BOSTON – Few companies know as well as ChoicePoint the consequences of failing to secure the personal information of consumers.
A provider of information used in background checks, ChoicePoint was involved in a data breach more than two years ago that compromised the records of 163,000 people — but has since transformed itself into what one analyst called a “role model” in data security and privacy.
On Monday, the organization’s CIO explained how it recovered and offered lessons other enterprises that handle sensitive data can learn from ChoicePoint at the IDC IT Forum & Expo in Boston.
Too often, simple mistakes are the cause of data breaches, Darryl Lemecha, CIO and senior vice president of shared services at ChoicePoint, Listing a person’s Social Security number on a mailing address label, or not securing data on a laptop that is later stolen or lost, are mistakes that have left some companies wishing they had thought more about security, he said.
“Encrypt all your laptops,” Lemecha recommended. “Because they’re going to get lost, they’re going to get stolen. And make sure all your handheld devices have passwords on them and you have the ability to do a remote wipe [of data].”
In 2005, the records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company’s database of personal information.
ChoicePoint agreed to pay US$10 million in civil penalties and $5 million for consumer redress. The company, which recently reached a separate settlement with 43 states over the breach, also decided to limit the sale of information products containing sensitive consumer data, including Social Security and driver’s license numbers.
In doing so, ChoicePoint walked away from what was a more than $15 million business serving small and midsize accounts, but the company felt it could not sufficiently determine the credentials of those customers in a cost-efficient manner, Lemecha said.
After the data breach, ChoicePoint worked backwards to determine the credentials of every one of its customers, he said. “The truth is, we assume every piece of information a customer provides us in the credentialing process is potentially fraudulent, and we validate it against other sources,” Lemecha said.
ChoicePoint has been subjected to more than 80 external audits over the past 24 months, he said.
In April, Gartner analyst Avivah Litan told USA Today that “ChoicePoint transformed itself from a poster child of data breaches to a role model for data security and privacy practices.”
Lemecha offered a five-step plan to CIOs looking to shore up their data security and privacy systems, based on what ChoicePoint has done.
The first step is governance. ChoicePoint has a chief privacy officer who reports directly to a board that governs privacy and public responsibility, bypassing the rest of the corporate structure, he said. This board is briefed quarterly on progress improving privacy and security, and several other committees take on more specific oversight roles.
Beyond committees, ChoicePoint has a number of divisions tackling privacy and security from different angles, such as a corporate credentialing center, a compliance and privacy division, and internal auditing.
“From an execution perspective, don’t expect a single group to be able to do it all,” Lemecha said. “If you want to do something really simple, take a look at your organization, figure out where all the security functions occur, and lay out an accountability and responsibility chart, just a simple diagram.”
The second step is to clearly define expected behavior and provide tools to employees to simplify compliance. ChoicePoint instituted a number of practices to monitor potentially fraudulent customer behavior, such as investigating companies that suddenly increase the number of background checks they run by a large margin, he said.
Third, a company should write information security breach response policies and procedures, spelling out who should be notified in case of a breach and what the company should do for affected customers.
After ChoicePoint’s breach, the company offered free credit monitoring, credit reports and identity-theft insurance to the victims.
Fourth, determine the credentials of people you work with and who work for you.
Lemecha recommended performing background checks on employees on an ongoing basis, rather than just doing one at the time of hire. “If you only check them at the beginning, you’ll never know what’s happened in between,” he said.
The last step Lemecha recommended is embracing openness. ChoicePoint developed a Web site detailing the steps it takes to protect privacy, and developed another site that lets consumers find out what information ChoicePoint maintains about them in its files — if they can sufficiently authenticate their identities, of course.
Until ChoicePoint’s data breach, “we felt we were as good as anyone else in the industry,” Lemecha said. “But now we feel we really are world-class in terms of our policies, procedures and practices.
That was a leap that got taken in really an 18- to 24-month period. It’s a very short time and it took work from a lot of people.”