ChoicePoint, whose breach disclosure in 2005 served as a watershed moment, has been acquired by LexisNexis information service parent, Reed Elsevier, for $4.1 billion, the two companies announced on Thursday.
Alpharetta, Ga.-based ChoicePoint, a data aggregator and credentialing service founded in 1997, said that the merger will "create a powerful combination of technology, information and workflow products to meet the growing needs of customers for analytics-based solutions."
News of the merger with Europe-based Reed Elsevier comes less than a month after ChoicePoint agreed to pay $10 million to settle the final bit of pending litigation resulting from the breach, in which criminals, posing as customers, stole the personal information of 163,000 people.
The data-loss event prompted most states to pass notification laws requiring organizations to alert customers about a breach if their personally identifiable information was exposed. At the time of ChoicePoint's revelation, only California had such a law on the books.
According to a prepared question-and-answer document, ChoicePoint said Thursday that it will continue to apply its newly implemented privacy and security controls until the expected close of the deal this summer.
"Reed Elsevier has committed to develop business plans that maintain our privacy principles," ChoicePoint said. "And, we have made commitments to regulators that will maintain certain components of our administrative, physical and technical security requirements for 20 years."
As part of a January 2006 settlement with the Federal Trade Commission over charges that ChoicePoint's record-handling procedures violated consumers' privacy rights and federal laws, the company agreed to pay $15 million in fines and consumer redress. In addition, it consented to biennial audits by an independent, third-party security professional until 2026.
Since the breach, ChoicePoint has served as a poster child for data-loss incidents, and company executives have traveled across the country to chronicle their prior shortcomings and how they have worked to fix them, including implementing better customer verification protocols and discontinuing the sale of some consumer data.
"ChoicePoint has made remarkable progress since the breach incident back in February of 2005," said Paul Stephens, director of policy and advocacy at the nonprofit Privacy Rights Clearinghouse. "They have probably become an industry leader in terms of doing good things to protect the security of the data that is entrusted to them."
Roughly 70 percent of ChoicePoint's revenue is generated by providing consumer records for insurance claim verifications and workplace background screenings, according to the company.
"The acquisition of ChoicePoint represents a major further step in the building of Reed Elsevier's risk management business and in the development of our online workflow solutions strategy," said Sir Crispin Davis, Reed Elsevier's chief executive officer. "The market growth in risk information and analytics is highly attractive, and ChoicePoint brings important assets and market positions that fit well with our existing business."
Stephens, though, said he worries that combining the two companies could yield a record payday for data thieves if they were to pull off a heist.
"We would consider any consolidation of two powerhouses in the information field to be a negative thing from the standpoint of consumer privacy," he said. "Each of them has their own set of data. So...the amount of data within one corporate entity is going to be much larger."
Reed Elsevier has not gone without its own security woes. In June 2006, five men were charged with hacking passwords of at least 32,000 LexisNexis users, according to the Privacy Rights Clearinghouse.
A ChoicePoint spokesman on Thursday referred any questions about the acquisition to a Reed Elsevier representative, who did not respond to a request for comment.