The Five Most Shocking Things About the ChoicePoint Data Security Breach

At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant.

1 2 Page 2
Page 2 of 2

Going forward, though, companies may not be so lucky in how they limit an investigation. The U.S. Federal Reserve Board has since announced new rules requiring financial institutions to notify customers "as soon as possible" if their personal information has been breached. A bill that Sen. Dianne Feinstein (D-Calif.) reintroduced to the Senate on Jan. 24, 2005, has been gaining traction. Similar to the California disclosure law, Feinstein's bill would require businesses and government agencies to notify individuals when there is a "reasonable basis to conclude" that a criminal has obtained their unencrypted personal data. The FTC supports this type of notification law, and also a possible expansion of the Gramm-Leach-Bliley Act, which currently affects how financial institutions protect their customers' privacy. Also, Sen. Bill Nelson (D-Fla.) is introducing legislation that would empower the FTC to regulate the information industry. Those are only the more prominent laws introduced on both the federal and state levels.

Cigna's Shumard expects some kind of national disclosure law as a likely outcome. "And if you have a couple other high-profile incidents while that legislation is being debated, that will have an impact," he says. The end result? The further we get from July 1, 2003, the longer the time span of an investigation will need to beand the harder it will be to hide the true scope of a security breach.

The SEC's Emergence as a Confession Booth

Consumers whose information was compromised in the scam weren't the only ones to hear the bad news straight from ChoicePoint. On March 4, 2005, in what may be a first for a publicly held company, ChoicePoint filed an 8-K with the Securities and Exchange Commission, warning shareholders that revenue would be affected by the fallout from the security breach, to the tune of an estimated $15 million to $20 million decline by Dec. 31, 2005, and another $2 million in expenses from the incident. A spokeswoman downplayed the disclosure, saying it was a routine SEC filing done because ChoicePoint was exiting one of its lines of business due to the security breach.

But the confession must have looked cathartic for Reed Elsevier, the London-based parent company of ChoicePoint competitor LexisNexis. Less than a week after ChoicePoint filed its 8-K, Elsevier filed a 6-K (the equivalent filing for a non-U.S. company), as a way of announcing its own news. The personal information of 32,000 individuals in its databases may have been fraudulently accessed in a similar scheme in which criminals stole legitimate business credentials. Elsevier sought to reassure shareholders: "The financial implications are expected to be manageable within the context of LexisNexis's overall growth." (Access both reports at www.csoonline.com/printlinks.)

Sound like Sarbanes-Oxley compliance?

Not quite. Section 409 of Sarbanes-Oxley does require that the "issuer must disclose to the public information on material changes in the financial condition or operations of the issuer on a rapid and current basis." Both events seemed to meet the requirement. But that rule has not yet taken effect, and the feds are still trying to hammer out "real-time" and other vagaries of the law. These two disclosures seem to be more preemptive than anything else.

"It's Sarbanes-Oxley, only indirectly," says Arthur Miller, the Harvard Law School professor who is known for his attention to privacy issues. "What it really is is corporate accountability. After the Enron and WorldCom fiascos, companies are much more sensitive about what they have to tell shareholders. The companies don't want to be caught in the bind of, if their stock goes down, somebody bringing a class-action lawsuit against them, saying that there was a material piece of information [the company] didn't disclose to them"which had already happened to ChoicePoint.

"This is very prophylactic," Miller continues, "and from a social point of view I suppose it's desirable, because there hasn't been enough corporate accountability. This is a recognition of the fact that privacy is material. Privacy fiascos can move the stock."

"The fact that it was done voluntarily is key," says Howard Schmidt, chief security strategist of eBay and former national cybersecurity adviser. "Myself and others have tried to stay away as much as possible from government regulations. The companies felt it was significant enough that they went ahead and filed this on a voluntary basis." Now, Schmidt is hopeful that the next time a company has a significant security breach, that company "might be more inclined to file an SEC report because it's already been done."

Epilogue: The One Point That's Not Shocking

Anyone who's been in this business very long knows an explosion like ChoicePoint doesn't necessarily change the world. The hard work is just starting now, as CSOs and CISOs try to make the most of the newfound attention that consumers, lawmakers and boards of directors are paying to information security. The biggest failure could be yet to come, if the ChoicePoint scandal ends up as yet another footnote in the troubled narrative of our failed attempts at information security, early 21st century. Sasser. U.S. Department of Interior. PayPal phishing. Los Alamos. ChoicePoint.

"It does have a potential" to be a tipping point, Schmidt says. "My only fear is that it makes a splash for a week or two weeks, and then it calms down, and the fire in the belly, so to speak, wanes. We see that in post-9/11 life."

Timothy Williams, CSO of Nortel Networks, seems to agree. ChoicePoint can be a watershed moment, he says, but only if CSOs use it to get support for their jobs and make a good case for why companies shouldn't approach risks within the narrow confines of "IT security" or "fraud" or "investigations."

"We can take a bad situation and build some good processes around it," Williams says. "Then we're seizing the opportunity."

Copyright © 2005 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful cybersecurity companies