ChoicePoint -- What We Learned from Our Screw-up

xpangler points out an article in Baseline magazine in which "ChoicePoint's lead privacy & compliance executives talks about the 'more than 30' new practices and procedures the company has put in place since it mistakenly sold private data on 163,000 people to Nigerian criminals last year."

Mental translation

[finkployd]

Perhaps I am too cynical, but when I see this:
Carol DiBattiste, ChoicePoint's chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach never happens again.

I cannot help but think they actually mean:
Carol DiBattiste, ChoicePoint's chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach is never made public again.

Really, the ONLY consequence a company like this suffers from a breach is negative publicity and maybe a token fine. Even bad publicity is not really a problem for them since the people they hurt have no say in whether or not to do business with them.

When that is the case, I'll bet it much easier to clamp down on leaks and not reveal breaches to the public/government than prevent them.

Finkployd

Re:Mental translation

[aztec+rain+god]

Isn't the real lesson from that whole debacle that Choicepoint has no business handling my personal information? It seems to me like if they really were to 'get it', they would find a different line of work to be in, and perhaps do some form of good for humanity. In my mind, the real transgression going on wasn't the 160,000- odd cases of Nigerians getting their hands on the personal data, its the unknown number of 'legitimate' transactions.

I think you've hit a good point, that people have no say as to what is done with their info. There really needs to be a mechanism, or a form or something where I can tell Choicepoint to delete any records having to do with me.

Re:Mental translation

[finkployd]

What repercussions? Did they lose business? Sure they got hit with a 10 million dollar fine but look at their financial statements, that is barely a drop in the bucket for them.

Honestly, companies are losing hundreds of thousands of records containing personal data every week, THERE ARE NO REPERCUSSIONS! They say oops, a couple of blogs report it, and life goes on for them. Sure some people get royally screwed but those people cannot trace it back to the company that had the breach. Heck, the government is losing data on its employees and military people, do you really think they are in any position to punish anyone for it? They don't even try anymore.

Finkployd

Re:Mental translation

[finkployd]

ChoicePoint isn't the only game in town, even in their specialized arena (they're a spinoff of Equifax). If they get a bad reputation for poor security then companies will stop doing business with them and start doing business with a competitor.

But why? How does their inability to protect data really hurt their customers one bit? What would the motivation be in dropping them because they didn't secure data very well?

And, contrary to many people, I do think these companies serve a valuable purpose. We would not have nearly the level of easily available credit in the US if it wasn't for them. And easily available credit leads to more home ownership, more small business startups, and numerous other advantages.

Without them you might have to wait a few days, or even weeks to get a line of credit. This is not a bad thing, in fact I would venture to guess there would be fewer problems if people DID have to wait for lines of credit. I just bought a house, the process is not lightening fast and you do not need instant credit to do it. And if someone is starting up a business on instant credit then they are not probably not thinking things through or planning very well.

Sure, it leads to some people drowning in credit debt as well, but that's due to irresponsibility on the part of both the person and the creditor -- in fact, accurate credit data is more likely to help avoid this problem than increase it.

Choicepoint has some major accuracy issues as well, so they are probably not helping there. In one notable case (referenced elsewhere in the comments) one person spent a week in jail due to Choicepoint's inaccurate data. I would venture to guess than since they are perceived as accurate, they actually make the situation WORSE by not being accurate. Kind of like how bad security is often worse than no security.

The issue is that consumers have little to no control over the data at this point -- you're only allowed to place a credit freeze in a handful of states (and the "warning" that you can place on your report is universally ignored). There's insufficient protections against inaccurate data. And getting access to your own report is still overly difficult (although it's improved greatly in the last year, now that everyone can get a free copy every year (twice a year in Georgia)).

What sickens me is that while protections are available, you have to pay for them. Not only do you have to pay for them, but you have to pay the people who are irresponsible with your data to begin with, thus necessitating the need for the protections. If that does not sound like a mob style protection racket, I don't know what does.

Finkployd

Pop quiz

[Rob+T+Firefly]

It's enhanced user ID and password protections--if employees forget their passwords, they must take a five-question quiz (example: "What year was your Social Security number issued?") to reset it; if they fail that, they must pass a 15-question quiz with a systems administrator.

I'm sure that makes everyone feel better and inspires lots of Holy Grail "What... is your favorite color?" gags, but as long as the info exists in records for someone to verify, it's open to being copied and used by the wrong people.

Re:Lesson 1

[soren42]

Well, there should be, damnnit. It's no wonder the majority of posts of Slashdot go unmoderated.

What I learned from Their Screw-up

[PingXao]

Americans need an ammendment to their Constitution that guarantees them the Right To Privacy. Then, assumiung a Congress that actually follows the Constitution can be elected, in conjunction with the Right To Privacy there should be a law that prohibits the use or sale of my personal data without my prior consent. Better: it should be against the law to even collect and store that information in any database where the consumer - citizen, if you will - doesn't have the ability to "SQL DELETE FROM * WHERE NAME = ME".

Re:Turn off the spin

[Almost-Retired]

I'd say that the penalty was fair. It's not necessary to drive the company out of business - just necessary to give them a sting so that they don't do it again.

No, sorry, that doesn't cut it with this old fart. Until they are put out of business, and their database put in escrow for purposes of forensics traceing only, with it to be preserved on non-networked servers that it takes a federal court order to gain access to, such shennanigans will continue. While they're at it, I'd be in favor of the top floor executives haveing a hand amputated in the grand old arab justice manner. Maybe both hands for the President of such a company.

I frankly could care less about the collateral damages from putting many of such a companies rank & file people out of work, they knew full well the type of business they were working for. I cannot seriously seperate those people from all the 419 scammers in Nigeria. They're all birds of a feather. Put them out of business, mark them physicly for life and make it damned clear that this is what will happen to everyone that abuses the data they are in charge of. Then and only then will these leaches turn honest.

--
Cheers, Gene