Reparations to ChoicePoint's flawed customer credentialing processes--and, more importantly, its reputation--were...
well under way in January when along came the Federal Trade Commission with a $15 million reminder that life for the data collector will never be the same.
Survival and recovery may forever be relative terms for ChoicePoint, whose infamous data breach, reported in February 2005, led to its FTC fine. Ironically, the penalty was levied the same day ChoicePoint reported record revenues of $1.1 billion for 2005, a "milestone year" according to CEO Derek V. Smith.
It may be a cold day in Hades before Smith hears any adulation for those numbers. The breach, which exposed more than 160,000 people to identity theft, has led to at least 800 confirmed cases and unprecedented scrutiny.
This is the environment in which Carol DiBattiste operates. Hired shortly after the breach was made public, the former deputy administrator and chief of staff at the Transportation Security Administration leads an independent office that reports to the ChoicePoint board of directors' privacy committee. Her mission is to clean up the means by which ChoicePoint credentials its customers, align security and privacy within the company's four walls, and concentrate on implementing a steady stream of checks and balances to ensure a breach like the one that started 2005's firestorm never happens again.
"I stay up at night thinking about how to beat bad guys from getting our data, and making sure the people who access our data are who they say are," DiBattiste says.
Olatunji Oluwatosin, a 41-year-old Nigerian national living in California, exploited those weaknesses. He posed as legitimate enterprises to set up more than 50 bogus accounts and gain access to ChoicePoint's trove of personal data, including names, addresses and Social Security numbers. He was arrested in February 2005, and was later sentenced to 10 years in prison and ordered to pay $6.5 million in restitution.
DiBattiste's first priority was to shore up the lax vetting of customers. She and her team immersed themselves in each of ChoicePoint's business units to learn their security and privacy processes and procedures in an attempt to marry the two disciplines. She hired consultants from Ernst & Young's privacy team to introduce industry best practices to ChoicePoint and tailor them around its business model. Each of these activities came under the umbrella of a new risk mitigation model, which was the focus of more than 50 outreach events internally and externally that DiBattiste coordinated before the end of 2005.
"Customers are thrilled because it's a business imperative for us," she says.
Credentialing procedures for new customers were ramped up, starting with the hiring of more than 40 individuals dedicated to checking customers and verifying who they are, the legitimacy of the companies they represent and whether they are, in fact, agents of the company. Existing customers will also be recredentialed, an exercise DiBattiste expects to continue through August.
Checklists vet customer identities through various sources, including bank references. Site visits are mandated for customers seeking access to the most sensitive ChoicePoint information stores. A quality control board then reviews the credentialing teams to ensure no human error was introduced during the vetting process and that each of the multiple verifications was done properly.
"There are certain things on our checklist that, if you don't pass, it's a hard fail and you're not going to be one of our customers," DiBattiste says. "I think our credentialing process is one of the best out there. It goes through a lot of checking of who you say you are, and whether you are going to use data in a manner that is permissible under law."
ChoicePoint customers can also expect periodic audits of their account activities-- some scheduled, some without notice. Hun-dreds of accounts have already been cut off because of suspicious behavior, DiBattiste says.
Customer privacy training is also a priority for 2006, in addition to mandatory online privacy training for employees.
"We want to get customers aware of what their obligations are with the data," DiBattiste says. "That's a heavy lift. All of this is key to our risk mitigation model. With this combination of site visits and rigorous checklists, we hope to keep another incident from happening."
This article originally appears in the April 2006 issue of Information Security magazine. Be sure to vote in SearchSecurity.com's mini-poll for the top security survivor in this series.