Right of Reply: LexisNexis
Response to our recent article on database breaches
Washington Correspondent Thomas Greene's recent story, "It's official: ChoicePoint, LexisNexis rooted many times" (April 13, 2005) alleges that LexisNexis "covered up" previous database breaches because there was as yet no law requiring that individuals be notified. The story contains a number of substantial inaccuracies and Mr. Greene's interpretation of the events seem designed to imply something sinister was afoot, rather than report the facts.
These facts are reflected in the written and oral testimony before U.S. Senate hearing mentioned in the story and contained in a public statement by Reed Elsevier, which is the parent company of LexisNexis and publicly listed. It's appropriate to set the record straight so that anyone who read the information in your report knows the truth.
First, "a cover up" cannot occur if a company is unaware of the very incidents it is alleged to have covered up. Nor is there a "cover up"; if the incidents discovered are announced publicly and voluntarily within a matter of weeks of identifying and confirming the events occurred.
On March 9, 2005, Reed Elsevier, announced that a review of our recently acquired Seisint unit revealed in February 2005 (not February 2004 as reported by Mr. Greene) some incidents of potentially fraudulent access to information about U.S. individuals. In response, LexisNexis notified approximately 30,000 individuals in March 2005 that their information may have been fraudulently accessed and the company is providing them with services, at no charge to them, to monitor for and prevent identity theft.
Also on March 9, Reed Elsevier publicly indicated LexisNexis was going to continue its review "to determine the extent of any other incidents" in Seisint business.
On April 11, LexisNexis and Reed Elsevier issued a statement that it had completed its review of search activity going back to January 2003. It had found that unauthorized persons, primarily using IDs and passwords of legitimate Seisint customers, may have acquired personal-identifying information of 280,000 individuals in the U.S. in other incidents over the prior two years. LexisNexis has begun notifying these individuals.
In my testimony I acknowledged some of these incidents pre-dated the California statute (which went into effect July 2003) reported in the story. Therefore, the information that Mr. Greene believes was "covered up" by LexisNexis at some point in the distant past was not in fact known by LexisNexis until the review of the last several weeks. LexisNexis acquired Seisint in September 2004.
Finally, Mr. Greene writes, "Unfortunately, when no California residents are affected by such an incident, the public has no guarantee that the truth will emerge." However, the record should reflect that LexisNexis indicated in March 2005 that we would notify individuals in all U.S. states even though there are no statutes requiring this.
It's difficult to see how Mr. Greene's interpretation of these events could possibly be correct or how he got so many things so wrong in his story. In fact, his false characterization of LexisNexis as dishonest is libelous per se.
Finally, let me add that though we have only recently purchased Seisint, as its new owners, we accept that it is our responsibility to address any questions about its security. We are doing so swiftly and decisively to prevent any future incidents.
The Register observes the Press Complaints Commission Code of Practice. If you want an opportunity for reply to inaccuracies, please contact Drew Cullen