Waterloo
On ChoicePoint (and LexisNexis, and Bank of America and PayMaxx and SAIC and T-Mobile and...) and the overwhelming defeat of security
By Scott Berinato
March 15, 2005 — CSO —
Many clichés have surfaced for l'affaire ChoicePoint and the general hemorrhaging of personal data by so many careless companies: It's the straw that broke the camel's back, the perfect storm of privacy violations, the Exxon Valdez of data privacy.
But all of them miss the point. The expression that's most appropriate comes from Claude Rains in Casablanca: "I'm shocked
Let's be clear: Any security professional will tell you that ChoicePoint's recent security lapse was ordinary fraud.
But ChoicePoint's reaction to the breach was not ordinary, or good, for that matter. We'll leave the grisly details to upcoming coverage in CSO magazine. For now, we'll skip right to the pièce de résistance: ChoicePoint's spokesperson for this incident was its CMO. A brazen choice, a cynical semaphore that said to customers and shareholders and everyone else, "We're going to spin this."
Reprehensible, perhaps, but it makes sense. It's just the logical extension of marketing's dominance over IT in the first place. Long ago, in an era called the dotcom boom, marketing finally neutered information security. Vendors promised "solutions" to Kool-Aid-drinking marketing veeps. Those veeps in turn promised to alchemize revenue out of consumers' private information. Go, said the CEO. Buy these technologies, collect this data and we shall dominate and our stock prices will soar.
It was that era's intense competition and presumption that IT could create a new economy that redrew security mores. Suddenly, market share snuffed out data safety; corporate progress trumped customer privacy. An entire industry, CRM, rose from the new mindset that personal information was somehow a thing the consumer owed the company, and if the consumer decided not to share, they were taxed with higher prices or fewer privileges.
If you disagreed with the new rules, you didn't get it. If you deigned to suggest the company should slow down to evaluate risks, you were old economy. Bricks and mortar. Such a loser. Sometimes fired.
We tend to remember the over-the-top dotcom years with wry reverie, like it was that party in college that got just a little too out of hand. But the dotcom era is now showing itself to have much darker, far more sinister consequences than a few personal bankruptcies and obscene real estate prices. The ethos of the late '90s helped to build the infrastructure that has resulted in this era's gross corporate incompetency and irresponsibility. It was the foundation for tens of millions of identity thefts.