Baich: Data theft problem no easy fix

By Paul F. Roberts, InfoWorld
February 08, 2007 09:19 AM ET
Rich Baich knows about data theft. Back in 2005, Baich was where he is now: at the RSA Security Conference in San Francisco, a published author and star in the tight-knit community of information security experts. Then the roof fell in as Baich's employer, data broker ChoicePoint, revealed that it had unwittingly allowed identity thieves posing as legitimate customers to make off with the financial records of more than 163,000 consumers.

For months afterward, Baich, now a principal at consulting firm Deloitte, was forced to explain how the security lapse had happened and to defend his performance as CISO in light of the breach. His former employer was ultimately forced to pay $15 million in penalties and compensation as a result of the breach, in a settlement with the FTC.

Two years later, ChoicePoint is just one in a string of major data breaches that now includes companies like Massachusetts retailer TJX, and Baich is back at RSA with a new book, a new job, and a new perspective on the problems of companies like ChoicePoint, CardSystems, or TJX, which he sees as symptoms of a broader, societal failure to recognize the value of personal data.

Chatting with InfoWorld in a hotel across from San Francisco's Moscone Center, where the RSA Conference is in full swing, Baich said that the U.S. needs a grassroots campaign to educate ordinary citizens about the need to protect their personal information.

Baich, who was accompanied by an attentive press officer from Deloitte, was circumspect when asked to comment on the recent breach at TJX but said that companies need to do a better job of understanding the "lifecycle" of information within their organizations and need to develop strategies to combat data loss that are based on risk, not merely on compliance demands or technology.

Asked to comment on TJX's decision to wait more than a month after disclosing the theft of credit card data from its network, Baich said that companies are often under orders from law enforcement to keep news of a breach secret while an investigation is ongoing. However, companies need to do a better job of protecting their own interests -- for example, asking law enforcement to put its request to suppress information about a breach in writing, and then being honest in saying that the company held off on notifying the public at the request of law enforcement.

Baich, who faced stern criticism from many former supporters for suggesting that ChoicePoint's failure to vet its customers wasn't the purview of the CISO, said he now has a more holistic view of enterprise security after working on behalf of companies for PricewaterhouseCoopers and now Deloitte.

"It's allowed me to experience things differently. You can't talk about security or privacy and compliance without talking about people, policies, and processes," he said.

Among other things, companies need to plan in advance for incidents like the TJX or ChoicePoint breach and create cross-disciplinary teams, including human resources, legal, information security, physical security, and law enforcement personnel, to respond to them when they occur, Baich said.
