ChoicePoint -- What We Learned from Our Screw-up

xpangler points out an article in Baseline magazine in which "ChoicePoint's lead privacy & compliance executives talks about the 'more than 30' new practices and procedures the company has put in place since it mistakenly sold private data on 163,000 people to Nigerian criminals last year."

Lesson 1

[OakDragon]

Never trust anyone who says things like "Greetings!" and "Honorable", and who CAPITALIZES in very ODD places.

Mental translation

[finkployd]

Perhaps I am too cynical, but when I see this:
Carol DiBattiste, ChoicePoint's chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach never happens again.

I cannot help but think they actually mean:
Carol DiBattiste, ChoicePoint's chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach is never made public again.

Really, the ONLY consequence a company like this suffers from a breach is negative publicity and maybe a token fine. Even bad publicity is not really a problem for them since the people they hurt have no say in whether or not to do business with them.

When that is the case, I'll bet it much easier to clamp down on leaks and not reveal breaches to the public/government than prevent them.

Finkployd

Re:Mental translation

[aztec+rain+god]

Isn't the real lesson from that whole debacle that Choicepoint has no business handling my personal information? It seems to me like if they really were to 'get it', they would find a different line of work to be in, and perhaps do some form of good for humanity. In my mind, the real transgression going on wasn't the 160,000- odd cases of Nigerians getting their hands on the personal data, its the unknown number of 'legitimate' transactions.

I think you've hit a good point, that people have no say as to what is done with their info. There really needs to be a mechanism, or a form or something where I can tell Choicepoint to delete any records having to do with me.

Now they need to do quality control

[meburke]

ChoicePoint is an aggregator. As much as 20% of their data could be inaccurate. Employers (for instance) make decisions based on ChoicePoint data, even though ChoicePoint "suggests" that they independently verify the accuracy of any negative reports. (Of course, it may work the other way also: 20% inaccuracy suggests that ChoicePoint will give subscribers false positive data, too.) Is this important? Well, Baseline Magazine wrote a nice article on this last year, http://www.baselinemag.com/article2/0,1540,1825320 ,00.asp
http://www.baselinemag.com/article2/0,1540,1825287 ,00.asp
and I was really impressed with the fact that a Home Depot employee spent a week in jail for crimes he did not commit.

Security is only half of it; Accuracy is the other half.

Pop quiz

[Rob+T+Firefly]

It's enhanced user ID and password protections--if employees forget their passwords, they must take a five-question quiz (example: "What year was your Social Security number issued?") to reset it; if they fail that, they must pass a 15-question quiz with a systems administrator.

I'm sure that makes everyone feel better and inspires lots of Holy Grail "What... is your favorite color?" gags, but as long as the info exists in records for someone to verify, it's open to being copied and used by the wrong people.