ChoicePoint Says “Please Regulate Me”.
According to ChoicePoint's most recent 8-K filing:
“Based on information currently available, we estimate that
approximately 145,000 consumers from 50 states and other territories
may have had their personal information improperly accessed as a result
of the recent Los Angeles incident and certain other instances of
unauthorized access to our information products. Approximately 35,000
of these consumers are California residents, and approximately 110,000
are residents of other states. These numbers were determined by
conducting searches of our databases that matched searches conducted by
customers who we believe may have had unauthorized access to our
information products on or after July 1, 2003, the effective date of
the California notification law. Because our databases are constantly
updated, our search results will never be identical to the search
results of these customers.”
Catch that? ChoicePoint actually has no idea if only 145,000 customers were affected by its recent security debacle.
But it's not doing any work to determine if more than 145,000 customers
were affected — or if any customers before July 1, 2003 were affected
— because there's no law compelling it to do so.
I have no idea why ChoicePoint has decided to tape a huge “Please
Regulate My Industry” sign to its back, but it's increasingly obvious
that it has. There's a class-action shareholders' lawsuit, but I don't think that will be enough.
And, by the way, ChoicePoint's database is riddled with errors. [Schneier on Security]