Data Security: ChoicePoint’s Lessons Learned

A rash of security breaches has hit the headlines recently, chief among them the theft of a Department of Veterans Affairs’ laptop with data on 26.5 million vets. Perhaps the best advice on how to respond if your company is caught in the line of fire comes from one that has been there itself: consumer data broker ChoicePoint.

In February 2005, ChoicePoint acknowledged that it had mistakenly sold personal information on thousands of individuals—as it turned out, more than 163,000 people—to bogus companies set up by Nigerian criminals (see ChoicePoint: Blur, from Baseline’s June 2005 issue). The Federal Trade Commission this January fined the Alpharetta, Ga.-based company $15 million for the disclosures.

Carol DiBattiste, ChoicePoint’s chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach never happens again.

“There’s not a company around today that takes security more seriously than we do,” claims DiBattiste, who joined ChoicePoint in March 2005 after serving as deputy administrator of the U.S. Transportation Security Administration. She says ChoicePoint has passed 43 security and privacy audits in the past year.

Gartner analyst Avivah Litan says ChoicePoint’s security practices are now extremely strict—and appear to be among the best in any industry. “When you’re fined and caught after a data breach,” she says, “you really shape up.”

Some of ChoicePoint’s changes involved business practices. The company says it has improved its customer-screening procedures, verifying each customer’s authenticity through multiple sources and by physically visiting its premises. It also now provides personally identifying information like Social Security numbers only as part of consumer-initiated transactions (as when someone applies for a home loan), as part of fraud-prevention programs or when requested by law enforcement officials.

But ChoicePoint has also tightened the screws on its information-technology infrastructure, with what DiBattiste says are more than 30 new policies and procedures.

It’s enhanced user ID and password protections—if employees forget their password, they must take a five-question quiz (example: “What year was your Social Security number issued?”) to reset it; if they fail that, they must pass a 15-question quiz with a systems administrator.

ChoicePoint has blocked access to its network from all non-U.S. Internet addresses, with a few exceptions that DiBattiste declined to detail. It has put employees at each of its 60 U.S. locations in charge of verifying the destruction of outdated consumer information, which the company is required by law to dispose of.

And the company now encrypts all data feeds to the three major credit bureaus as well as certain information stored in its databases, such as credit card numbers. DiBattiste adds that a project to move to laptop encryption “across the board” is still in the works.
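The column-level encryption the article mentions for stored values such as credit card numbers is a good fit for authenticated encryption, where every ciphertext carries an integrity tag and is bound to the row and column it belongs to. The program below is an added example written for this page, not ChoicePoint’s code and not something the article describes in any detail; it assumes a 32-byte key delivered by a key-management service and a hypothetical per-record context string such as `customer:4711/card_number`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// FieldCipher encrypts individual database columns (for example a card
// number) with AES-256-GCM. The key is assumed to come from a KMS or HSM
// and is never stored next to the ciphertext.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher builds an AEAD from a 32-byte key.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("field key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Encrypt seals one field value. The context (hypothetical row/column
// identifier) is bound as associated data, so a ciphertext copied into
// another row or column fails authentication on decrypt.
// Output is base64(nonce || ciphertext || tag).
func (fc *FieldCipher) Encrypt(plaintext, context string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := fc.aead.Seal(nonce, nonce, []byte(plaintext), []byte(context))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt and fails if the ciphertext was altered or the
// context differs from the one used when the value was stored.
func (fc *FieldCipher) Decrypt(encoded, context string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := fc.aead.NonceSize()
	if len(raw) < ns+fc.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := fc.aead.Open(nil, raw[:ns], raw[ns:], []byte(context))
	if err != nil {
		return "", errors.New("decrypt failed: wrong key, wrong context or tampered ciphertext")
	}
	return string(plain), nil
}

// MaskPAN returns the display form kept alongside the ciphertext so that
// most application code never needs the key at all.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func main() {
	// Constructed demo key; in production it is fetched from the KMS.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed test card number (not a real account).
	ct, _ := fc.Encrypt("4111111111111111", "customer:4711/card_number")
	fmt.Println("stored:", ct, MaskPAN("4111111111111111"))
	pt, err := fc.Decrypt(ct, "customer:4711/card_number")
	fmt.Println("decrypted:", pt, err)
	_, err = fc.Decrypt(ct, "customer:4712/card_number")
	fmt.Println("moved to another row:", err)
}
```

The context string is what turns column encryption into something more than obfuscation: without it, an insider with write access to the table could copy one customer’s encrypted card number into another record and have the application decrypt it on their behalf.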

Another new measure: ChoicePoint this month created a security advisory committee composed of DiBattiste, the company’s CIO, head of internal audit, chief business officer, chief marketing officer, chief administrative officer and general counsel. The group meets regularly “to ensure we’re hitting every aspect of security and privacy,” says DiBattiste.

“One of the lessons we learned is that security is a moving target,” she says. “The bad guys move too. So we have to constantly be in touch with the things we need to be doing to respond.”

QUESTION: What do you think of ChoicePoint’s changes? Write to [email protected].