IMPACTS OF CHOICEPOINT$$S NEGLIGENCE

IN INFORMATION SECURITY

ChoicePoint is a leading data broker with access to $19$ billion

public records and information on more than $220$ million

individuals. The company collects personal information,

including names, Social Security numbers, birth dates,

employment information, and credit histories, which it then

sells to over $50,000$ businesses and government agencies.

They rely on ChoicePoint$$s data for customer leads,

background checks, or other verification purposes.

The Problem

On February $15,2005,$ ChoicePoint reported that the personal

and financial information of $145,000$ individuals had been

$$compromised$$ putting them at risk of identity theft. The

compromise was not due to hackers or malicious spyware.

ChoicePoint had sold the information to Olatunji Oluwatosin,

a $41-$year$-$old Nigerian national living in California, who had

pretended to represent several legitimate businesses$$a

technique that is called pretexting. Oluwatosin$$s credentials

had not been verified, which enabled him to set up bogus

business accounts that gave him access to databases containing personal financial data. For their negligence and violation

of their privacy policy, ChoicePoint faced state and federal

penalties.

At the state level, ChoicePoint was compelled to

disclose what had happened. California$$s privacy breach

notification law, Senate Bill $1386($SB $1386),$ which went

into effect in July $2003,$ required ChoicePoint to inform

residents that their personal information had been compromised. Within days, outraged attorneys general in $38$ other

states demanded that the company notify every affected

U$.$S$.$ citizen.

At the federal level, ChoicePoint was charged with

multiple counts of negligence for failing to follow

reasonable information security practices. Beginning in

$2001,$ the company had been receiving subpoenas from

law enforcement authorities alerting them to fraudulent

activity. Despite these warnings, management did not

tighten customer approval procedures to safeguard

access to confidential data. The Federal Trade Commission

$($FTC$)$ charged ChoicePoint with violating the:

$$ Fair Credit Reporting Act $($FCRA$)$ by furnishing credit

reports to subscribers who did not have a permissible

purpose to obtain them, and by not maintaining

reasonable procedures to verify their subscribers$$

identities and intended use of the information.

$$ FTC Act by making false and misleading statements about

its privacy policies on its Web site.

Section $5$ of the FTC Act prohibits unfair or deceptive

practices, which gives the FTC authority to take action

against companies whose lax security practices could expose

the personal financial information of customers to theft or

loss. For a full explanation of the Act, see ftc$.$gov$/$privacy$/$

privacyinitiatives$/$promises$.$html$.$

On March $4,2005,$ ChoicePoint filed a report with the

SEC warning shareholders of an expected $$20$ million decline

in income by December $31,2005,$ and a $$2$ million increase

in expenses from the incident. In addition, there would

also be FTC fines. In January $2006,$ the FTC announced that

ChoicePoint had agreed to pay a $$10$ million fine, the agency$$s

largest$-$ever civil penalty, plus $$5$ million to compensate

customers for losses stemming from the data breach. Legal

expenses of $$800,000$ were incurred in the first quarter of

$2006$ alone related to the fraudulent data access. With the

announcement of the impending $$15$ million settlement,

ChoicePoint$$s stock price plunged, as shown in Exhibit W$11\mathrm{.}1\mathrm{.}1.$

The Solution

As part of the settlement, the FTC mandated the solutions to

ChoicePoint$$s risk exposure. The company implemented new

procedures to ensure that it provides consumer reports only

to legitimate businesses for lawful purposes, established and

maintains a comprehensive information security program,

and obtains audits by an independent third$-$party security

professional every other year until $2026.$ To reassure stakeholders and legitimate customers, ChoicePoint hired a chief

privacy officer $($CPO$).$

The Results

ChoicePoint$$s data breach brought businesses$$ security policies to national attention. Together with high$-$profile frauds

and malware, data breaches have triggered increased corporate governance and accountability.

Sources: Compiled from ftc$.$gov, Gross $(2005),$ Mimoso $(2006),$ and

Scalet $(2005).$

Please to answer the following questions below and also to out in a powerpoint preseentation

Questions

$1.$ Explain why Oluwatosin$$s pretexting attempt at

Choicepoint was effective.

$2.$ List three business impacts of the data breach.

$3.$ List three changes that were made to increase information security.