Case Study Information Handling at Choice Point

With a large number of people who were left vulnerable due to ChoicePoint’s irresponsible practices, the firm should look to lead in the cleanup, investigation, and prevention of the data through actions such as (a) Providing complimentary credit monitoring, (b) preliminary checks on those that might be affected, and (c) a checklist/guide for individuals who may be victims of identity theft. A recent example of these actions taking place can be seen in the case of Equifax’s 2017 data breach, known widely as the biggest data breach in history, where it has been reported that over 143 million people were affected.

According to the Equifax, the breach lasted from mid-May through July 2017. “The hackers accessed people’s names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers. They also stole credit card numbers from about 209,000 people and dispute documents with personal identifying information for about 182,000 people" (FTC.)  Equifax took the steps listed above in an effort to mitigate the effects of the breach. By having people directed to their website “EquifaxSecurity2017.com”, they have a better understanding of whether they were impacted and are made aware of the next steps to take in order to protect themselves against hackers. The site also provides news and updates regarding the event, keeping you up to speed. Equifax clearly explains the steps they are taking in order to clean up their mess, stating that they “took steps to stop the intrusion, and engaged an independent cybersecurity firm to forensically investigate and determine the scope” upon the learning of the incident.

ChoicePoint did indeed provide a website, providing similar details to Equifax at privacyatchoicepoint.com, which now redirects to LexisNexis’ Consumer and Data Access Policies page. (An archived version of the website can be viewed using the internet archiving tool, the Wayback Machine, at https://web.archive.org/web/20060719203510/http://www.privacyatchoicepoint.com:80/.) Unfortunately, the internet wasn’t as engrained into society then compared to now. This information likely never made its way to consumers looking for a way to stay safe against criminals.

A few years following the crisis, ChoicePoint had started to become met with praise with their response to the incident. In the April 2007 USA Today article: Who's guarding your data in the cybervault?, Gartner Analyst, Avivah Litan, was quoted as saying “ChoicePoint transformed itself from a poster child of data breaches to a role model for data security and privacy practices." Three months later, Darryl Lemecha, CIO and senior vice president of shared services at ChoicePoint, spoke at the IDC IT Forum & Expo describing his company’s experience following the aftermath of the data breach. He explains that they had been audited over 80 times during a 24-month span. He feels this helped them to take a “leap”, describing ChoicePoint as being world-class in terms of policies, procedures, and practices (Network World.) During the Expo, he outlined a five-step plan in which ChoicePoint took, and advised firms to follow suit in tightening up data security and privacy systems:

• Governance (appointing privacy officers, board members, committees and various divisions overseeing privacy & security)
• Clearly defining expected behavior and provide tools to employees to simplify compliance
• Write information security breach response policies and procedures, spelling out who should be notified in case of a breach and what the company should do for affected customers
• Determine the credentials of people you work with and who work for you
• Embracing openness (transparency with customers, and individuals whose data is being housed)

Data aggregators such as ChoicePoint are relied upon by its customers to provide valuable information on individuals.  Their business is important to society because it is a means to make decisions that affect business, economics, and life generally. Hiring managers using the data can make informed decisions on the hiring of an employee via background checks, while banks can use similar information make decisions on approving loans and mortgages. Through analyzing information such as criminal history, credit reports, previous employment and finances, responsible users of the data contribute to the overall security of society. Without data aggregators, it becomes extremely difficult to make everyday business decisions involving people who are unfamiliar to your firm. Though ethically questionable, data brokers should continue to have the right to sell an individual’s information to customers with guidance from the FCRA which regulates the practice. Violations of FCRA principles can lead to fines and consequences from the FTC, such as that experienced by ChoicePoint as described earlier in the essay.

Previously, the now disbanded Individual Reference Services Group (IRSG) was approved by the FTC to allow for the self-regulation of data aggregation. Their members developed principles with regards to distributing public and non-public data, explaining that “public record information and publically available information shall be usable without restriction unless legally prohibited.” The IRSG continued with “individual reference services may distribute non-public information without restriction of its contents only to qualified subscribers, following this by creating guidelines as to what conditions have to be followed in order to be considered “qualified.” The IRSG was soon disbanded after the introduction of the Gramm-Leach-Bliley Act of 1999. In the testimony of Chris Jay Hoofnagle, Director of the Electronic Privacy Information Center (EPIC), he states that the IRSG allowed "qualified subscribers" needing to “only state a valid purpose for obtaining the information and agree to limit redissemination of information” (EPIC.)

From an individual standpoint, it is easy to perceive that these businesses are only worried about their own self-interests and preservation, without concerns for the individual who is unknowingly contributing toward building their personal profile with actions they take in every-day life. However, from a business perspective, I can understand how important data collection and distribution is for society and maintain its safety and security. Imagining a world without data aggregation companies would be that of schools who have felons teaching kids in a classroom, and irresponsible businesses applying for billion-dollar loans without a means to preventing these scenarios. As quoted in the case study, Derek Smith says “we have a right to privacy. But in this society, we can’t have a right to anonymity”, which I agree with. While the right parties should be able to know who you are in order to make informed decisions, they need to also understand that they cannot abuse this power by selling data irresponsibly.

Data aggregation firms need to also understand that by providing a service that they see as reducing risks and making the world safer, they are regularly exposing the same people they are looking to keep safe. Gone are the days of only having to worry about protecting paper documents, behind a locked door and unarmed guards. ChoicePoint’s failures have been an opportunity for other firms to learn from their mistakes as they will continue to be targeted by hackers. Though confident in their business, cyber-security should continue to be invested in allowing for the around the safeguarding of their product, individual’s information, which clearly has extreme value in the marketplace.

Bibliography

1. Boatright, J. R., & Smith, J. D. (2017). Ethics and the conduct of business. Boston: Pearson.
2. Brodkin, J. (2007, June 11). ChoicePoint details data breach lessons. Retrieved October 22, 2017, from https://www.networkworld.com/article/2291190/lan-wan/choicepoint-details-data-breach-lessons.html
3. Cole, B. L. (n.d.). Retrieved October 22, 2017, from http://www.diogenesllc.com/irsg.html
4. March 17, 2005, Chairman Re: Testimony on ChoicePoint and ... (n.d.). Retrieved October 22, 2017, from https://epic.org/privacy/choicepoint/majorasltr3.17.05.pdf
5. (n.d.). ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress. (2015, June 26). Retrieved October 22, 2017, from https://www.ftc.gov/news-events/press-releases/2006/01/choicepoint-settles-data-security-breach-charges-pay-10-million
6. (n.d.). The Equifax Data Breach: What to Do. (2017, October 05). Retrieved October 22, 2017, from https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
7. (n.d.). INDIVIDUAL REFERENCE SERVICES INDUSTRY PRINCIPLES. Retrieved from https://www.ftc.gov/system/files/documents/reports/individual-reference-services-report-congress/irsappd.pdf
8. Identity Theft Recovery Steps | IdentityTheft.gov. (n.d.). Retrieved October 22, 2017, from https://identitytheft.gov/
9. Individual Reference Services Group - Federal Trade Commission. (n.d.). Retrieved October 22, 2017, from https://www.ftc.gov/system/files/documents/reports/individual-reference-services-report-congress/irsappd.pdf
10. Reed Elsevier to acquire ChoicePoint for $3.6 billion. (2008, February 21). Retrieved October 22, 2017, from http://www.nytimes.com/2008/02/21/technology/21iht-reed.4.10279549.html
11. What Can I Do? (n.d.).
12. (n.d.). Retrieved October 22, 2017, from https://web.archive.org/web/20060719203510/http://www.privacyatchoicepoint.com:80/