Data Breach at ChoicePoint - Research Paper Example

Data Breach at ChoicePoint ChoicePoint is the foremost credentialing service and brokerin United States of America. The organization caters to the needs of more than 220 million US citizens while maintaining 19 million public records. In 2000 the ChoicePoint sold important information without checking the background and credentials of buyers. This caused the company various fines and until 2008 the amount paid for compensations reached to $55 millions. This paper critically analyzes the root causes of the data breach at ChoicePoint while providing significant discussion on prevention methods. In addition to this, the sufficiency of fines imposed on ChoicePoint and effectiveness of the changes implemented by the organization in regard to data security are also discussed. Data Breach at Choice Point Introduction This paper aims to study and discuss data breach from different perspectives while making reference to the renowned data breach incident at ChoicePoint. The organization purchases the personal information of individuals including their names, birthdates, credit histories, social security numbers, employment data etc. These are then sold to different government agencies and businesses. Hence a significant number of marketing, accounting, human resources and finance managers depend upon the ChoicePoint to gain background information, verifications and customer leads. In 2000 ChoicePoint failed to protect its information records while selling them to unauthorized customers. This led the company to substantial loses and it had to pay fines for the next few years. In this paper, the root causes of this event are discussed including the prevention methods against data breach. Moreover, the sufficiency of fines imposed on the organization are discussed and the changes implemented by the organization after the data breach incident are also critically analyzed. Discussion Root Causes of Data Breach at ChoicePoint There are certain causes due to which customers’ information at ChoicePoint was compromised. For instance, the Federal Trade Commission claims that the company did not have realistic procedures to screen the potential subscribers which indicate substantial application issues. Hence it can be said that ChoicePoint failed to recognize the obvious threats present within its system. The Federal Trade Commission further declares that ChoicePoint did not take notice of its in appropriate application procedures while failing to keep check on subscribers even after getting notifications from law enforcement agencies regarding the fraudulent activities similar to those identified in 2001 (Farrell, 2006). Another significant cause due to which the consumer data was easily misused by subscribers was the violation of Fair Credit Reporting Act by ChoicePoint. Companies handling and selling customer data to government agencies and businesses are extensively required to ensure that the subscribers have authenticity to use data while also having a permissible reason to obtain them. However, ChoicePoint actually failed to recognize the identities of its subscribers while also being unable to evaluate their intentions to use the data (Farrell, 2006). Furthermore, it was identified that the organization was continuously providing credit reports to the criminal associations even after recognizing some false accounts set up at ChoicePoint (Sullivan, 2006). Consequently it had to discontinue its business operations particularly those in which sensitive consumer data was sold to subscribers. Moreover, the company faced a significant reduction of $15 million to $20 millions in its revenues (Scalet, 2005). Prevention from Data Breach Analysts argue that the incident of Data Breach reported at ChoicePoint could have been prevented through making significant changes in the company policy and the overall subscribers’ application procedure. Research and cost analysis indicates that it is easy and highly cost effective for organizations to act proactively when they are trusted with sensitive information of mass population. This is actually better than making changes in company procedures after data breach (Jones, 2012). Proactive approach has to be adopted by the organizations and law enforcement agencies both. For instance, new technologies must be developed to help in protecting customer data and laws must be updated as per the upcoming data breach challenges. It should be followed by the restoration of identity standards (Pollack, 2013) i.e. individuals subscribing to ChoicePoint must have to prove their identity and the purpose for which they need to access sensitive customer information. Data breach could have been prevented at ChoicePoint through the implementation of following procedures (Breach Prevention Overview, 2014): Risk Assessment: At the initial step ChoicePoint must have assessed the potential risks faced by the organization. Here, it could have gained help from security experts and law enforcement agencies. Compliance and Mitigation: Laws regarding data breach are significantly complex in nature. Thus it was appropriate for ChoicePoint to observe and alleviate risks prior to the actual incident of data breach. Breach Preparedness: This relates to the fact that data breaches can take place even when the organization has implemented risk assessments and compliance procedures. In order to meet such challenges the organization must have breach preparedness which will facilitate it in identifying the offenders and compensating the customers’ loss. Sufficiency of fines imposed on ChoicePoint Once the data breach was identified at ChoicePoint the Federal Trade Commission imposed serious penalties upon the organization including a fine of $10 million. The fine was considered sufficient to compensate the loss of 160,000 consumers. It was also recognized as the largest fine ever imposed by FTC on any organization. In addition to this, ChoicePoint was later asked to pay $5 million in a trust fund so as to facilitate individuals who were somehow affected by the identity theft (Vijayan, 2006). Another research reveals that the organization incurred total $26 million in fees and fines as additional $10 million were spent on the lawsuit of civil class-action whereas more than $500,000 was paid in terms of legal fees and different compensations (Romanosky, 2008). In my opinion the fines imposed on ChoicePoint were significant enough from hindering such an incident to happen again. The company had compromised the privacy of its consumers while on the other hand it also broke the federal laws and misled individuals about its privacy policy (Mohammed, 2006). Hence it was important to impose such huge fines so that no other company can violate laws of Federal Trade Commission. ChoicePoint’s data breach case also affected the security policies of other businesses by exposing them to the national level. Although significant data breach prevention measures were ensured by the law enforcing agencies after the incident but research indicates that malware and frauds are still increasing in the corporate sector. One of the reasons for such an increase in data breach and other similar activities is lack of ethics. Therefore apart from imposing fines law enforcement agencies and Federal Trade Commission must also increase ethical and moral guidance for these businesses in order to transform them in responsible members of the community. Effectiveness of changes implemented by ChoicePoint ChoicePoint made a number of changes in its procedures and policies following the data breach incident in 2005. Initially the company suspended all the apprehensive accounts while also rejecting few of the business license requests. Moreover, the company gave special attention to its validation process and made a public announcement that now the data will not be available to non-government and privately held organizations (Otto, 2006). Here, one of the most important changes made by the organization was to acknowledge its mistakes and compensating the loss of customers (Data Security: ChoicePoints Lessons Learned, 2006). This was followed by changes in the stock trading policy of the organization (ChoicePoint Inc. to pay $15 million over data breach, 2006). One report indicates that ChoicePoint changed its business model which increased the company’s operating charges from $8 to $10 millions (FTC hits ChoicePoint with $10 million fine over breach, 2006). The company also made a firm decision of limiting its sales unless the purchaser was associated with an accredited bank (Wright, 2014). All of these steps were taken to ensure that personal information of customers is protected up to the maximum extent (Bosworth, 2005). I personally believe that these changes played an important role in restoring the credibility of the organization while influencing other organizations to make similar changes in order to prevent data breach. Conclusion The above research and discussion reveals the fundamental causes of data breach at ChoicePoint while also discussing the prevention methods. Moreover, the sufficiency of fines imposed on the organization is discussed in detail and the effectiveness of subsequent changes made in organizational procedure by ChoicePoint is also mentioned. References Bosworth, M. (2005). Guilty Plea in ChoicePoint Data Theft. Retrieved July 18, 2014, from Free Republic. Breach Prevention Overview. (2014). Retrieved July 18, 2014, from ID Experts. ChoicePoint Inc. to pay $15 million over data breach. (2006). Retrieved July 18, 2014, from Gainesville. Data Security: ChoicePoints Lessons Learned. (2006). Retrieved July 18, 2014, from Base Line Magazine. Farrell, C. & Rich, J. (2006). ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress. Retrieved July 18, 2014, from Federal Trade Commission . FTC hits ChoicePoint with $10 million fine over breach. (2006). Retrieved July 18, 2014, from Jacobs Media Corporation. Jones, M. (2012). Data Breaches: Recent Developments in the Public and Private Sectors. A Journal of Law and Policy for the Information Security , 555-580. Mohammed, A. (2006). Record Fine for Data Breach. Retrieved July 18, 2014, from The Washington Post. Otto, P. A. (2006). The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information. North Carolina State University Technical Report . Pollack, D. (2013). A Decade of Breach: The More Things Change, the More They Stay the Same. Retrieved July 18, 2014, from ID Experts. Romanosky, S. T. (2008). Do Data Breach Disclosure Laws Reduce Identity Theft? Tuck School of Business , 1-20. Scalet, S. (2005). ChoicePoint Data Breach: The Plot Thickens. Retrieved July 18, 2014, from CXO Media, Inc. Sullivan, B. (2006). ChoicePoint to Pay $15 million over data breach. Retrieved July 18, 2014, from NBC News. Vijayan, J. (2006). FTC imposes $10M fine against ChoicePoint for data breach. Retrieved July 18, 2014, from Computer World. Wright, B. (2014). ChoicePoint Marked New Era in Data Security Law. Retrieved July 18, 2014, from SANS Technology Institute. Read More