At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant. That same month, February, saw stories that had bigger numbers (Bank of America, 1.2 million names and Social Security numbers) and more sex appeal (T-Mobile, Paris Hilton) than the predictable details of the ChoicePoint case. Thousands of victims, compromised Social Security numbers, an arrest on charges of identity theft. Yada yada yada. But somewhere along the way, the ChoicePoint saga became the spark that caused an explosion.
Maybe it was the fact that this wasn't a hack. Personal information of nearly 145,000 people wasn't stolen from ChoicePoint. In fact, the company sold the information to inadequately vetted bogus businesses -- this when the company itself helps other businesses verify creds. Maybe it was that the people whose information was compromised weren't customers of ChoicePoint, just accidental citizens of the vast databases of the Alpharetta, Ga.-based information broker. Maybe it was the way that ChoicePoint behaved after the breach: from an initial, bumbling response that smacked of marketing, to a changing story about what had happened and how the company was responding, to the revelation that top executives had sold millions of dollars worth of stock between the time the fraud was discovered and when it was announced to the public.
Or maybe it was this last twisted bit of irony: ChoicePoint chairman and CEO Derek V. Smith had recently written two books about how individuals can protect themselves in the information age.
You can't make this stuff up.
"It was like they put a big sign on themselves that said 'Regulate me,'" security maven Bruce Schneier says.
Now that the initial flames are dying down -- and lawmakers are trying to figure out how to prevent future fires at ChoicePoint and other information brokers such as LexisNexis and Acxiom -- we've tried to sort out what the debacle means for CSOs. Five key plot points emerge, and they all lead to an ending where the CSO's job may never be quite the same.
The unbearable lightness of data
Like most Americans, Mary Chapman had never heard of ChoicePoint until one day in February, when she got a letter informing her of "a recent crime committed against ChoicePoint that MAY have resulted in your name, address and Social Security number" being inappropriately viewed.
"I was angry as all can be, because the way the letter sounds, it was totally an incident against them, and an -- I quote -- 'inconvenience' to us," says Chapman, a 61-year-old resident of Yreka, Calif. "It could be a lot more than an inconvenience."
Chapman feels fortunate not to count herself among the 750 people who ChoicePoint says have already become victims of identity theft due to the security breach. But she's seething about the fact that her information was inadequately protected by a company she'd never done business with. She's also mad about how difficult it was for her to sign up for the free credit monitoring service that ChoicePoint is giving all the victims for one year -- not that she thinks one year is long enough.
"I'm going to have to watch my back for the rest of my life," she says. "I'm angry that my rights as a citizen have been violated. I'm angry that a company is out there selling my personal information for monetary gain. Yes, I'm angry. I'm very angry. And I hope to heavens that everybody who's involved in this is just as angry as I am."
Virginia attorney Leonard Bennett of Consumer Litigation Associates is hoping that other victims are angry too. Along with 10 other attorneys in four states, Bennett is preparing to file a class-action lawsuit against ChoicePoint on behalf of citizens whose information was compromised in the breach. As of press time, in fact, nearly 20 class-action suits had been filed, according to the Los Angeles Times.
Meanwhile, the furor seems to have roused other beasts. A dormant 2003 negligence case against the Arizona-based TriWest Healthcare Alliance (more than 500,000 names with personal information stolen) may be sputtering back to life. Others lawsuits are sure to follow. Hard on the heels of the ChoicePoint incident came revelations of a security breach at a competitor, the Reed Elsevier subsidiary LexisNexis (310,000 names with personal information), in addition to news of a database break-in at shoe retailer DSW.
At ChoicePoint, damage control eventually kicked in. The company announced that it would "discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there is a specific consumer-driven transaction or benefit" or law enforcement purpose. Although the company has not been clear about exactly what this business change entails, executives were ostensibly shutting down some of the business and admitting that they simply couldn't reliably verify credentials for some small-business customers. That seemed cold comfort to the privacy community.
"My reaction isn't, 'Gosh, I'm glad to hear that,'" says consultant Richard Purcell, who is CEO of the Corporate Privacy Group. "It's, 'My God, why have you been doing that when there's no reason to?'"
Before, few people had really known about all of the information that ChoicePoint and its brethren amass, from driving records and property deeds to lists of relatives and job history for nearly every adult in the United States. Now, the citizen-cowboys are rounding themselves up. They've found out about the risks to their personal data -- and that may be the most powerful information leak of all.
The Dangers of Narrowly Defining Information Security
Over the past decade, ChoicePoint CISO Rich Baich has become a bold-faced name in the infosec world. When the scandal broke, Baich, a CISSP and Certified Information Security Manager, was with his tribe at the 2005 RSA Conference in California. At a roundtable discussion about the transformation of the security industry, the CEO of Symantec introduced Baich as "a true security professional." This was assumed. Baich was the 2004 Information Security Executive of the Year for Georgia, recognized for his "illustrious career." He has a new book coming out, in late spring, titled Winning as a CISO. In a cover story on the CISO role, this magazine described him as the rare thriving CISO with a budget and clout.
ChoicePoint CISO Rich Baich has emphasized information security's separation from antifraud responsibilities.
But the limelight turned scorching. "What a fraud and discredit to the position of the CISO," read an anonymous posting in response to that story at CSOonline.com, including the URL of a ChoicePoint press release about the debacle.
When CSO requested an interview with Baich in early March, ChoicePoint's public relations department said to contact him directly to inquire about his availability. Baich returned our call. Sounding upbeat, he said that he was trying to convince his public relations department to let him set the record straight. "They need to let this happen," he said. "Look, I'm the chief information security officer. Fraud doesn't relate to me." He indicated that he would be doing the CISO community a service by explaining to the media why fraud was not an information security issue. (The company later denied his request to grant the interview.)
The feds, however, are acting as if it's an information security issue. ChoicePoint has indicated that the Federal Trade Commission is "conducting an inquiry into our compliance with federal laws governing consumer information security and related issues."
The security community seems skeptical of Baich's argument too. CISOs have long asserted that their responsibilities ought to encompass all aspects of information protection -- whether a vulnerability stems from insider misuse, an outside hack or (in ChoicePoint's case) a social engineering scam. It seemed an especially convenient moment for Baich to argue, uncharacteristically, that his job description is actually narrower than one would assume.
"Social engineering to get access to systems is social engineering. It's malicious activity," says Craig Shumard, CISO and senior vice president at insurance company Cigna. Shumard says he definitely considers protecting against social engineering scams to be part of his job. "Any type of trying to penetrate or misuse or access information inappropriately is all within the CISO's job. I would take it even a step further. Where you have trusted users and they misuse their trusted access, I view that within the CISO's job as well."
"Rich is looking at this at a very technical level, saying, None of my security technology would have helped prevent this," says Michael Assante, CSO of American Electric Power. Assante considers Baich a friend, and he thinks the crime is a result of a weakness in ChoicePoint's business processes for vetting customers. "But I believe that the CISO has to be a critical part of looking at weaknesses," he says. "Clearly, as CISO or CSO, we can't discount weak business processes. My view of the CISO's role -- and I think we're very early in this maturity curve -- but my view is that the CISO can't just work in the tech space. They have to start looking at business processes.
"I think for anyone to try and say 'it's not my responsibility' is a dangerous thing. More and more we need to recognize that it is our responsibility," Assante says.
Not that the buck necessarily stops with Baich. At ChoicePoint, the information security department was not in charge of verifying the credentials of its customers. But Baich was the company's top security person, and the extent to which fingers are pointed at him speaks volumes about how broadly CISOs have come to be regarded as protectors of information, no matter the threat. Responding to the media glare by disputing the "hack" characterization is a case of splitting hairs; by any name, what happened reflected a wholesale failure of ChoicePoint's approach to security governance.
The dizzyingly short tenure of the first CPO
Back to that letter that Chapman and the other ID theft victims received. It had the signature line of a real person: "J. Michael de Janes, Chief Privacy Officer."
Funny thing, that CPO moniker: As near as CSO can determine, it was the first time that de Janes donned it -- and perhaps the last. De Janes is actually the general counsel for ChoicePoint. His description of responsibilities on the ChoicePoint website does not include privacy. It seems that ChoicePoint just needed a privacy officer, and fast.
As part of its effort to reassure the public that it would prevent future fraud, ChoicePoint quickly announced that it was creating an office of credentialing, compliance and privacy that would report directly to the board of directors' privacy committee. "Recent events where criminals were able to become customers have led us to take this strong action in order to regain the trust of consumers that their information is being used only for their benefit, or the benefit of society at large," said privacy committee chairman John Hamre in a written statement. To lead that effort, the company needed to hire a privacy officer who would do more than just sign letters.
Starting on May 2, Carol A. DiBattiste, previously deputy administrator of the Transportation Security Administration, will be ChoicePoint's first chief credentialing, compliance and privacy officer.
The limited scope of the disclosure
By now, everyone knows about California state law SB 1386, which went into effect on July 1, 2003. It requires businesses to inform residents if their unencrypted personal information -- including name along with either driver's license number, Social Security number, or credit card or banking information -- has been compromised. This is the law that brought light to the ChoicePoint breach. But what few people have realized is how narrowly that light was cast.
ChoicePoint originally began notifying some 35,000 California residents that their information had been involved in the scam. That wasn't good enough for the attorneys general in 38 other states, who demanded that the company notify all affected U.S. citizens. ChoicePoint quickly announced that more than just California residents had been affected after all, and that the company would send letters to consumers in all 50 states.
But even this broader notification process had a hitch. The nearly 145,000 people nationally that ChoicePoint identified as affected were based on an investigation that went back only as long as the law was in effect. According to public records filed by ChoicePoint, the company investigated "unauthorized access to our information products on or after July 1, 2003, the effective date of the California notification law."
This seems like the final straw for Beth Givens, director of the Privacy Rights Clearinghouse, a national consumer advocacy organization. "What a negligent company," she says, her voice falling, when she hears about the limitations of the ChoicePoint investigation.
When asked about the scope of the investigation during a Congressional hearing, CEO Smith stated (without much detail) that an "aggressive" investigation is still under way.
Going forward, though, companies may not be so lucky in how they limit an investigation. The U.S. Federal Reserve Board has since announced new rules requiring financial institutions to notify customers "as soon as possible" if their personal information has been breached. A bill that Sen. Dianne Feinstein (D-Calif.) reintroduced to the Senate on Jan. 24, 2005, has been gaining traction. Similar to the California disclosure law, Feinstein's bill would require businesses and government agencies to notify individuals when there is a "reasonable basis to conclude" that a criminal has obtained their unencrypted personal data. The FTC supports this type of notification law, and also a possible expansion of the Gramm-Leach-Bliley Act, which currently affects how financial institutions protect their customers' privacy. Also, Sen. Bill Nelson (D-Fla.) is introducing legislation that would empower the FTC to regulate the information industry. Those are only the more prominent laws introduced on both the federal and state levels.
Cigna's Shumard expects some kind of national disclosure law as a likely outcome. "And if you have a couple other high-profile incidents while that legislation is being debated, that will have an impact," he says. The end result? The further we get from July 1, 2003, the longer the time span of an investigation will need to be -- and the harder it will be to hide the true scope of a security breach.
The SEC's emergence as a confession booth
Consumers whose information was compromised in the scam weren't the only ones to hear the bad news straight from ChoicePoint. On March 4, 2005, in what may be a first for a publicly held company, ChoicePoint filed an 8-K with the Securities and Exchange Commission, warning shareholders that revenue would be affected by the fallout from the security breach, to the tune of an estimated $15 million to $20 million decline by Dec. 31, 2005, and another $2 million in expenses from the incident. A spokeswoman downplayed the disclosure, saying it was a routine SEC filing done because ChoicePoint was exiting one of its lines of business due to the security breach.
But the confession must have looked cathartic for Reed Elsevier, the London-based parent company of ChoicePoint competitor LexisNexis. Less than a week after ChoicePoint filed its 8-K, Elsevier filed a 6-K (the equivalent filing for a non-U.S. company), as a way of announcing its own news. The personal information of 32,000 individuals in its databases may have been fraudulently accessed in a similar scheme in which criminals stole legitimate business credentials. Elsevier sought to reassure shareholders: "The financial implications are expected to be manageable within the context of LexisNexis's overall growth."
Later, Reed Elsevier filed a second 6-K about the breach, stating that about 310,000 U.S. residents may have been affected, almost ten times the company's earlier estimate.
Sound like Sarbanes-Oxley compliance?
Not quite. Section 409 of Sarbanes-Oxley does require that the "issuer must disclose to the public information on material changes in the financial condition or operations of the issuer on a rapid and current basis." Both events seemed to meet the requirement. But that rule has not yet taken effect, and the feds are still trying to hammer out "real-time" and other vagaries of the law. These two disclosures seem to be more preemptive than anything else.
"It's Sarbanes-Oxley, only indirectly," says Arthur Miller, the Harvard Law School professor who is known for his attention to privacy issues. "What it really is is corporate accountability. After the Enron and WorldCom fiascos, companies are much more sensitive about what they have to tell shareholders. The companies don't want to be caught in the bind of, if their stock goes down, somebody bringing a class-action lawsuit against them, saying that there was a material piece of information [the company] didn't disclose to them" -- which had already happened to ChoicePoint.
"This is very prophylactic," Miller continues, "and from a social point of view I suppose it's desirable, because there hasn't been enough corporate accountability. This is a recognition of the fact that privacy is material. Privacy fiascos can move the stock."
"The fact that it was done voluntarily is key," says Howard Schmidt, chief security strategist of eBay and former national cybersecurity adviser. "Myself and others have tried to stay away as much as possible from government regulations. The companies felt it was significant enough that they went ahead and filed this on a voluntary basis." Now, Schmidt is hopeful that the next time a company has a significant security breach, that company "might be more inclined to file an SEC report because it's already been done."
Epilogue: The one point that's not shocking
Anyone who's been in this business very long knows an explosion like ChoicePoint doesn't necessarily change the world. The hard work is just starting now, as CSOs and CISOs try to make the most of the newfound attention that consumers, lawmakers and boards of directors are paying to information security. The biggest failure could be yet to come, if the ChoicePoint scandal ends up as yet another footnote in the troubled narrative of our failed attempts at information security, early 21st century. Sasser. U.S. Department of Interior. PayPal phishing. Los Alamos. ChoicePoint.
"It does have a potential" to be a tipping point, Schmidt says. "My only fear is that it makes a splash for a week or two weeks, and then it calms down, and the fire in the belly, so to speak, wanes. We see that in post-9/11 life."
Timothy Williams, CSO of Nortel Networks, seems to agree. ChoicePoint can be a watershed moment, he says, but only if CSOs use it to get support for their jobs and make a good case for why companies shouldn't approach risks within the narrow confines of "IT security" or "fraud" or "investigations."
"We can take a bad situation and build some good processes around it," Williams says. "Then we're seizing the opportunity."
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.