What was the root cause of the data breach? How could this data breach have been prevented? In your opinion, were the fines imposed on ChoicePoint sufficient (high enough) to deter such an incident from happening again? Explain your answer. In your opinion, how effective are the changes implemented by ChoicePoint at deterring or defending against data breaches? Explain your answer.
$55 Million Data Breach at ChoicePoint: ChoicePoint is a leading data broker and credentialing service. It maintains 19 billion public records on more than 220 million U.S. citizens. The company buys personal data, including names, Social Security numbers, birthdates, employment data, and credit histories, and then sells the data to businesses and government agencies. Marketing, human resources, accounting, and finance departments rely on ChoicePoint's data for customer leads, background checks, and verification. Roughly 70 percent of ChoicePoint's revenue is generated by selling consumer records for insurance claim verifications and workplace background screenings. ChoicePoint was exposing the data to risk by ignoring its policy to verify that potential customers were legitimate before selling data. Disaster was foreseeable.
In early 2000, without doing an adequate background check, ChoicePoint provided hackers with customer accounts, which they used to illegally access databases and steal confidential data. By May 2008, that security lapse had cost the company over $55 million in fines, compensation to potential victims of identity theft, lawsuit settlements, and legal fees. Then in June 2008, the company also paid $10 million to settle a class action lawsuit.
Disclosing the Problem Publicly: On February 15, 2005, ChoicePoint reported that personal and financial data of 145,000 individuals had been "compromised." All of the individuals were at risk of identity theft after Olatunji Oluwatosin, a Nigerian national living in California, had pretended to represent several legitimate businesses. Ironically, Oluwatosin's credentials had not been verified, which enabled him to set up over 50 bogus business accounts. Those accounts gave him access to databases containing personal financial data. Oluwatosin was arrested in February 2005, pleaded guilty to conspiracy and grand theft, and was sentenced to 10 years in prison and fined $6.5 million.
The state and federal penalties facing ChoicePoint were much larger. Privacy and antifraud laws required that ChoicePoint disclose what had happened. California's privacy breach legislation requires that residents be informed when personal information has been compromised. Outraged attorneys general in 44 states demanded that the company notify every affected U.S. citizen. At the federal level, ChoicePoint was charged with multiple counts of negligence for failing to follow reasonable information security practices. In 2005, the company was hit with the largest fine in Federal Trade Commission (FTC) history-$15 million. The FTC charged ChoicePoint with violating:
-The Fair Credit Reporting Act (FCRA) for furnishing credit reports to subscribers who did not have a permissible purpose to obtain them and for not maintaining reasonable procedures to verify its subscribers' identities.
-The FTC Act for false and misleading statements about privacy policies on its Web site. On March 4, 2005, in what was a first for a publicly held company, ChoicePoint filed an 8-K report with the SEC warning shareholders that revenue would be adversely affected by the data breach. In January 2006, with the public announcement of the extent of the fines, ChoicePoint's stock price plunged.
The Solution: When a company violates SEC, federal, or state laws, the solution to its problem is going to be dictated to it. The solution to ChoicePoint's risk exposure was mandated by the FTC. The company had to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes. In addition, the FTC ordered ChoicePoint to establish and maintain a comprehensive information security program and to obtain audits by an independent third-party security professional biyearly until 2026. To reassure stakeholders, ChoicePoint hired Carol DiBattiste, the former deputy administrator of the Transportation Security Administration, as chief privacy officer (CPO).
The Results ChoicePoint reformed its business practices and data security measures, which were too lax relative to its risk exposure. The company had to stop putting risky business practices that focused on short-term revenues ahead of long-term profitability. This business decision is a necessary and ethical trade-off. ChoicePoint's data breach brought businesses' security policies to national attention. It signaled the need for improved corporate governance.
Although there is no generally accepted definition, corporate governance refers to the rules and processes ensuring that the enterprise adheres to accepted ethical standards, best practices, and laws. Companies that collect sensitive consumer information have a responsibility to keep it secure. Together with high-profile frauds and malware, data breaches have triggered an increase in laws and government involvement to hold companies and their management accountable for lapses in governance. Yet, since ChoicePoint's record-setting data breach, many other infosec incidents and data thefts of greater magnitude have occurred.
Sources: Compiled from ftc.gov, Gross (2005), Kaplan (2008), Mimoso (2006), and Scalet (2005).