In Depth

The Five Most Shocking Things About the ChoicePoint Data Security Breach

At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant.

By Sarah D. Scalet

Page 7

Sound like Sarbanes-Oxley compliance?

Not quite. Section 409 of Sarbanes-Oxley does require that the "issuer must disclose to the public information on material changes in the financial condition or operations of the issuer on a rapid and current basis." Both events seemed to meet the requirement. But that rule has not yet taken effect, and the feds are still trying to hammer out "real-time" and other vagaries of the law. These two disclosures seem to be more preemptive than anything else.

"It's Sarbanes-Oxley, only indirectly," says Arthur Miller, the Harvard Law School professor who is known for his attention to privacy issues. "What it really is is corporate accountability. After the Enron and WorldCom fiascos, companies are much more sensitive about what they have to tell shareholders. The companies don't want to be caught in the bind of, if their stock goes down, somebody bringing a class-action lawsuit against them, saying that there was a material piece of information [the company] didn't disclose to them" - which had already happened to ChoicePoint.

"This is very prophylactic," Miller continues, "and from a social point of view I suppose it's desirable, because there hasn't been enough corporate accountability. This is a recognition of the fact that privacy is material. Privacy fiascos can move the stock."

"The fact that it was done voluntarily is key," says Howard Schmidt, chief security strategist of eBay and former national cybersecurity adviser. "Myself and others have tried to stay away as much as possible from government regulations. The companies felt it was significant enough that they went ahead and filed this on a voluntary basis." Now, Schmidt is hopeful that the next time a company has a significant security breach, that company "might be more inclined to file an SEC report because it's already been done."

Epilogue: The One Point That's Not Shocking

Anyone who's been in this business very long knows an explosion like ChoicePoint doesn't necessarily change the world. The hard work is just starting now, as CSOs and CISOs try to make the most of the newfound attention that consumers, lawmakers and boards of directors are paying to information security. The biggest failure could be yet to come, if the ChoicePoint scandal ends up as yet another footnote in the troubled narrative of our failed attempts at information security, early 21st century. Sasser. U.S. Department of Interior. PayPal phishing. Los Alamos. ChoicePoint.

"It does have a potential" to be a tipping point, Schmidt says. "My only fear is that it makes a splash for a week or two weeks, and then it calms down, and the fire in the belly, so to speak, wanes. We see that in post-9/11 life."
