In April, shortly after the news of the data theft became public, CEO Kurt Sanford was called before Congress to testify on securing personal data. He told the Senate Judiciary Committee that LexisNexis had provided a consolidated credit report and credit monitoring services to the people whose names were stolen from the Accurint database. They are also offering credit counselors and $20,000 worth of identity theft insurance to anyone who ultimately becomes a victim of fraud as a result of the theft. "We have learned a great deal," Sanford told Congress.
Less than a month after the theft took place, the company rolled out a new initiative called the LexisNexis Customer Security Program. The program is designed to push more of the burden for the security of LexisNexis' information out to its customers. It consists of four relatively simple changes: stronger log-in requirements, monthly user verification, IP address restriction (allowing access from predesignated IP addresses only), and restricted access to full Social Security numbers and driver's license information. (See "Four-and-a-Half Million Fingers," page 48.)
Some of the changes are mandatory for all LexisNexis customers, while others, such as IP address restriction, are voluntary. Some are already in place. Others roll out later this year. For the most part, the impact on customers has been minimal. (This magazine, which uses the LexisNexis newspaper and periodical database, was asked to change its password and to add a security question and answer as part of the effort. It took less than five minutes to complete the change.) "We want to make it as painless as possible," says Wright. "Security hasn't always been this big a part of the job, but once it crossed the line outside of our walls and to our customers, that's when I got involved."
Many of LexisNexis' customers are already well aware of the threat of identity theft, either through the constant media coverage the topic receives, or because of the nature of their businesses. Ron Morano is a collections strategist at Creditor's Interchange Inc., a third-party collection agency based in Buffalo, N.Y. He uses LexisNexis to get phone numbers, home addresses and mortgage information on people who are behind on their loan payments, and he often finds himself trying to collect on accounts that are overdue because their owners have been the victims of identity theft. "I'm more than aware of it," Morano says.
But even with his intimate knowledge of identity theft, Morano still finds the additional security to be a nuisance. "We've limited our Accurint searches to one IP address, and that disables access from any other computer," he explains. "It has become more of an inconvenience."
Wright downplays the effects of asking customers to tighten security on LexisNexis' behalf. "A lot of our customers are already required to do this stuff because of the regulated industries they're in," she says. "The majority of our customers are delighted, and some have even gone to great lengths on their own." LexisNexis is even considering helping them take the next step. The company is currently working with antivirus and antispyware companies to potentially provide some kind of bulk discount to its customers. An effort of this kind would not cost LexisNexis a great deal of money, says Cronin, given the eagerness of software vendors to gain new business.