Damage Control
by Michael S. Mimoso
Issue: Apr 2005
EXPOSE
ChoicePoint's Rich Baich faced the perfect storm: a huge security breach, intense media attention and a shareholder revolt. What he needed was a response plan to get him out of the HOT SEAT.

Legislation: Disclosure Loopholes
ChoicePoint may have discovered the breach that exposed the personal data of 145,000 people, but the break-in likely would never have been publicly disclosed had it not been for California's landmark Security Breach Information Act, SB 1386.

The Georgia-based company was bound by law to come clean to more than 35,000 affected Californians, and soon revealed that 110,000 more Americans nationwide were also at risk of identity theft.

What few know is that the law gives compromised companies wide latitude as to when they must inform consumers. The gap between discovery and disclosure could ultimately work against numerous state and federal bills swiftly being modeled after the California statute.

"I don't think that Congress or big business really has a clue yet as to how to deal with consumer data privacy," says Stephen Cobb, author of Privacy for Business. "I'm not sure notification is where the focus should be. Per-instance or per-incident fines may be more appropriate."

ChoicePoint sat on the disclosure for five months, going public in February after a Nigerian man's conviction in the scam became public record in Los Angeles. The company says it stayed mum at investigators' request, which is allowed under SB 1386. The law stresses that "disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement."

That disclosure loophole could leave individuals exposed to identity theft during criminal investigations, and privacy advocates aren't convinced legislators will provide the level of protection consumers need. Some experts say that the courts may have to determine what constitutes proper notification.

"The day of reckoning is coming when the case is made in court that someone suffered great harm, in terms of actual costs and stress, during the time the theft remained a secret," Cobb says.

--Anne Saita

Despite its best efforts and spin control, ChoicePoint has joined the American lexicon as the next symbol of shoddy data protection. The Georgia-based data collector didn't suffer a traditional network hack. No firewall was bypassed. No AV subverted. No IDS tricked. Rather, a fraudulent scheme duped the processes that guarded the sensitive information of 145,000 people. It's an instance where a company's most precious asset was compromised because security and business managers failed to properly assess the risk of a business process. It's also an example of how a company's public disclosure of a security breach can quickly spin out of control once the mainstream media begins ripping into the story.

"I'm in awe of how this has gone to the dinner table," says ChoicePoint CISO Rich Baich. "It's not possible to assess the damage to our reputation." Baich bristles at headlines proclaiming the fraud perpetrated against ChoicePoint as the work of "hackers." With identity theft a sexy topic, the news media will latch on to a story like ChoicePoint's, which keeps producing new details following an arrest and prosecution in the case in February, as well as the compulsory disclosure of the breach under California's Security Breach Information Act (SB 1386). Managing the message sent to shareholders and customers via the press has been paramount.

"The mislabeling of this event as a hack is killing ChoicePoint," says Baich. "It's such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don't."

Regardless of the incident's true classification, or what the media calls it, ChoicePoint has quickly become a case study in the importance of an incident response plan that takes into account working with law enforcement, publicly disclosing breach information and dealing with overwhelming press coverage.

A Rich Target
More than 50 acquisitions since 1997 made ChoicePoint one of the richest depositories of American personal data. Social Security numbers, addresses, medical records, criminal rap sheets--you name it, chances are ChoicePoint had it stored in its databases. Firms like ChoicePoint, Lexis-Nexis and others sell this data to clients doing background checks on job and loan applicants and conducting criminal investigations.

CISOs like ChoicePoint's Baich understand how hackers, organized crime groups and scam artists covet that data. They also understand that no security control or business process is perfect, and that there may be days like the one last October when ChoicePoint's fraud detection systems found an anomaly in its public records group. Someone had figured out a way to beat the company's credential verification process and was setting up phony accounts to pilfer thousands of records.

This is the moment when the bottom drops out of a CISO's stomach--and it's worse for those who don't have a thorough and tested incident response plan in place.

"CISOs have to have a plan and make sure all aspects work," says Patrick Gray, director of X-Force operations for Internet Security Systems (ISS). "[During a crisis] isn't the time to create one. When an incident breaks, it's already too late."