In Depth

The Five Most Shocking Things About the ChoicePoint Data Security Breach

At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant.

By Sarah D. Scalet


Before, few people had really known about all of the information that ChoicePoint and its brethren amass, from driving records and property deeds to lists of relatives and job history for nearly every adult in the United States. Now, the citizen-cowboys are rounding themselves up. They've found out about the risks to their personal data, and that may be the most powerful information leak of all.

The Dangers of Narrowly Defining Information Security

Over the past decade, ChoicePoint CISO Rich Baich has become a bold-faced name in the infosec world. When the scandal broke, Baich, a CISSP and Certified Information Security Manager, was with his tribe at the 2005 RSA Conference in California. At a roundtable discussion about the transformation of the security industry, the CEO of Symantec introduced Baich as "a true security professional." This was assumed. Baich was the 2004 Information Security Executive of the Year for Georgia, recognized for his "illustrious career." He has a new book coming out, in late spring, titled Winning as a CISO. In a cover story on the CISO role, this magazine described him as the rare thriving CISO with a budget and clout. (See "Locked Out" at www.csoonline.com/printlinks.)

But the limelight turned scorching. "What a fraud and discredit to the position of the CISO," read an anonymous posting in response to that story at CSOonline.com, including the URL of a ChoicePoint press release about the debacle.

When CSO requested an interview with Baich in early March, ChoicePoint's public relations department said to contact him directly to inquire about his availability. Baich returned our call. Sounding upbeat, he said that he was trying to convince his public relations department to let him set the record straight. "They need to let this happen," he said. "Look, I'm the chief information security officer. Fraud doesn't relate to me." He indicated that he would be doing the CISO community a service by explaining to the media why fraud was not an information security issue. (The company later denied his request to grant the interview.)

The feds, however, are acting as if it's an information security issue. ChoicePoint has indicated that the Federal Trade Commission is "conducting an inquiry into our compliance with federal laws governing consumer information security and related issues."

The security community seems skeptical of Baich's argument too. CISOs have long asserted that their responsibilities ought to encompass all aspects of information protection, whether a vulnerability stems from insider misuse, an outside hack or (in ChoicePoint's case) a social engineering scam. It seemed an especially convenient moment for Baich to argue, uncharacteristically, that his job description is actually narrower than one would assume.
