In Depth

The Five Most Shocking Things About the ChoicePoint Data Security Breach

At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant.

By Sarah D. Scalet

"Social engineering to get access to systems is social engineering. It's malicious activity," says Craig Shumard, CISO and senior vice president at insurance company Cigna. Shumard says he definitely considers protecting against social engineering scams to be part of his job. "Any type of trying to penetrate or misuse or access information inappropriately is all within the CISO's job. I would take it even a step further. Where you have trusted users and they misuse their trusted access, I view that within the CISO's job as well."

"Rich is looking at this at a very technical level, saying, None of my security technology would have helped prevent this," says Michael Assante, CSO of American Electric Power. Assante considers Baich a friend, and he thinks the crime is a result of a weakness in ChoicePoint's business processes for vetting customers. "But I believe that the CISO has to be a critical part of looking at weaknesses," he says. "Clearly, as CISO or CSO, we can't discount weak business processes. My view of the CISO's role, and I think we're very early in this maturity curve, but my view is that the CISO can't just work in the tech space. They have to start looking at business processes.

"I think for anyone to try and say 'it's not my responsibility' is a dangerous thing. More and more we need to recognize that it is our responsibility," Assante says.

Not that the buck necessarily stops with Baich. At ChoicePoint, the information security department was not in charge of verifying the credentials of its customers. But Baich was the company's top security person, and the extent to which fingers are pointed at him speaks volumes about how broadly CISOs have come to be regarded as protectors of information, no matter the threat. Responding to the media glare by disputing the "hack" characterization is a case of splitting hairs; by any name, what happened reflected a wholesale failure of ChoicePoint's approach to security governance.

The Dizzyingly Short Tenure of the First CPO

Back to that letter that Chapman and the other ID theft victims received. It had the signature line of a real person: "J. Michael de Janes, Chief Privacy Officer."

Funny thing, that CPO moniker: As near as CSO can determine, it was the first time that de Janes donned it—and perhaps the last. De Janes is actually the general counsel for ChoicePoint. His description of responsibilities on the ChoicePoint website does not include privacy. It seems that ChoicePoint just needed a privacy officer, and fast.
