At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant. That same month, February, saw stories that had bigger numbers (Bank of America, 1.2 million names and Social Security numbers) and more sex appeal (T-Mobile, Paris Hilton) than the predictable details of the ChoicePoint case. Thousands of victims, compromised Social Security numbers, an arrest on charges of identity theft. Yada yada yada. But somewhere along the way, the ChoicePoint saga became the spark that caused an explosion.
Maybe it was the fact that this wasn't a hack. Personal information of nearly 145,000 people wasn't stolen from ChoicePoint. In fact, the company sold the information to inadequately vetted bogus businesses—this from a company whose own business includes helping other companies verify credentials. Maybe it was that the people whose information was compromised weren't customers of ChoicePoint, just accidental citizens of the vast databases of the Alpharetta, Ga.-based information broker. Maybe it was the way that ChoicePoint behaved after the breach: from an initial, bumbling response that smacked of marketing, to a changing story about what had happened and how the company was responding, to the revelation that top executives had sold millions of dollars worth of stock between the time the fraud was discovered and when it was announced to the public.
Or maybe it was this last twisted bit of irony: ChoicePoint chairman and CEO Derek V. Smith had recently written two books about how individuals can protect themselves in the information age.
You can't make this stuff up.
"It was like they put a big sign on themselves that said 'Regulate me,'" security maven Bruce Schneier says.
Now that the initial flames are dying down—and lawmakers are trying to figure out how to prevent future fires at ChoicePoint and other information brokers such as LexisNexis and Acxiom
The Unbearable Lightness of Data
Like most Americans, Mary Chapman had never heard of ChoicePoint until one day in February, when she got a letter informing her of "a recent crime committed against ChoicePoint that MAY have resulted in your name, address and Social Security number" being inappropriately viewed. (Go to this article to see a copy of a typical letter sent by ChoicePoint.)
"I was angry as all can be, because the way the letter sounds, it was totally an incident against them, and an
Chapman feels fortunate not to count herself among the 750 people whom ChoicePoint says have already become victims of identity theft due to the security breach. But she's seething about the fact that her information was inadequately protected by a company she'd never done business with. She's also mad about how difficult it was for her to sign up for the free credit monitoring service that ChoicePoint is giving all the victims for one year
"I'm going to have to watch my back for the rest of my life," she says. "I'm angry that my rights as a citizen have been violated. I'm angry that a company is out there selling my personal information for monetary gain. Yes, I'm angry. I'm very angry. And I hope to heavens that everybody who's involved in this is just as angry as I am."
Virginia attorney Leonard Bennett of Consumer Litigation Associates is hoping that other victims are angry too. Along with 10 other attorneys in four states, Bennett is preparing to file a class-action lawsuit against ChoicePoint on behalf of citizens whose information was compromised in the breach. As of press time, in fact, nearly 20 class-action suits had been filed, according to the Los Angeles Times.
Meanwhile, the furor seems to have roused other beasts. A dormant 2003 negligence case against the Arizona-based TriWest Healthcare Alliance (more than 500,000 names with personal information stolen) may be sputtering back to life. Other lawsuits are sure to follow. Hard on the heels of the ChoicePoint incident came revelations of a security breach at a competitor, the Reed Elsevier subsidiary LexisNexis (310,000 names with personal information), in addition to news of a database break-in at shoe retailer DSW.
At ChoicePoint, damage control eventually kicked in. The company announced that it would "discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there is a specific consumer-driven transaction or benefit" or law enforcement purpose. Although the company has not been clear about exactly what this business change entails, executives were ostensibly shutting down some of the business and admitting that they simply couldn't reliably verify credentials for some small-business customers. That seemed cold comfort to the privacy community.
"My reaction isn't, 'Gosh, I'm glad to hear that,'" says consultant Richard Purcell, who is CEO of the Corporate Privacy Group. "It's, 'My God, why have you been doing that when there's no reason to?'"
Before, few people had really known about all of the information that ChoicePoint and its brethren amass, from driving records and property deeds to lists of relatives and job history for nearly every adult in the United States. Now, the citizen-cowboys are rounding themselves up. They've found out about the risks to their personal data
Over the past decade, ChoicePoint CISO Rich Baich has become a bold-faced name in the infosec world. When the scandal broke, Baich, a CISSP and Certified Information Security Manager, was with his tribe at the 2005 RSA Conference in California. At a roundtable discussion about the transformation of the security industry, the CEO of Symantec introduced Baich as "a true security professional." This was assumed. Baich was the 2004 Information Security Executive of the Year for Georgia, recognized for his "illustrious career." He has a new book coming out, in late spring, titled Winning as a CISO. In a cover story on the CISO role, this magazine described him as the rare thriving CISO with a budget and clout. (See "Locked Out" at www.csoonline.com/printlinks.)
But the limelight turned scorching. "What a fraud and discredit to the position of the CISO," read an anonymous posting in response to that story at CSOonline.com, including the URL of a ChoicePoint press release about the debacle.
When CSO requested an interview with Baich in early March, ChoicePoint's public relations department said to contact him directly to inquire about his availability. Baich returned our call. Sounding upbeat, he said that he was trying to convince his public relations department to let him set the record straight. "They need to let this happen," he said. "Look, I'm the chief information security officer. Fraud doesn't relate to me." He indicated that he would be doing the CISO community a service by explaining to the media why fraud was not an information security issue. (The company later denied his request to grant the interview.)
The feds, however, are acting as if it's an information security issue. ChoicePoint has indicated that the Federal Trade Commission is "conducting an inquiry into our compliance with federal laws governing consumer information security and related issues."
The security community seems skeptical of Baich's argument too. CISOs have long asserted that their responsibilities ought to encompass all aspects of information protection
"Social engineering to get access to systems is social engineering. It's malicious activity," says Craig Shumard, CISO and senior vice president at insurance company Cigna. Shumard says he definitely considers protecting against social engineering scams to be part of his job. "Any type of trying to penetrate or misuse or access information inappropriately is all within the CISO's job. I would take it even a step further. Where you have trusted users and they misuse their trusted access, I view that within the CISO's job as well."
"Rich is looking at this at a very technical level, saying, None of my security technology would have helped prevent this," says Michael Assante, CSO of American Electric Power. Assante considers Baich a friend, and he thinks the crime is a result of a weakness in ChoicePoint's business processes for vetting customers. "But I believe that the CISO has to be a critical part of looking at weaknesses," he says. "Clearly, as CISO or CSO, we can't discount weak business processes. My view of the CISO's role
Not that the buck necessarily stops with Baich. At ChoicePoint, the information security department was not in charge of verifying the credentials of its customers. But Baich was the company's top security person, and the extent to which fingers are pointed at him speaks volumes about how broadly CISOs have come to be regarded as protectors of information, no matter the threat. Responding to the media glare by disputing the "hack" characterization is a case of splitting hairs; by any name, what happened reflected a wholesale failure of ChoicePoint's approach to security governance.
Funny thing, that CPO moniker: As near as CSO can determine, it was the first time that de Janes donned it—and perhaps the last. De Janes is actually the general counsel for ChoicePoint. His description of responsibilities on the ChoicePoint website does not include privacy. It seems that ChoicePoint just needed a privacy officer, and fast.
As part of its effort to reassure the public that it would prevent future fraud, ChoicePoint quickly announced that it was creating an office of credentialing, compliance and privacy that would report directly to the board of directors' privacy committee. "Recent events where criminals were able to become customers have led us to take this strong action in order to regain the trust of consumers that their information is being used only for their benefit, or the benefit of society at large," said privacy committee chairman John Hamre in a written statement. To lead that effort, the company needed to hire a privacy officer who would do more than just sign letters.
By now, everyone knows about California state law SB 1386, which went into effect on July 1, 2003. It requires businesses to inform residents if their unencrypted personal information—including name along with either driver's license number, Social Security number, or credit card or banking information—has been compromised. This is the law that brought light to the ChoicePoint breach. But what few people have realized is how narrowly that light was cast.
ChoicePoint originally began notifying some 35,000 California residents that their information had been involved in the scam. That wasn't good enough for the attorneys general in 38 other states, who demanded that the company notify all affected U.S. citizens. ChoicePoint quickly announced that more than just California residents had been affected after all, and that the company would send letters to consumers in all 50 states.
But even this broader notification process had a hitch. The nearly 145,000 people nationally that ChoicePoint identified as affected were based on an investigation that went back only as long as the law was in effect. According to public records filed by ChoicePoint, the company investigated "unauthorized access to our information products on or after July 1, 2003, the effective date of the California notification law."
This seems like the final straw for Beth Givens, director of the Privacy Rights Clearinghouse, a national consumer advocacy organization. "What a negligent company," she says, her voice falling, when she hears about the limitations of the ChoicePoint investigation.