of a specific set of personal information is leaked.
ChoicePoint’s behavior is a textbook example of how to be a bad corporate citizen. The information leakage occurred in October, and it didn’t tell any victims until February. First, ChoicePoint notified 30,000 Californians and said that it would not notify anyone who lived outside California (since the law didn’t require it). Finally, after public outcry, it announced that it would notify everyone affected.

Wired News reports on a lawsuit filed against ChoicePoint: California Woman Sues ChoicePoint : “According to the filing, Goldberg seeks to hold ChoicePoint responsible for negligence in protecting the private data of consumers from scam artists who purchased it from the company. The scam continued for a year before ChoicePoint discovered what the thieves were up to.”