ChoicePoint details data breach lessons

Assume every piece of information is “potentially fraudulent,” CIO says

By Jon Brodkin, Network World
June 11, 2007 02:49 PM ET

BOSTON -- Few companies know as well as ChoicePoint the consequences of failing to secure the personal information of consumers.

A provider of information used in background checks, ChoicePoint was involved in a data breach more than two years ago that compromised the records of 163,000 people -- but has since transformed itself into what one analyst called a “role model” in data security and privacy. Today, at the IDC IT Forum & Expo in Boston, the organization’s CIO explained how it recovered and offered lessons that other enterprises handling sensitive data can learn from ChoicePoint.

Too often, simple mistakes are the cause of data breaches, said Darryl Lemecha, CIO and senior vice president of shared services at ChoicePoint. Listing a person's Social Security number on a mailing address label, or not securing data on a laptop that is later stolen or lost, are mistakes that have left some companies wishing they had thought more about security, he said.

“Encrypt all your laptops,” Lemecha recommended. “Because they’re going to get lost, they’re going to get stolen. And make sure all your handheld devices have passwords on them and you have the ability to do a remote wipe [of data].”

In 2005, the records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company’s database of personal information. ChoicePoint agreed to pay $10 million in civil penalties and $5 million for consumer redress. The company, which recently reached a separate settlement with 43 states over the breach, also decided to limit the sale of information products containing sensitive consumer data, including Social Security and driver’s license numbers.

In doing so, ChoicePoint walked away from what was a more than $15 million business serving small and midsize accounts, but the company felt it could not sufficiently determine the credentials of those customers in a cost-efficient manner, Lemecha said.

After the data breach, ChoicePoint worked backwards to determine the credentials of every one of its customers, he said. “The truth is, we assume every piece of information a customer provides us in the credentialing process is potentially fraudulent, and we validate it against other sources,” Lemecha said.

ChoicePoint has been subjected to more than 80 external audits over the past 24 months, he said.

In April, Gartner analyst Avivah Litan told USA Today that "ChoicePoint transformed itself from a poster child of data breaches to a role model for data security and privacy practices."

Lemecha offered a five-step plan to CIOs looking to shore up their data security and privacy systems, based on what ChoicePoint has done.

The first step is governance. ChoicePoint has a chief privacy officer who reports directly to a board that governs privacy and public responsibility, bypassing the rest of the corporate structure, he said. This board is briefed quarterly on progress in improving privacy and security, and several other committees take on more specific oversight roles. Beyond committees, ChoicePoint has a number of divisions tackling privacy and security from different angles, such as a corporate credentialing center, a compliance and privacy division, and internal auditing.
