ChoicePoint Security Breach Will Lead To Increased Regulation

Executive Summary: ChoicePoint made headlines this past week when it began the incident disclosure and notification process of a security breach that compromised the personal information of at least 145,000 people. Criminals, through fraudulent means, posed as small businesses to gain access to individuals’ personal data aggregated by ChoicePoint. The company is not alone in breaches and disclosure of this nature. However, the headlines made with this breach are driving legislatures to open hearings, and it will further increase data privacy legislation along with the possibility of regulating data brokerage firms.

Research Catalyst: U.S. government reaction to the ChoicePoint security incident, in which personal information of at least 145,000 Americans was breached.¹

The Staw that Broke the Data Broker’s Back

As a result of California Civil Code 1798 (commonly known as California Senate Bill 1386), organizations must disclose security incidents that involve private information about California residents, such as the ChoicePoint breach. Further California legislation – in what is knows as California Assembly Bill 1950 – has recently gone into effect that requires “reasonable security” controls around California resident data within organizations and their business partners.²

At first, the ChoicePoint disclosure was only to California residents, but it soon changed course to include 145,000 US citizens.

Disclosure under the California Civil Code is not new. It has been in effect for nearly two years; several entities, including large banks, have disclosed security breaches of California residents’ data. Wells Fargo has made at least three of these disclosures in the past year and a half.

What is interesting about the ChoicePoint breach is that it has made a big enough news splash to assist legislators in moving legislation forward. The US Senate Committee on the Judiciary has already begun the process to set up hearings regarding this breach and others. Senator Dianne Feinstein (D-Calif.) is one notable participant; she has had draft legislation floating around Capitol Hill for the past two years, modeled off of California Senate Bill 1386.

Congress, and perhaps other legislatures (for example, states), is showing it is ready to move on this. Forrester expects two outcomes:

1. Broad data privacy protection legislation. The US is fragmented in its approach to data privacy protection. Currently, data privacy protection has been handled via targeted industry regulation in the Health Insurance Portability and Accountability Act (healthcare), and the Gramm-Leach-Bliley Act (financial services). Forrester expects that broader privacy legislation will be enacted to protect individual information – some of this will be modeled after Feinstein’s Database Security Breach Notification Act. Feinstein has been looking for a platform to move her legislation forward for the past two years; that platform has now been handed to her.
2. Regulation of data brokers. Forrester expects legislation to be enacted that will govern the data broker industry – the industry that ChoicePoint is in. This most likely will fall under the responsibility of the Federal Trade Commission. The FTC responds as a consumer advocacy arm for US citizens, enforces the Fair and Accurate Credit Transactions Act (FACT Act), and is the agency that regulates nontraditional financial services firms. All of these elements are points of pressure that the FTC can bear down upon organizations like ChoicePoint.

As with the enactment of the Sarbanes-Oxley Act in light of the Enron and WorldCom scandals, Congress is set to move quickly on this issue while it is hot. Forrester expects legislation and increased regulation to move through Congress in 2005.

A Security Breach Is A Security Breach

One other interesting item to note in the ChoicePoint breach is the company’s position that this was not a network security breach, or a “hack.” Technically, this may be true, but the paths into corporate networks are many and include social engineering processes and individuals. This line of reasoning is confusing on the part of ChoicePoint – if it had a weak link that enabled others to compromise personal information, then it had a weak link. It does not matter if it was a technical hack or someone hacking the business process.

Recommendations: Be Prepared

Organizations must follow the Scout Motto: “Be Prepared.”

• Establish your incident disclosure policy. Do not get caught off guard when a breach of personal information is identified. Organizations should establish their disclosure policies before anything happens so they know when and how they will disclose breaches of personal information in compliance with laws and to minimize liability.
• Review your privacy policy. Make sure that your privacy policy is up-to-date and that you are following it. Claims of security and privacy that are false or misleading can open wide the doors of liability.
• Document your security architecture. Understand how you are securing your systems – from both the process and technology views. Security is not just about firewalls, but it also needs to cover the security of business processes and the awareness of individuals. A well-documented security architecture goes a long way in understanding how well your security is holding up.
• Classify personal information. Organizations should update their classification policies to include personal and nonpublic information. Minimum security controls – again, policy and process as well as technical controls – should be defined to protect personal information.

Alternate View: What About the Consumer?

Another twist we could see on the legislative front revolves around who owns personal information. The European Union has taken a completely different stance than the US has, in which EU residents are the masters of their personal information. In the US, organizations own personal information. You have limited rights into this data; the organization owns and controls it. This is what makes data brokerage firms so powerful and scary. As a US consumer, you have very limited rights into how your data is collected and used.

For the consumers who will bear the brunt of the ChoicePoint breach, the primary path for them at this point is litigation. It would not be surprising to see a class-action suit come against ChoicePoint. As for legislation, do not expect the US to follow the EU model of personal ownership of data – large business in America depends too heavily on the control and use of this information, and it will lobby effectively against such measures.

Endnotes

¹ Official information on the ChoicePoint breach can be found in the companys Response to Customer Fraud Litigation .

² California likes to be a leader, and when the federal government is slow to move, the California legislature is quick to step in and establish new laws in the interest of its residents. This is particularly true in areas of information security and privacy. See the December 3, 2004, Quick Take California Law Establishes Duty Of Care For Information Security.