Chapter 4. Managing DRAMA

Thirty-five thousand strange and unexpected letters silently landed in mailboxes across California in February 2005. Like the first signs of an oil spill washing up on shore, the messages were a quiet harbinger of a massive crisis that was about to bubble up.

Sixty-one-year-old California resident Mary Chapman opened the letter. It was from a company she had never even heard of before: ChoicePoint, Inc. The letter read:

I’m writing to inform you of a recent crime committed against ChoicePoint that MAY have resulted in your name, address, and Social Security number being viewed by businesses that are not allowed access to such information. We have reason to believe your personal information may have been obtained by unauthorized third parties, and we deeply regret any inconvenience this event may cause you.

. . . We believe that several individuals, posing as legitimate business customers, recently committed fraud by claiming to have a lawful purpose for accessing information about individuals, when in fact, they did not.1

1. “ChoicePoint’s Letter to Consumers Whose Information Was Compromised,” CSO, May 1, 2005, http://www.csoonline.com/article/2118059/data-protection/choicepoint-s-letter-to-consumers-whose-information-was-compromised.html.

Chapman was furious—and not just because of the fraud. “I’m angry that a company is out there selling my personal information for monetary gain. Yes, I’m angry. I’m very angry,” said Chapman.2

2. Sarah D. Scalet, “The Five Most Shocking Things About the ChoicePoint Data Security Breach,” CSO, May 1, 2005, https://www.csoonline.com/article/2118134/compliance/the-five-most-shocking-things-about-the-choicepoint-data-security-breach.html.

She was not alone. What was ChoicePoint, and why was it selling people’s personal information? At the time, ChoicePoint was the nation’s leading provider of background checks—but because its customers were businesses and governments, few consumers had heard of the company. “Although not a household name, it maintains what it claims is the largest collection of court records, addresses and other public data on people in the country—some 19 billion records in all.”3 The company was spun off from Equifax in 1997, reportedly in part to enable it to sell data without being subject to the regulation of a financial services firm.4

3. Joseph Menn, “Fraud Ring Taps Into Credit Data,” Los Angeles Times, February 16, 2005, http://articles.latimes.com/2005/feb/16/business/fi-hacker16.

4. Paul N. Otto, Annie I. Antón, David L. Baumer, “The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information,” North Carolina State University Technical Reports, TR-2005-18, p. 2, https://repository.lib.ncsu.edu/bitstream/handle/1840.4/922/TR-2006-18.pdf?sequence=1&isAllowed=y (accessed May 14, 2019).

“Even though you might not have heard of ChoicePoint, they’ve heard of you,” said Daniel Solove, a professor at George Washington University, after the theft was announced. “They are playing a role in . . . people’s lives whether they know it or not.”5

5. Bob Sullivan, “Database Giant Gives Access to Fake Firms,” NBC News, February 14, 2005, http://www.nbcnews.com/id/6969799/print/1/displaymode/1098.

The notification letters sparked a massive national investigation and public response. By the time the crisis was resolved:

  • 163,000 consumers were notified that their personal details had been sold to criminals.

  • At least 800 cases of identity theft resulted from the breach, according to the FTC.

  • ChoicePoint paid $10 million to settle a class-action lawsuit by consumers.

  • The Federal Trade Commission (FTC) fined ChoicePoint $15 million (consisting of a $10 million fine and a $5 million fund to help consumers). At the time, this was “the largest civil penalty over data security in the agency’s history.”6

    6. Bob Sullivan, “ChoicePoint to Pay $15 Million over Data Breach,” NBC News, January 26, 2006, http://www.nbcnews.com/id/11030692/ns/technology_and_science-security/t/choicepoint-pay-million-over-data-breach/.

  • Forty-four attorneys general formed a coalition and sued the company in a case that dragged on for years (ultimately the parties settled for $500,000 and an agreement that ChoicePoint would implement better security for all consumer records, not just those protected under the Fair Credit Reporting Act).

  • ChoicePoint was subjected to a consent decree requiring it to implement stronger security measures for protecting consumer data under the Fair Credit Reporting Act and undergo regular third-party security audits until 2026.

  • ChoicePoint voluntarily announced that it would limit its sales of sensitive consumer information.7

    7. “ChoicePoint Stops Selling ‘Sensitive Consumer Data,’ Confirms SEC Investigation,” Chief Marketer, March 6, 2005, http://www.chiefmarketer.com/choicepoint-stops-selling-sensitive-consumer-data-confirms-sec-investigation.

  • ChoicePoint purchased credit reports and one year of credit monitoring for affected consumers (after significant public outcry).

  • The Securities and Exchange Commission (SEC) conducted a three-year investigation into ChoicePoint executives’ sale of company stock shortly before the breach was announced.8

    8. “ChoicePoint Stops Selling.”

  • ChoicePoint’s chief executive officer (CEO) and chief operating officer (COO) were grilled by Congress.

  • Twenty-two states enacted data breach notification laws before the end of the year, with more to follow in subsequent years.

  • ChoicePoint was widely labeled the “poster child for data-loss incidents,”9 a title that it owned for years until the 2007 TJ Maxx and later 2013 Target breaches overshadowed it.

    9. Dan Kaplan, “ChoicePoint Settles Lawsuit over 2005 Breach,” SC Media US, January 28, 2008, https://www.scmagazine.com/choicepoint-settles-lawsuit-over-2005-breach/article/554149.

Why did the ChoicePoint breach, in particular, generate such an intense public reaction? The answer lies in ChoicePoint’s response to the breach, particularly in the early phases. From the outside—media reports, congressional testimony, FTC and SEC investigations—ChoicePoint leadership appeared incompetent at best and downright criminal at worst. (This is not to say they were, but appearances matter.) Inside, there is evidence that the organization was staffed by people who were intelligent, well meaning, and caring—yet woefully unprepared for the crisis.

In this chapter, we will analyze the ChoicePoint crisis in the context of Steven Fink’s four phases: prodromal, acute, chronic, and resolution (see § 3.1.4). Traditionally, data breaches have been managed as incidents rather than crises, leading to response plans that get thrown aside when a real breach occurs.

Instead, we will introduce a new model for managing data breaches, based on the concept that a breach is a crisis. The result is a useful model that summarizes the overarching response goals at each phase:

  • Develop your data breach response function.

  • Realize that a potential data breach exists by recognizing the signs and escalating, investigating, and scoping the problem.

  • Act quickly, ethically, openly, and empathetically to minimize the impact of a breach.

  • Maintain data breach response efforts throughout the chronic phase, and potentially long-term.

  • Adapt proactively and wisely in response to a potential data breach.

All of these capabilities must exist simultaneously, although specific functions tend to be used more at certain phases of the data breach crisis.

The acronym for our data breach response model is “DRAMA,” which is easy to remember since it is designed to help us manage (and hopefully reduce) drama! Throughout this chapter, we will step through the ChoicePoint breach and tie each phase to our DRAMA response model.

4.1 The Birth of Data Breaches

There had been other breaches, bigger breaches, even around the same time period. “That same month, February, saw stories that had bigger numbers (Bank of America, 1.2 million names and Social Security numbers [SSNs]) and more sex appeal (T-Mobile, Paris Hilton) than the predictable details of the ChoicePoint case,” commented Sarah Scalet of CSO magazine. “Thousands of victims, compromised SSNs, an arrest on charges of identity theft. Yada yada yada. But somewhere along the way, the ChoicePoint saga became the spark that caused an explosion.”10

10. Scalet, “Five Most Shocking Things.”

ChoicePoint was arguably the first modern “megabreach”—not because of the volume or type of data that was exposed, but because of how the company responded.

4.1.1 Data Breaches: A New Concept Emerges

“I certainly wasn’t thinking of the words ‘cyber’ and ‘security’ at the time. Those words weren’t forefront on my mind.”

Attorney Chris Cwalina sat across the table from me, sipping sparkling water on a warm fall evening in Virginia. Chris was not just a veteran of the data breach industry; he was one of the first attorneys to help manage a modern data breach crisis. Chris had been hired by the general counsel of ChoicePoint shortly after the breach became public to act as ChoicePoint’s “quarterback,” helping to manage the ensuing litigation and investigations, together with a large team of experts.

Before the ChoicePoint case, data breaches didn’t exist, at least not as a concept defined by law separate from other types of accidents or security incidents. “I was thinking these were bad guys who fraudulently deceived the company into giving them valuable information,” recalled Chris. “This was like a theft, a successful theft.”

That changed on February 17, 2005, just days after the ChoicePoint “theft” was announced. The Los Angeles Times printed a landmark article quoting U.S. Senator Dianne Feinstein: “Data breaches are becoming all too common, and current federal law does not require notification to consumers.” It was possibly the first time that any legislator had been quoted in the mainstream media using the term “data breach.”11 Indeed, it was one of the first times that the term had ever been used at all in any publication, anywhere, save for a few isolated instances, typically used in headlines as a shortened version of “cardholder data breach.”12

11. Joseph Menn and David Colker, “More Victims in Scam Will Be Alerted,” Los Angeles Times, February 17, 2005, http://articles.latimes.com/2005/feb/17/business/fi-hacker17.

12. L. Kuykendall, “BJ’s Case Shows Issuers’ Data-Breach Cost Fatigue,” American Banker, August 26, 2004.

In the same article, Beth Givens, founder of the Privacy Rights Clearinghouse (PRC), stated: “A data breach affecting ChoicePoint is akin to the pot of gold at the end of the rainbow.” There it was again! The new term, “data breach,” went viral shortly thereafter, popping up in hundreds of publications over the coming months.

4.1.2 The Power of a Name

Once the concept was given a name, suddenly the public had the power to talk about the problem—and to track it. The PRC created its popular online database, “A Chronology of Data Breaches,” which lists all “reported data breaches from 2005 to present.”13 What most people don’t realize is that the database was originally named “A Chronology of Data Breaches Reported Since the ChoicePoint Incident.”14 A simple introduction on the website stated:

13. Chronology of Data Breaches: FAQs, Privacy Rights Clearinghouse, https://www.privacyrights.org/chronology-data-breaches-faq#is-chronology-exhaustive-list (accessed October 14, 2016).

14. A Chronology of Data Breaches Reported Since the ChoicePoint Incident, Privacy Rights Clearinghouse, April 20, 2005, http://web.archive.org/web/20050421104632/http://www.privacyrights.org/ar/ChronDataBreaches.htm.

The data breaches noted below have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver’s license numbers. The catalyst for reporting data breaches to the affected individuals has been the California law that requires notice of security breaches, the only state in the nation to have such a law at this time.

Yes! The ChoicePoint case literally inspired people to begin tracking this newly defined thing, the “data breach.” The PRC has since updated the database to include data breaches from January 1, 2005, onward.

Effectively, 2005 is “Year 0” for data breaches. In this book, we consider January 1, 2005, the beginning of “data breaches” as an event tracked distinctively from other cybersecurity-related incidents.

4.2 A Smoldering Crisis

Crisis management experts often talk about two kinds of crises: sudden and smoldering. Sudden crises are what they sound like: “unexpected events in which the organization has virtually no control and perceived limited fault or responsibility.” The Tylenol product tampering case from 1982 is a good example of a sudden crisis, in which no one reasonably foresaw that a murderer would insert poison into packages of painkillers. Johnson & Johnson emerged from the crisis with the reputation of a good corporate citizen that took quick action when a murderer struck.

The ChoicePoint breach, on the other hand, is an example of a smoldering crisis. These start out as “small, internal problems within a firm, become public to stakeholders, and, over time, escalate to crisis status as a result of inattention by management.” Smoldering crises “are generally perceived as the responsibility and fault of a firm’s leadership.”15

15. Erica H. James and Lynn P. Wooten, “Leadership in Turbulent Times: Competencies for Thriving Amidst Crisis,” (Working Paper No. 04-04, Darden Graduate School of Business Administration, University of Virginia, 2004), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=555966.

For more than two years, criminals used stolen identities to acquire fake business licenses and then faxed their applications to ChoicePoint from Kinko’s stores and similar locations. Since the stolen identities had no criminal backgrounds, the scammers sailed through ChoicePoint’s own application background check process. Researchers later reported that once a ChoicePoint customer received account credentials, “that individual or business enjoyed largely unsupervised and unfettered access to the wealth of information inside ChoicePoint’s databases. The major hurdle appears to have been the initial identity verification, which was easily bypassed using stolen identities.”16 Identity theft led to more identity theft.

16. Otto, Antón, and Baumer, “ChoicePoint Dilemma,” 2.

In this section, we will discuss how the emerging crime of identity theft, ChoicePoint’s own rush to accumulate personal information, and the increasing use of data as “access devices” laid the groundwork for what would soon become ChoicePoint’s crisis.

4.2.1 The Identity Theft Scare

At the time the ChoicePoint breach occurred, Americans were already reeling from the growing epidemic of “identity theft,” bombarded with nightmarish stories of people like Michael Berry, an average citizen who found himself wanted for murder because a criminal had created a fake driver’s license in his name.17 A New York Times story highlighted another example, that of Brent James of Arizona, who suddenly began receiving calls from a collections agency harassing him about defaulted loans he had never taken out. James discovered that “someone had entered into two cellphone contracts and bought a car in his name. And though Mr. James and his wife have owned a home since 2000, he also has ‘multiple personal judgments against [him]’ by landlords suing over a broken lease.”18

17. Center for Investigative Reporting (CIR), “Identity Crisis,” CIR Online, August 9, 2003, https://web.archive.org/web/20150526053835/http://cironline.org/reports/identity-crisis-2085.

18. Gary Rivlin, “Purloined Lives,” New York Times, March 17, 2005, http://www.nytimes.com/2005/03/17/business/purloined-lives.html?%20r=0.

The Washington Post reported that the ChoicePoint breach “comes at a time when identity fraud and theft are on the rise, with as many as 10 million Americans a year falling victim to criminals who charge goods in their names or empty their bank accounts.”19 According to the FTC, in 2005 identity theft was the top consumer concern for the sixth year in a row.20

19. Robert O’Harrow Jr., “ID Data Conned from Firm: ChoicePoint Case Points to Huge Fraud,” Washington Post, February 17, 2005, http://www.washingtonpost.com/wp-dyn/articles/A30897-2005Feb16.html.

20. Otto, Antón, and Baumer, “ChoicePoint Dilemma,” 2.

4.2.2 The Product Is . . . You

At the same time, entrepreneurs were beginning to recognize the massive potential value of personal information within the “legitimate” economy. As ChoicePoint had, companies could sell personal information to creditors, insurance companies, employers, and the federal government.

The Wall Street Journal reported that ChoicePoint and its peers allowed federal agencies to do an “end run” around the domestic privacy protections of the 1974 U.S. Privacy Act. “ChoicePoint and its rivals specialize in doing what the law discourages the government from doing on its own—culling, sorting and packaging data on individuals from scores of sources, including credit bureaus, marketers and regulatory agencies.”21

21. Glenn R. Simpson, “FBI’s Reliance on the Private Sector Has Raised Some Privacy Concerns,” Wall Street Journal, April 13, 2001, http://www.wsj.com/articles/SB987107477135398077.

4.2.3 Valuable Snippets of Data

ChoicePoint accumulated personal information because it was useful for many kinds of business purposes: employee background checks, customer credit verification, and more. What made this so dangerous was that, at the same time, those same little snippets of personal information (names, SSNs, phone numbers, and so on) were increasingly being used as keys that unlock accounts and other valuable assets.

In the United States, the SSN is a prime example: a simple nine-digit number that has been used far beyond its original design purpose. According to the Social Security Administration:22

22. Carolyn Puckett, “The Story of the Social Security Number,” Social Security Bulletin 69, no. 2 (2009), https://www.ssa.gov/policy/docs/ssb/v69n2/v69n2p55.html.

The Social Security number (SSN) was created in 1936 for the sole purpose of tracking the earnings histories of U.S. workers, for use in determining Social Security benefit entitlement and computing benefit levels. Since then, use of the SSN has expanded substantially. Today the SSN may be the most commonly used numbering system in the United States. As of December 2008, the Social Security Administration (SSA) had issued over 450 million original SSNs, and nearly every legal resident of the United States had one. The SSN’s very universality has led to its adoption throughout government and the private sector as a chief means of identifying and gathering information about an individual.

Today, U.S. citizens use SSNs to:

  • Gain access to bank accounts over the phone

  • Get approved for a credit card

  • Obtain a tax refund

  • Gain access to medical records

  • Verify identity and gain access to a wide variety of sensitive information and accounts

Criminals can use stolen SSNs for much the same purposes. “Together with other basic information, like name and date of birth, the Social Security number is a passport to a person’s identity,” wrote Bloomberg columnist Suzanne Woolley in 2017.23

23. Suzanne Woolley, “Your Social Security Number Now Looks Like a Time Bomb. It Is,” Bloomberg, June 1, 2017, https://www.bloomberg.com/news/articles/2017-06-01/identity-theft-feeds-on-social-security-numbers-run-amok.

4.2.4 Knowledge-Based Authentication

What makes the SSN so powerful? The SSN is often used, either implicitly or explicitly, to authenticate a person. Authenticate means to verify a person’s identity.

Cybersecurity professionals like to say that you can authenticate a person in one of three ways, using:

  1. Something you know, such as a password or confidential personal information

  2. Something you have, such as a driver’s license or a hardware token (the physical license, that is; its number, once written down, is merely something you know)

  3. Something you are, such as your fingerprint or iris pattern

(There are other methods, such as somewhere you are or something you can do, but the three methods above are by far the most common.)

When I call my bank and the receptionist asks for my name and SSN, she authenticates me, or verifies my identity, using that special piece of data—an example of type 1 authentication (something you know), also known as knowledge-based authentication. The weakness is that this “secret” is only as secret as the least careful of the many organizations that hold it: once an employer, lender, or data broker exposes the number, the bank has no way to tell the account holder from a thief who now knows the same nine digits, and the account holder cannot simply pick a new one.

4.2.5 Access Devices

Your SSN, of course, is hardly the only example of a sensitive piece of data that is used to access valuable assets. Payment card information, driver’s license numbers, and even passwords are used similarly. This concept is reflected in U.S. law, which defines the general term “access device” (18 U.S.C. §1029(e)(1)).

[T]he term “access device” is used in the statute and is defined broadly as any “card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds. . . .” The only limitation, i.e., “other than a transfer originated solely by paper instrument,” excludes activities such as passing forged checks.24

24. U.S. Department of Justice, “1030. Definitions,” Criminal Resource Manual, https://www.justice.gov/usam/criminal-resource-manual-1030-definitions (accessed January 8, 2018).

Your SSN has great potential: You can use it to gain access to your bank account or your medical records, to get approved for a credit card, to obtain your tax refund. By nature, any data classified as an “access device” has this potential utility and is therefore a valuable asset. And where there are valuable assets, there is crime.

4.3 Prodromal Phase

The ChoicePoint breach unfolded slowly over a long period. Along the way there were many signs, large and small, that could have alerted ChoicePoint staff that something was amiss, but in hindsight it is clear that the organization simply did not have processes in place to recognize, escalate, and investigate suspicious activity. What’s more, ChoicePoint’s information control practices had major gaps that management did not notice.

In this section, we will step through the prodromal phase of the ChoicePoint crisis and highlight ways that ChoicePoint could have caught the crisis before it exploded into the acute phase.

4.3.1 The Smoldering Crisis Begins . . .

Criminals began setting up fraudulent customer accounts as early as September 2003, well over a year before management became aware of them. Were the fraudsters extremely sophisticated or stealthy? No. According to a subsequent FTC complaint, ChoicePoint didn’t detect the fraudulent applications “because it had not implemented reasonable procedures to verify or authenticate the identities and qualifications of prospective subscribers.”31

31. United States v. ChoicePoint Inc., CA No. 1:06-CV-0198 (N.D. Ga. 2006), https://www.ftc.gov/sites/default/files/documents/cases/2006/01/0523069complaint.pdf.

The FTC provided specific examples of ChoicePoint’s failure to detect and report suspicious activity, such as:32

32. United States v. ChoicePoint, CA No. 1:06-CV-0198, at 5–6.

. . . b. ChoicePoint accepted for verification purposes documentation that included facially contradictory information, such as different business addresses on federal tax identification documents and utility statements, without conducting further inquiry to resolve the contradiction;

c. ChoicePoint accepted other forms of facially contradictory or illogical application information, such as articles of incorporation that reflected that the business was suspended or inactive, and tax registration materials that showed that the business’ registration was cancelled a few days prior to the date the application was submitted to ChoicePoint. . . ;

. . . e. ChoicePoint approved, without further inquiry, the applications of subscribers notwithstanding the fact that the applicant left critical information, such as business license number, contact information, or applicant’s last name, blank on the application;

f. ChoicePoint accepted applications transmitted by facsimile from public commercial locations, and accepted multiple applications for putatively separate businesses from the same facsimile numbers . . . ;

g. ChoicePoint accepted and approved, without further inquiry, the applications of subscribers notwithstanding the fact that ChoicePoint’s own internal reports on the applicant linked him or her to possible fraud associated with the Social Security number of another individual.

Each of these examples includes a prodrome, a warning sign that, if recognized, could have allowed the company to avert the acute phase of the crisis. Indeed, one of the most shocking things about the ChoicePoint breach is that it was not a single event but many individual frauds, repeated over a period of years, with no response from the company.
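The FTC’s list reads like a rule set, and the kind of intake screening it implies can be made concrete. The Python below is an added example, not ChoicePoint’s software or anything drawn from the complaint: it encodes items (b), (c), (e), (f) and (g) above as checks over a handful of constructed subscriber applications, flags the ones that trip a rule, and routes anything showing a pattern across applicants (a shared fax number, an internal fraud linkage) for escalation rather than leaving it with the intake clerk. The record fields, the 30-day “recent change” window, the sample records and the routing policy are all assumptions.

```python
# Added example: intake screening rules modelled on the FTC complaint's list of
# accepted warning signs. Field names, thresholds and sample data are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

RECENT_DAYS = 30  # assumption: a status change within 30 days of filing counts as "recent"


@dataclass
class Application:
    app_id: str
    business_name: str
    applicant_last_name: str
    business_license_number: str
    contact_phone: str
    tax_doc_address: str                  # address on federal tax ID documents
    utility_doc_address: str              # address on the utility statement supplied
    registration_status: str              # "active", "suspended", "inactive", "cancelled"
    registration_changed: Optional[date]  # when the status last changed, if known
    submitted: date
    fax_number: str
    fax_origin: str                       # "business", "public_commercial", "unknown"
    internal_fraud_flag: bool             # own reports tie applicant's SSN to someone else's fraud


REQUIRED_FIELDS = ("business_license_number", "contact_phone", "applicant_last_name")


def normalize(addr: str) -> str:
    """Case- and punctuation-insensitive key for comparing addresses."""
    return " ".join(addr.lower().replace(",", " ").replace(".", " ").split())


def screen(apps):
    """Return {app_id: [flags]} for every application that trips at least one rule.
    Letters refer to the items of the FTC complaint quoted above."""
    businesses_per_fax = defaultdict(set)
    for a in apps:
        businesses_per_fax[a.fax_number].add(a.business_name)

    findings = {}
    for a in apps:
        flags = []
        # (b) contradictory business addresses across supporting documents
        if normalize(a.tax_doc_address) != normalize(a.utility_doc_address):
            flags.append("address_mismatch")
        # (c) registration suspended/inactive/cancelled, possibly changed just before filing
        if a.registration_status != "active":
            flags.append(f"registration_{a.registration_status}")
            if (a.registration_changed is not None
                    and 0 <= (a.submitted - a.registration_changed).days <= RECENT_DAYS):
                flags.append("registration_changed_shortly_before_filing")
        # (e) critical fields left blank
        for name in REQUIRED_FIELDS:
            if not getattr(a, name).strip():
                flags.append(f"blank_{name}")
        # (f) fax from a public commercial location; one fax number serving several "businesses"
        if a.fax_origin == "public_commercial":
            flags.append("fax_from_public_location")
        if len(businesses_per_fax[a.fax_number]) > 1:
            flags.append("fax_number_shared")
        # (g) the company's own reports already link the applicant to possible fraud
        if a.internal_fraud_flag:
            flags.append("internal_fraud_link")
        if flags:
            findings[a.app_id] = flags
    return findings


# Patterns that span applicants cannot be judged by whoever handles a single form.
ESCALATE_ON = {"internal_fraud_link", "fax_number_shared"}


def decision(flags):
    """Route: clean applications proceed, flagged ones stop for a human,
    cross-applicant patterns go beyond the intake team."""
    if not flags:
        return "approve"
    if ESCALATE_ON.intersection(flags):
        return "escalate"
    return "hold_for_review"


# Constructed sample applications; not real applicants or ChoicePoint records.
SAMPLE_APPS = [
    Application("APP-001", "Northwind Staffing Inc", "Rivera", "BL-44871", "555-0100",
                "120 Main St, Fresno, CA", "120 Main St., Fresno, CA", "active", None,
                date(2004, 9, 10), "555-0199", "business", False),
    Application("APP-002", "Acme Recovery LLC", "Garrison", "BL-10234", "555-0142",
                "77 Harbor Rd, Long Beach, CA", "9 Elm Ave, Glendale, CA", "active", None,
                date(2004, 9, 12), "555-0777", "public_commercial", False),
    Application("APP-003", "Bayside Receivables", "", "BL-10235", "555-0143",
                "210 Ocean Blvd, Long Beach, CA", "210 Ocean Blvd, Long Beach, CA", "active", None,
                date(2004, 9, 13), "555-0777", "public_commercial", False),
    Application("APP-004", "Pacific Verifications", "Okoro", "BL-55012", "555-0160",
                "5 Pine St, Sacramento, CA", "5 Pine St, Sacramento, CA", "cancelled",
                date(2004, 9, 16), date(2004, 9, 20), "555-0160", "business", True),
]

if __name__ == "__main__":
    for app_id, flags in screen(SAMPLE_APPS).items():
        print(app_id, decision(flags), flags)
```

Run stand-alone, it prints the three flagged applications with their routing; the clean one never appears. The shared-fax rule is the instructive one: no single application reveals it, so the check only works when intake records are evaluated together, which is exactly the cross-organizational visibility the rest of this chapter argues for.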

4.3.2 Isn’t It Ironic?

Despite the growing concern about identity theft and fraud, ChoicePoint didn’t seem to treat its massive database of sensitive consumer data like hazardous material that needed careful control. After the breach was announced, the news ran story after story with examples of ChoicePoint’s lax information control practices. The Wall Street Journal reported, “[O]ne could even buy ChoicePoint background-check kits at Sam’s Club for $39.99, though ChoicePoint says it required buyers to prove valid business purposes for using them.”33

33. Evan Perez and Rick Brooks, “For Big Vendor of Personal Data, a Theft Lays Bare the Downside,” Wall Street Journal, May 2, 2005, https://www.wsj.com/articles/SB111507095616722555.

Unfortunately, ChoicePoint itself did not appear to make smart decisions about approving customer applications. This was all the more damning because, according to ChoicePoint’s chairman and CEO, Derek V. Smith, “ChoicePoint’s core competency [was] verifying and authenticating individuals and their credentials.”34 During his tenure as CEO of ChoicePoint, Smith authored two books about information security and risk. When the company was spun out from Equifax in 1997, it “took the name of ChoicePoint, signaling that it would help clients make smart decisions when they reach a ‘choice point.’”35

34. Bruce Schneier, “ChoicePoint,” Schneier on Security (blog), February 23, 2005, https://www.schneier.com/blog/archives/2005/02/choicepoint.html.

35. Evan Perez and Rick Brooks, “For ChoicePoint, a Theft Lays Bare the Downside,” Pittsburgh Post-Gazette, May 3, 2005, http://www.post-gazette.com/business/businessnews/2005/05/03/For-ChoicePoint-a-theft-lays-bare-the-downside/stories/200505030214.

The irony was not lost on the media, which raked ChoicePoint over the coals for it. “ChoicePoint has just thrust itself into the nation’s consciousness as a conglomerate hoist by its own petard,” wrote the New York Times. “The outfit that sells the ability to anticipate suspicious activity; that provides security to the nation’s security services; that claims it protects people from identity theft—has been easily penetrated by a gang that stole its dossiers on at least 145,000 people across the country.”36

36. William Safire, “Goodbye to Privacy,” New York Times, April 10, 2005, https://www.nytimes.com/2005/04/10/books/review/goodbye-to-privacy.html.

4.3.3 A Suspicious Phone Call

ChoicePoint, as an organization, only began to realize there was a serious problem in September 2004, when a staff member received a suspicious phone call. The Wall Street Journal later reported:37

37. Perez and Brooks, “For Big Vendor.”

The company said a caller with a distinctive foreign accent, identifying himself as James Garrett of MBS Collections, applied for an account that would give him access to ChoicePoint data. In another phone call, what sounded like the same man identified himself as John Galloway of Gallo Financial, also applying for an account. Faxed driver’s licenses for both applicants arrived, with photos that, like the voices, seemed identical.

ChoicePoint staff alerted the Los Angeles sheriff’s department, which immediately opened an investigation. “When ‘James Garrett’ called again, the firm, at a detective’s instruction, told him to go to a Copymat store on Sunset Boulevard to pick up a fax. There, investigators confronted a man named Olatunji Oluwatosin. He dropped to the ground ChoicePoint applications that bore both the MBS and Gallo business names.”38 Oluwatosin was arrested. A Nigerian citizen, he ultimately pled no contest to identity theft and was sentenced to 16 months in prison. Later, investigators determined that Oluwatosin was part of a larger identity theft crime ring, which sold stolen identities on the black market for “$2,000 to $7,000 each.”39

38. Perez and Brooks, “For Big Vendor.”

39. Perez and Brooks, “For Big Vendor.”

Evidence gathered from Oluwatosin’s apartment indicated that he had been regularly accessing ChoicePoint’s databases for an extended period without sending up any red flags. “On Mr. Oluwatosin’s kitchen counter, detectives found printouts from ChoicePoint databases, showing that ChoicePoint accounts had been used to make 17,000 searches,” according to an L.A. sheriff’s detective.40

40. Perez and Brooks, “For Big Vendor.”

A Wall Street Journal reporter was apparently able to review the customer applications dropped by Oluwatosin on the day of his arrest. “The applications . . . suggest how much ChoicePoint depended on the honor system in deciding whom to let see its trove of personal information. A one-page form asked the applicant for basic data such as phone and fax numbers, a business-license number and an email address. In a field asking for the proposed business use for the databases, ‘James Garrett’ and ‘John Galloway’ wrote, ‘We use the services for collecting debt.’”41

41. Perez and Brooks, “For Big Vendor.”

4.3.4 Hiding in Plain Sight

A data breach can affect the organization as a whole, right down to the very valuation of an entire company. Therefore, it’s not enough for a small group of people within one or two departments to detect and analyze the event. An individual team siloed in a single department may not have the visibility to independently assess the potential risk to the organization as a whole or the reach to take the cross-organizational actions necessary to respond appropriately.

Organizations need to have a process in which first responders recognize an event as a potential data breach and escalate it to the appropriate decision makers for further guidance. Then, appropriate personnel need to investigate and gather input from potentially many areas of the organization—such as IT, compliance, legal, public relations—and evaluate it all together in order to understand the scope of the problem and determine the best next steps for the organization.

This process—recognition, escalation, investigation, and scoping—is all part of a larger phase of the incident response process in which the organization realizes that the data breach exists. According to the Oxford English Dictionary, “realize” means “to become fully aware of (something) as a fact; understand clearly.” The different activities (recognition, escalation, investigation, and scoping) tend to overlap, and multiple activities occur simultaneously.

Realizing that a potential data breach exists and working to understand it as clearly as possible require cross-organizational efforts, typically conducted with input at all levels from first responders to the executive team (and nowadays, even the board of directors).

4.3.5 Recognize

According to a former ChoicePoint executive, Mimi Bright Ribotsky, ChoicePoint staff often talked about how difficult it was to verify the legitimacy of customers, but did not fully appreciate the potential impact of the problem. “I didn’t think people realized what could happen as far as information getting into the wrong hands,” she said.42

42. Perez and Brooks, “For Big Vendor.”

Therein lies much of the issue: Often, front-line staff members notice a suspicious event, a gap in process, or a vulnerability, but do not recognize the potential for catastrophic impact on the organization. And why would they, without the high-level view? In order for front-line staff members to recognize an issue as a potential data breach, the organization first needs to develop a process and provide tools and training to assist staff in recognizing symptoms.

4.3.6 Escalate

Someone within ChoicePoint alerted law enforcement—that we know. However, he or she apparently didn’t alert ChoicePoint executives. “ChoicePoint’s vice president testified in the Senate that he was the first executive to learn of the data breach, finding out in mid-November.”43 CEO Derek Smith was reportedly “in the dark about the exposure for two months after it was detected last fall.” Smith reported that he was first informed of the crime in “January, or perhaps ‘late December.’”44

43. Otto, Antón, and Baumer, “ChoicePoint Dilemma.”

44. Otto, Antón, and Baumer, “ChoicePoint Dilemma.”

That meant even as law enforcement carried reams of paper with ChoicePoint data out of rooms belonging to a Nigerian identity thief, executives apparently were going about their days, thinking everything was business as usual. As a result, the executive team was not involved in the first weeks (perhaps even months) of the breach response. During those crucial weeks while the crisis was building, ChoicePoint was unable to strategize, gather information, or take action at that executive level. The CEO was later blindsided by the extent of the problem and had to make critical decisions under enormous pressure.

If the executive team had been informed immediately of the suspected crime, ChoicePoint may well have been in a better position. Derek V. Smith himself was a thoughtful CEO. Before ChoicePoint’s breach was discovered, he wrote in a book: “What keeps me awake is the knowledge that so many of the tragedies—small and large—that we see every day could have been prevented or reduced if only the right well-meaning person had the right information at the precise moment they needed to make a well-informed decision.”45

45. Derek V. Smith, Risk Revolution: The Threat Facing America and Technology’s Promise for a Safer Tomorrow (Lanham, MD: Taylor Trade, 2004).

Indeed! If only ChoicePoint’s front-line staff had known to reject fraudulent applications or, at least after the fact, escalate to the executive team immediately so they could make a “well-informed decision.”

“The escalation path is actually harder than it seems,” said Chris Cwalina. “When we do exercises, [we often find that] what the incident response team thought was an appropriate level of escalation [is different from] the expectations of senior management and the board-level people. Characterization and severity level designation can be equally challenging.”

For example, your board members might expect to hear about a suspected data breach in a very early phase, whereas IT staff might be inclined to wait and escalate only after there is solid proof that a breach occurred. It’s critical to involve staff at every level of the organization in the data breach planning process and tabletop exercises, to ensure everyone is on the same page.

4.3.7 Investigate

From the airline ticket agent who allowed the September 11th terrorists onto airplanes to the minister who allowed a convicted sex offender to lead Sunday School and Scout groups—seemingly minor decisions made without the benefit of modern information tools can go terribly awry.46—Derek V. Smith, CEO of ChoicePoint, 2004.

46. Derek V. Smith, Risk Revolution: The Threat Facing America and Technology’s Promise for a Safer Tomorrow (Lanham, MD: Taylor Trade, 2004).

(Not to mention the decision made by the ChoicePoint clerk who approved Oluwatosin’s customer application . . . You just can’t make this stuff up!)

The executives at ChoicePoint were deeply aware that knowledge is power and that “modern information tools” enabled organizations to make smarter decisions. This was the core of their business model, their sales pitch. And yet, somehow they appeared to have forgotten this when it came to management of their own company’s operations.47 When the breach hit, ChoicePoint struggled to understand exactly what had happened because it had limited information about access to its own crown jewels. As the Wall Street Journal reported:48

47. Perez and Brooks, “For Big Vendor.”

48. Evan Perez and Rick Brooks, “For Big Vendor of Personal Data, a Theft Lays Bare the Downside,” Wall Street Journal, May 3, 2005, https://www.wsj.com/articles/SB111507095616722555?mg=id-wsj.

ChoicePoint Inc. has 19 billion data files, full of personal information about nearly every American adult. In minutes, it can produce a report listing someone’s former addresses, old roommates, family members and neighbors. The company’s computers can tell its clients if an insurance applicant has ever filed a claim and whether a job candidate has ever been sued or faced a tax lien.

But last October, after its databases were accessed by a man bent on identity theft, there was one thing ChoicePoint struggled to do: Figure out just what records had been stolen.

“They said it was a huge task and they didn’t have the staff to do it,” says Lt. Robert Costa, head of the Los Angeles County sheriff’s department identity-theft squad. “Apparently their technology wasn’t built so you were able to find the electronic footsteps these guys left.”

4.3.7.1 Got Logs?

To this day, lack of available evidence remains one of the most critical challenges in data breach investigations. “Logging and forensic artifacts is the biggest issue we have as lawyers [working on a data breach case],” Chris Cwalina confided. “More often than not, we don’t have the logs or the evidence we wish we had.”

What are “logs,” and why are they so important? A log is simply a record of an event. There are many types of logs—logs that track when someone signs on to a computer, logs that record the size of a packet that traversed a firewall, logs that indicate when antivirus software detected malicious code. Logs can help you determine whether an attacker stole one person’s or 10,000 people’s health information.

Unfortunately, in many organizations, logs are sparse or nonexistent. “More often than not the log capability was there, but it either wasn’t turned on . . . or not retained long enough,” said Chris.

All too often, logs “roll over” or are automatically deleted after a short time (days or weeks), based on a specific date or log volume. Sometimes, the response team doesn’t realize they need a log until several months into the investigation, and by the time they look, it is gone. This is why it’s critical to preserve any records you think you might possibly need right at the beginning of the investigation. Remember, preservation is relatively cheap. Analysis is typically far more resource intensive. You don’t have to analyze every piece of evidence you collect, but if you decide down the road that you need something, you won’t have the opportunity to go back in time and preserve it. Cast a wide net early on.

“I can only speak to the cases I worked on,” said Chris. “But in a lot of these big notification cases that we’ve seen, my guess is the lawyers were left with nothing definitive to hang their hat on. On the one hand, you might have IT people saying, ‘Well, we can’t rule it out. We can’t rule it out.’ And then on the other hand, the lawyers saying, ‘Well, if access or acquisition can’t be ruled out, then we can’t rule out misuse, so it might be best to notify everybody, in an abundance of caution.’” In other words, Chris suspects that in a number of incidents individuals whose information was not really at risk were notified anyways. “If you had the logs you might be able to learn that actually a lot of the data didn’t get out of the door. ‘Logs’ is something that should be in bold with exclamation points.”
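The advice above, to preserve first and analyze later, is easy to state and easy to get wrong in the rush of an incident. The following script is an added example by the editor, not ChoicePoint’s tooling or the author’s: it copies named log files into an evidence directory, hashes each copy, and writes a manifest, and it records a log that has already rolled over as missing rather than silently skipping it. The file names, the sample log contents, and the “collector” field are constructed assumptions.

```python
"""Added example: preserve log evidence early, with an integrity manifest.

Constructed illustration; nothing here is ChoicePoint's tooling. File names,
the "collector" field, and the sample log contents are assumptions.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB chunks so large logs don't sit in memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector):
    """Copy each source file into evidence_dir and record a manifest.

    Missing files are recorded as missing rather than silently skipped, so the
    team later knows that a log was already gone (rolled over) at collection
    time. Returns the manifest dict; it is also written as MANIFEST.json.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collector": collector,
        "items": [],
    }
    for i, src in enumerate(map(Path, sources)):
        if not src.is_file():
            manifest["items"].append({"source": str(src), "error": "missing"})
            continue
        dest = evidence_dir / f"{i:03d}_{src.name}"  # index avoids name collisions
        shutil.copy2(src, dest)  # copy2 keeps the original modification time
        digest = sha256_file(dest)
        if digest != sha256_file(src):
            raise RuntimeError(f"copy of {src} does not match source")
        manifest["items"].append({
            "source": str(src),
            "copy": str(dest),
            "size": dest.stat().st_size,
            "source_mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(src.stat().st_mtime)),
            "sha256": digest,
        })
    (evidence_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir):
    """Re-hash every preserved copy; return the paths whose hash no longer matches."""
    manifest = json.loads((Path(evidence_dir) / "MANIFEST.json").read_text())
    return [
        item["copy"]
        for item in manifest["items"]
        if "sha256" in item and sha256_file(item["copy"]) != item["sha256"]
    ]


def demo():
    """Run on constructed files in a temp dir; returns (manifest, bad_before, bad_after_tamper)."""
    work = Path(tempfile.mkdtemp(prefix="evidence-demo-"))
    logs = work / "logs"
    logs.mkdir()
    # Constructed sample logs (not real data).
    (logs / "access.log").write_text('2004-10-01T09:12:01 acct_a "GET /report/1001 HTTP/1.1" 200\n')
    (logs / "auth.log").write_text("2004-10-01T09:11:58 acct_a login ok\n")
    sources = [logs / "access.log", logs / "auth.log", logs / "firewall.log"]  # last one never existed
    manifest = preserve(sources, work / "evidence", collector="responder-1")
    clean = verify(work / "evidence")  # [] right after collection
    Path(manifest["items"][0]["copy"]).write_text("altered\n")  # simulate tampering
    return manifest, clean, verify(work / "evidence")


if __name__ == "__main__":
    m, clean, bad = demo()
    print(json.dumps(m, indent=2))
    print("bad before tamper:", clean, "bad after tamper:", bad)
```

The manifest is what lets counsel later say which logs existed at collection time and that the copies analyzed months afterward are the ones collected. In practice the evidence directory would sit on write-once or access-controlled storage, and the manifest itself would be signed or hashed into a custody record.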

4.3.7.2 Logs!!

At ChoicePoint, the team collected both physical and digital evidence and had to correlate data from multiple sources in order to piece together the puzzle. “The bad guys had used the printer [at their facilities]. In some instances they had set up actual offices,” described Chris. “Law enforcement found storage rooms with the paper. There was a federal and state law enforcement investigation that was very thorough and very good. They tracked down and found the culprits and found caches of documents. We literally found boxes of documents.”

The criminals had accessed the records online, logging in with usernames and passwords, and then ran searches and printed the results. Since the material was accessed online, ChoicePoint also had some electronic records. “We had logs of username and password access. . . . There were many accounts that were fraudulent,” described Chris. “We were trying to determine, based on our access logs, what was the scope of information that [the criminals] potentially had access to? As you can imagine, that was a lengthy, complicated process.”

Why so complicated? Simply having logs is not enough. You also have to understand exactly what they mean—a process that seems more straightforward than it really is. All too often, response teams find themselves reviewing logs for the first time during the data breach crisis. It’s not always clear what each field means, and there’s often little or no documentation about the record format. This seemingly simple problem can lead to errors or delays that ultimately can destroy a company’s reputation.

In the case of ChoicePoint, the public wanted answers. Whose records were accessed? Senior management wanted answers, too. “They wanted to make sure we had all the details right, that all of the affected individuals were notified,” reminisced Chris. But getting the details right wasn’t so simple. “With any investigation, especially related to IT, the facts change,” said Chris. “That’s the nature of the beast with IT-related incidents. It was very frustrating for senior management that things would change, numbers would change.”

Chris gave an example in which the investigative team might find one set of logs and conclude that a line item indicated an HTTP “GET” request, which meant that a customer had accessed a record. Later, the investigative team would correlate that first log with another set of logs and realize that the line item actually meant that the person didn’t access the records at all but merely clicked to the next page.

Lack of familiarity with internal logs is one of the biggest factors that slows down a data breach response—along with a lack of access to the logs to begin with. At ChoicePoint, the organization apparently had some logs, but they weren’t easy for the response team to understand, and there was no preestablished process for interpreting them.

As a result, ChoicePoint’s investigative team would provide executive leadership with a preliminary number and then, a few days later, the team would have to revise it after further analysis. This made public relations very, very difficult.

“Know your logging capabilities,” Chris advised. “Think about it now, in advance of an incident. Think about what you currently retain and why. And really think that through with the right people.”

4.3.8 Scope

“Senior management was very involved with the investigation,” remembered Chris. “They wanted to know [the] scope.”

Scoping is a critical (and all-too-often-overlooked) component of data breach response, in which you determine exactly what data, computer systems, physical facilities, or other aspects of the organization are involved in a breach. Basically, you define the area at risk as best you can.

“How did [the criminals] get the data? What data did they get? Do we know what the box is?” Chris gestured, drawing a box in the air with his fingers.

The first step of scoping a data breach is to define the key questions that need to be answered, based on the risks to the organization caused by the potential data breach. Common questions include:

  • What type(s) of information may potentially have been exposed?

  • Who is affected by the exposure of this information? How many people?

  • How much data may have been exposed?

  • What laws, regulations, and/or contractual obligations relate?

  • What jurisdictions do the affected parties reside in?

In the case of ChoicePoint, the decision makers desperately needed to know precisely whose records were accessed by the criminal. Why was this important? In 2003, California’s S.B. 1386, the nation’s first security breach notification law, took effect. It “requires any company that stores customer data electronically to notify its California customers of a security breach to the company’s computer system if the company knows or reasonably believes that unencrypted [personal] information about the customer has been stolen.”49 The law applied to any company that does business with a California resident, even companies based outside of California. To provide incentive for compliance, California allowed injured customers to “institute civil actions to recover damages.”50

49. FindLaw®, California Raises the Bar on Data Security and Privacy, http://corporate.findlaw.com/law-library/california-raises-the-bar-on-data-security-and-privacy.html (accessed January 7, 2018).

50. Official California Legislative Information, Bill No. SB 1386, http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html (accessed January 7, 2018).

In other words, if ChoicePoint had exposed any records relating to a California resident, then it was legally required to notify the affected person. Since the criminal, Oluwatosin, was living in the Los Angeles area, ChoicePoint (an Atlanta-based company) worked with the local Los Angeles sheriff’s office, which instructed ChoicePoint to notify affected consumers in accordance with the new, widely publicized law.51

51. Charles Gasparino, “When Secrets Get Out,” Newsweek, March 13, 2005, http://www.newsweek.com/when-secrets-get-out-115027.

For ChoicePoint, the seemingly simple question of scope took a very long time to answer, due to the issues with its logging process. Initially, the company sent notifications only to residents of California—approximately 30,000 in total. After a massive public outcry from the rest of the country, ChoicePoint conceded that another 110,000 consumers around the nation were affected and would be notified as well. The Los Angeles sheriff’s department told the media that criminals could have downloaded records relating to as many as 4 million people. “ChoicePoint disputes that estimate but says the number of victims may grow higher than the 145,000 it has so far acknowledged,” responded the beleaguered corporate spokespersons.52 Even months after the breach was announced, the actual tally of affected persons remained unknown.

52. Perez and Brooks, “For Big Vendor.”

If only ChoicePoint could have easily created a report listing all accesses to consumer records! The technology was available, but the company had not deployed it. The fact that it took months and months for executives to understand the actual scope of the breach dramatically impacted their ability to respond and damaged the company’s image, as we will see in the next sections.
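Chris’s story of the “GET” that turned out to be a next-page click, and the scoping questions above (which records, how many people, which jurisdictions), come down to one exercise: joining access logs against the list of fraudulent accounts and against the data subjects of the records returned. The Python script below is an added example by the editor, not ChoicePoint’s logs or tooling and not the author’s code. Its log format, account names, record ids and record-to-state table are all constructed for the illustration.

```python
"""Added example: scope a breach from web access logs, by account and by jurisdiction.

Editor's illustration (not ChoicePoint's logs or tooling). The log format,
account names, record ids and the record-to-state table are all constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed access-log lines: timestamp, account, request line, HTTP status.
SAMPLE_LOG = """\
2004-10-01T09:12:01 acct_garrett "GET /search?q=smith HTTP/1.1" 200
2004-10-01T09:12:05 acct_garrett "GET /search?q=smith&page=2 HTTP/1.1" 200
2004-10-01T09:12:40 acct_garrett "GET /report/1001 HTTP/1.1" 200
2004-10-01T09:13:02 acct_garrett "GET /report/1002 HTTP/1.1" 200
2004-10-01T09:13:30 acct_garrett "GET /report/1003 HTTP/1.1" 403
2004-10-01T10:00:00 acct_legit "GET /report/2001 HTTP/1.1" 200
2004-10-02T11:45:10 acct_galloway "GET /search?q=jones HTTP/1.1" 200
2004-10-02T11:45:18 acct_galloway "GET /report/1002 HTTP/1.1" 200
2004-10-02T11:46:00 acct_galloway "GET /report/3005 HTTP/1.1" 200
"""

# Accounts law enforcement identified as fraudulent (constructed).
FRAUDULENT_ACCOUNTS = {"acct_garrett", "acct_galloway"}

# Record id -> state of residence of the data subject (constructed).
RECORD_STATE = {1001: "CA", 1002: "CA", 1003: "CA", 2001: "MA", 3005: "MA"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<user>\S+)\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})$'
)
REPORT_RE = re.compile(r"^/report/(?P<rid>\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def delivered_record(entry):
    """Return the record id if this request actually delivered a report.

    Search and paging requests (/search?...&page=2) are not record accesses,
    and a 403 means the server refused to return the report. Only a 200 on
    /report/<id> counts.
    """
    m = REPORT_RE.match(entry["path"].split("?", 1)[0])
    if m and entry["status"] == 200:
        return int(m.group("rid"))
    return None


def scope_breach(log_text, suspect_accounts):
    """Return (naive_request_count, records_by_account, exposed_record_ids)."""
    naive_requests = 0
    records_by_account = defaultdict(set)
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["user"] not in suspect_accounts:
            continue
        naive_requests += 1  # what a first pass might report as "accesses"
        rid = delivered_record(entry)
        if rid is not None:
            records_by_account[entry["user"]].add(rid)
    exposed = set().union(*records_by_account.values())
    return naive_requests, dict(records_by_account), exposed


def notifications_by_state(exposed, record_state):
    """Count affected individuals per state; ids with no known state are returned separately."""
    counts = Counter()
    unknown = set()
    for rid in exposed:
        state = record_state.get(rid)
        if state is None:
            unknown.add(rid)
        else:
            counts[state] += 1
    return counts, unknown


if __name__ == "__main__":
    naive, per_account, exposed = scope_breach(SAMPLE_LOG, FRAUDULENT_ACCOUNTS)
    print("requests by fraudulent accounts:", naive)
    print("records actually delivered:", sorted(exposed))
    for account, rids in per_account.items():
        print(f"  {account}: {sorted(rids)}")
    counts, unknown = notifications_by_state(exposed, RECORD_STATE)
    print("notifications by state:", dict(counts), "unknown residence:", sorted(unknown))
```

Two things the script makes explicit that the narrative only describes. A first pass that counts every request by the fraudulent accounts reports eight “accesses,” while only three distinct reports were actually delivered (two requests were searches and paging, one was refused with a 403), and a record pulled by two fraudulent accounts is one affected person, not two. The per-state count is what turns the record set into a notification plan under a law like S.B. 1386, and the “unknown residence” set is the list the team still has to resolve before the number given to executives stops changing.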

4.4 Acute Phase

Things went from bad to worse very quickly for ChoicePoint as soon as its first consumer notification letters were received in mid-February.

“If the prodromal phase alerts you to the fact that a hot spot is brewing, the acute crisis phase tells you that it has erupted,” writes Steven Fink. “One of the major difficulties for managing a crisis during the acute phase is the avalanchelike speed and intensity that often accompany and characterize this phase.”53

53. Steven Fink, Crisis Management: Planning for the Inevitable (Lincoln, NE: iUniverse, Inc. 2002), 22.

When ChoicePoint’s data breach crisis exploded into the public eye, the company made it worse by clamming up, failing to provide clear information, and ultimately failing to manage the public perception of the crisis in a timely and effective manner.

4.4.1 Ain’t Nobody Here But Us Chickens

“The man who wrote the book on information security has been conspicuous in his absence this week,” reported Bill Husted of the Atlanta Journal-Constitution. “Alpharetta-based ChoicePoint faces a public relations nightmare after it sold personal data about consumers to identity thieves posing as legitimate business customers. . . . But since news of the crisis broke, Smith has made no public statements and declined interview requests. That strategy dumbfounds crisis management and marketing experts contacted Friday.”54

54. Bill Husted, “Boss Keeps Low Profile Amid Crisis Experts Rap Strategy of ChoicePoint,” Atlanta Journal-Constitution, February 19, 2005.

“If it’s a national issue, the CEO must be involved. Otherwise he’s saying he doesn’t care,” said crisis management expert Jonathan Bernstein.55

55. Husted, “Boss Keeps Low Profile.”

“You have to take responsibility publicly,” concurred public relations consultant Al Ries of Atlanta. “The CEO should come forward immediately, get on radio and TV and apologize.” Instead, Smith disappeared.

4.4.2 Just California . . . Really

The company had initially sent notifications to consumers on February 8, 2005—but only to California residents, the one state in the nation with a law requiring organizations to alert consumers when their “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”56 A ChoicePoint spokesman said, “California is the focus of the investigation and we don’t have any evidence to indicate at this point that the situation has spread beyond California.”57

56. Baker Hostetler, “Data Breach Charts,” Baker Law, November 2017, 25, https://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf.

57. Rachel Konrad, “Californians Warned that Hackers May Have Stolen their Data,” USA Today, February 16, 2005, http://usatoday30.usatoday.com/tech/news/computersecurity/hacking/2005-02-16-choicepoint-hacked_x.htm.

Few people believed that. Instead, most people assumed that ChoicePoint had notified only Californians because it was not legally required to notify affected individuals in other states. “Right now you’ve got people in Massachusetts saying, ‘Hey, why am I less important than people in California?’” said Matt Stevens, the chief technical officer (CTO) of Network Intelligence.58

58. Associated Press, “Big ID Theft in California,” Wired, February 16, 2005, http://web.archive.org/web/20050217193946/http://wired.com/news/business/0,1367,66628,00.html.

4.4.3 . . . Oh, and Maybe 110,000 Other People

On the very same day that ChoicePoint said “we don’t have any evidence to indicate . . . that the situation has spread beyond California,” it posted an announcement on its website stating that “[a]dditional disclosures will be forthcoming to approximately 110,000 consumers outside of California whose information also may have been accessed.”59

59. ChoicePoint, ChoicePoint Update on Fraud Investigation, February 16, 2005, https://web.archive.org/web/20050217071222/http://www.choicepoint.com/news/statement_0205_1.html.

“The number of people being notified that they may have been caught in a massive identity-theft scam quadrupled . . . to 145,000,” reported the Los Angeles Times. “The company took the step after criticism that it was sending warning letters only to 35,000 possible victims in California, where state law requires such disclosure.”60

60. Menn and Colker, “More Victims.”

4.4.4 The Explosion

Nineteen state attorneys general released an open letter to the company “demanding that the company respond immediately with details about how it will notify their residents.”61 State and federal legislators took action. Senator Dianne Feinstein used the ChoicePoint case as political capital to push for hearings on a federal data security and breach notification bill.62

61. Rachel Konrad, “Data Firm Allowed 700 Identity Thefts: Half-Million Still at Risk at Credit Broker with No Federal Regulation,” Pittsburgh Post-Gazette, February 19, 2005.

62. Menn and Colker, “More Victims.”

The public was outraged by the fact that ChoicePoint staff had discovered the fraud in September 2004 but waited until February 2005 to notify victims. During that time, affected consumers were exposed to higher risk of identity theft, but were not aware and could not take appropriate action to reduce their risk of fraud (such as freezing their credit). The longer ChoicePoint waited, the greater the risk was to affected consumers.

According to the Atlanta Journal-Constitution “[t]he firm set up no special phone line to handle consumer inquiries.”63 Within a week, the media reported that ChoicePoint had set up a toll-free number to answer questions related to the incident but that it was dysfunctional. For example, NBC News, which broke the story on February 14, 2005, reported that California resident Elizabeth Rosen called the number but was quickly frustrated about the lack of information provided. “[W]hen I called, the person just read from a script . . . they said disclosing too many details may hurt an ongoing investigation,” Rosen said. “I’m not happy about this. I didn’t even know who ChoicePoint was.”64

63. Husted, “Boss Keeps Low Profile.”

64. Bob Sullivan, “Database Giant Gives Access to Fake Firms,” NBC News, February 14, 2005, http://www.nbcnews.com/id/6969799/print/1/displaymode/1098.

4.4.5 The Blame Game

ChoicePoint representatives blamed law enforcement for the delay in notification, saying that it occurred because police officers had “requested that notification not take place, so as not to compromise the investigation.” In response, the Los Angeles County sheriff’s office stated that it had told ChoicePoint in November that the company was legally required to notify California residents.65 Furthermore, police indicated that “ChoicePoint did not appear willing to quickly share information about the case.” Robert Costa, lead investigator for the Southern California High Tech Task Force’s identity theft detail, told the media, “We’ve been following up on leads while waiting for ChoicePoint.”66

65. Evan Perez, “ChoicePoint Is Pressed for Explanations to Breach,” Wall Street Journal, February 25, 2005, http://www.wsj.com/articles/SB110927975875763476?mg=id-wsj.

66. Robert O’Harrow Jr., “ID Data Conned from Firm: ChoicePoint Case Points to Huge Fraud,” Washington Post, February 17, 2005, http://www.washingtonpost.com/wp-dyn/articles/A30897-2005Feb16.html.

As the media storm ensued, ChoicePoint emphasized that it had been the victim of a crime, conceding no wrongdoing. “We’re not to blame,” said ChoicePoint spokesperson James Lee. The company’s unsympathetic letter provided little help for the recipients, recommending only that they “place a fraud alert on [their] credit report[s] by calling the toll-free number of any one of the three credit bureaus listed below,” carefully review their credit reports for errors, and contact the credit card companies directly if they notice any suspicious activity.

“The way the letter sounds, it was totally an incident against them, and an ‘inconvenience’ to us,” said Chapman about the notification letter from ChoicePoint. “I’m going to have to watch my back for the rest of my life.”67

67. Scalet, “Five Most Shocking Things.”

4.4.6 That New Credit Monitoring Thing

Eventually, ChoicePoint’s response team did get organized, make clear public statements, and take thoughtful action to compensate consumers. On February 25, ChoicePoint sent a follow-up letter to affected consumers, with a remarkable offer:68

68. EPIC.org, ChoicePoint letter dated February 25, 2005, https://epic.org/privacy/choicepoint/cp_letter_022505.pdf (accessed January 7, 2018).

We assure you we understand the inconvenience this incident may cause you and have therefore partnered with Experian, one of the three national credit reporting companies, to provide you, at our cost, with the resources that will help you monitor and protect the use of your personal information.

One of these resources is the credit monitoring service provided by Experian. Reviewing your credit report frequently for inaccuracies is one way of helping prevent against potential identity theft. . . . This credit monitoring service will allow you to have unlimited access to your Experian credit report and will provide you with daily monitoring and email alerts of key changes to your Experian credit report.

For thousands of people, this was the first time they had ever heard of “credit monitoring” as a service, let alone received it. A decade later, offers of credit monitoring in these situations are so commonplace that many consumers now have “free credit monitoring” three or four times over due to different breaches that exposed their information. Back then, it was a new idea, and wholly appropriate given the type of information accessed and the public concerns of identity theft.

4.4.7 Act Now, While Goodwill Lasts

It might seem obvious, but once you realize a data breach crisis may have occurred, you must act. This is especially important if you are already in the acute phase. You must act to manage the crisis itself, as well as the perception of the crisis. This requires a two-pronged approach: crisis management and crisis communications.

The delayed response from ChoicePoint’s executive team at the start of the acute phase is understandable, but it cost them. The executive team undoubtedly felt ashamed and vulnerable. They didn’t know what to do. They didn’t have the information they needed. They weren’t prepared to manage the crisis. In all likelihood, they were fearful that taking responsibility or making strong public statements would place them at greater risk of liability. So they clammed up. Even though eventually they did take proactive response measures, their early delays enraged the public and stoked the flames.

What kinds of actions should you take? Here are a few examples:

Crisis Management:

  • Quarantine infected systems to stop the spread of malware.

  • Secure your systems by purging malware, removing attacker accounts, and tightening firewall rules.

  • Devalue stolen data if possible by changing passwords or other mutable information.

  • Implement additional controls to reduce harm, such as fraud monitoring for stolen credit card numbers.

Crisis Communications:

  • Notify consumers.

  • Provide a statement to the media.

  • Hold press conferences.

  • Set up a call center.

  • Provide compensation, if appropriate.

The biggest mistake organizations make during the acute phase is that they don’t take quick and immediate action. Frequently, data breach response teams get mired in internal legal discussions or try to wait until the scoping is fully complete before communicating with affected stakeholders or taking action. This last mistake is extremely common: In cases where the organization is unprepared and log collection and analysis is slow and painstaking, the scoping phase can take a long time, and often you simply can’t afford to wait until you have all the answers.

As we will see throughout this book, the longer you wait to act, the greater the risk that stolen data will be misused, and the more you have to worry about negative press and reputational damage. That’s not to say that you should rush a response (there is a balance), but prioritize action. Remember, laws and regulations are only part of what guides your response. Maintaining trust and goodwill with your stakeholders is of the utmost importance. This requires clear, timely, and honest action.

4.5 Reducing Harm

Data breaches create risk for multiple parties. These can include:

  • Individuals whose personal information has been exposed

  • The breached organization itself (due to the potential for unauthorized access, lawsuits, financial and reputational damage, etc.)

  • Third parties such as banks, credit card companies, hospitals, government agencies, and any entity offering an asset that the stolen data is used to access

If you act quickly in response to a breach, it is possible to reduce risk of harm to key stakeholders. Here are three common strategies for reducing harm:

  1. Devalue the data

  2. Monitor and respond

  3. Implement additional access controls

We will examine each of these strategies in turn.

4.5.1 Devalue the Data

Digitized data is a beautiful thing. An inherent benefit of digitized data is that, in theory, it is easy to distribute, easy to change, and easy to access remotely. These are all qualities that can help us reduce risk quickly in the event that a data breach is discovered.

4.5.1.1 Passwords

When passwords are exposed, what can be done to reduce the risk of harm? Change the passwords in your authentication system, of course. Then the exposed data can no longer be used to access the assets for which the passwords were originally created. To minimize risk, passwords should be changed as soon as possible following discovery of a suspected breach. The downside of changing passwords, of course, is that it is an irritation and an inconvenience to users, who often have a choice of what services they use. The process can also create additional burdens on customer or employee IT support staff.

4.5.1.2 Payment Card Numbers

Payment card numbers, too, can be changed—although they are not as ephemeral as a password. Since payment card numbers are, literally, embossed onto a card and distributed to cardholders, it costs money to buy card stock, and takes time and effort to imprint new cards and get them to consumers. Again, the issue of customer irritation is significant, as is cost. There is also the issue of data dependencies. Many consumers have set up autopays, for example, that rely on a static payment card number. When the card number changes, it causes work and annoyance for consumers who must reconfigure their bill payment methods. For all of these reasons, banks and card brands often choose not to change card numbers, even when they know a card number has been exposed or stolen.

4.5.1.3 Stuck with a Stolen SSN

SSNs represent the epitome of data dependencies. Most Americans have the same SSN for their entire lives. Even if you know your SSN has been stolen, the Social Security Administration (SSA) will not change it if there is “no evidence that someone is using your number.” Even if you are one of the rare persons who successfully lobbies for a new SSN, the SSA cautions:69

69. U.S. Social Security Administration, Identity Theft and Your Social Security Number, Pub. No. 05-10064 (Washington, DC: SSA, June 2017), https://www.ssa.gov/pubs/EN-05-10064.pdf.

Keep in mind that a new number probably won’t solve all your problems. This is because other governmental agencies (such as the IRS and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) will have records under your old number. Along with other personal information, credit reporting companies use the number to identify your credit record. So using a new number won’t guarantee you a fresh start. This is especially true if your other personal information, such as your name and address, remains the same.

In other words, there is no effective way to change your SSN throughout the entire information ecosystem, and therefore, there is no way to fully devalue the data if it is stolen.

Equifax painfully illustrated the fatal flaw of SSNs: They could not be changed on a large scale. The U.S. government did not have the infrastructure to change 145.5 million SSNs. This meant that the risk resulting from the theft remained largely uncontrolled.

“I feel very strongly that the Social Security number has outlived its usefulness,” said Rob Joyce, the White House cybersecurity coordinator. “Every time we use the Social Security number, you put it at risk.”70

70. Nafeesa Syeed and Elizabeth Dexheimer, “The White House and Equifax Agree: Social Security Numbers Should Go,” Bloomberg, October 4, 2017, https://www.bloomberg.com/news/articles/2017-10-03/white-house-and-equifax-agree-social-security-numbers-should-go.

In his congressional testimony, former Equifax CEO Rick Smith came to the same conclusion. “If there’s one thing I would love to see this country think about, it’s the concept of a Social Security number in this environment being private and secure. I think it’s time as a country to think beyond that,” he said. “What is a better way to identify consumers in our country in a very secure way? I think that way is something different than an SSN, a date of birth and a name.”71

71. House Energy and Commerce Subcommittee Hearing on “Equifax Data Breach” Before the Subcomm. on Digital Commerce and Consumer Protection of the H. Comm. on Energy and Commerce, 115th Cong. (October 3, 2017), https://www.c-span.org/video/?434786-1/lawmakers-grill-equifax-ceo-data-breach&start=9971 (prepared testimony of Richard F. Smith, former Chairman and CEO, Equifax).

When it comes to data breaches, SSNs are a perfect storm: They proliferate with use, many people have access to them, they are highly liquid due to their compact size and structured format, and they remain unchanged over the course of a person’s lifetime (and beyond).

4.5.1.4 Alternate Forms of Authentication

Much of the harm from data breaches stems from a widespread reliance on knowledge-based authentication. When secret keys are spilled, it creates risk. Fortunately, recent advances have made other forms of authentication far more convenient, for users and organizations. Modern technology now enables us to use one-time PINs, mobile apps, thumbprints, facial expressions, voiceprints, or small hardware tokens as keys to log in to computer accounts. Critically, the key itself does not need to be revealed during the authentication process. Instead of sending a copy of your thumbprint over the Internet, advanced cryptography is used to prove that your thumbprint was valid, without revealing the actual thumbprint itself. Apple iPhones and iPads include a built-in thumbprint reader and an application programming interface (API) that allows apps to leverage the TouchID authentication feature. Windows 10 builds in the Windows Hello functionality, which is designed to support biometric authentication.

More than 95% of Americans have cell phones, enabling two-factor authentication based on SMS (text) messages. A whopping 77% of U.S. adults own a smartphone, facilitating the deployment of two-factor authentication based on mobile apps.72

72. Pew Research Center, “Mobile Fact Sheet,” Pew Internet and Technology, January 12, 2017, http://www.pewinternet.org/fact-sheet/mobile.

Slowly, the world is moving away from knowledge-based authentication, reducing the value of sensitive personal information for use in fraud and other crimes. This reduces risk for both consumers and organizations.

4.5.2 Monitor and Respond

A second option is to monitor accounts or assets that may be accessed using stolen data and develop a system for detecting and responding to fraudulent use. When a data breach happens today, free credit monitoring is perhaps the most common form of compensation provided to victims, as illustrated in the ChoicePoint case.

Credit agencies such as Experian, TransUnion, and Equifax collect records of lending and payment activity on mortgages, loans, credit cards, bills, and other financial accounts. From this, they produce your credit report and calculate your credit score (really, multiple scores) that are designed to convey information about your creditworthiness to other lenders.

When a criminal sets up a new account using a victim’s stolen personal information or abuses an existing account, a record of this activity will typically show up on the victim’s credit report. The consequences of identity theft can include unpaid credit card bills that the victim didn’t even know existed, repeated credit inquiries by new lenders, and other results that negatively impact the victim’s credit. For the victim, this can result in a nightmare scenario where he or she is denied credit or charged exorbitant interest rates due to a damaged credit rating.

Enter credit monitoring: a service where a third party, such as the Big Three credit agencies (Experian, Equifax, and TransUnion), or vendors such as AllClear or LifeLock, monitor the victim’s credit reports and provide alerts when there are any suspicious changes. These may include changes in your credit score, address, new accounts, delinquencies, credit inquiries, and other factors that might affect your credit score.

Credit monitoring provides some value to consumers by helping to detect issues with their credit report quickly. It’s also a way for the credit bureaus to make extra recurring revenue: They typically charge consumers $15 to $20 a month. Card brands are in on the action, too: “The monitoring business is profitable enough that big credit card companies, including Capital One and Discover, now partner with Experian to sell private-label versions of the monitoring service directly to their customers, taking a cut of the fees and giving the rest to Experian.”73

73. Ron Lieber, “A Free Credit Score Followed by a Monthly Bill,” New York Times, November 2, 2009, http://www.nytimes.com/2009/11/03/your-money/credit-scores/03scores.html.

4.5.2.1 Credit Monitoring for Victims

Many organizations purchase free credit monitoring on behalf of affected victims. The idea is to offer victims something of value that will also reduce their risk of identity theft. This ties in with classic image repair theory, combining two strategies: compensation and corrective action. Table 4-1 shows examples of each, as described by image repair expert William L. Benoit:79

79. William L. Benoit, Accounts, Excuses, and Apologies, 2nd ed. (New York: SUNY Press, 2014), 28.

Table 4-1 Examples of “Compensation” and “Corrective Action” Image Repair Strategies. Source: Benoit, Accounts, Excuses, and Apologies, 28.

Strategy/Tactic   | Example
------------------|-------------------------------------------------------------------------------------
Compensation      | Because the waiter spilled a drink on your clothes, we’ll give you dessert for free.
Corrective Action | Because the waiter spilled a drink on your suit, we’ll pay to have it dry cleaned.

How useful is credit monitoring for victims of a breach? “Credit monitoring is only helpful if your social security number has been stolen, notifying you if someone applies for an account in your name,” writes Kathleen Burke of MarketWatch. “It doesn’t track fraudulent credit card charges.”80 For breaches involving healthcare data, credit monitoring doesn’t address potential embarrassment or discrimination that can come as a result of exposed medical details.

80. Kathleen Burke, “‘Free Credit Monitoring’ after Data Breaches is More Sucker than Succor,” MarketWatch, June 10, 2015, http://www.marketwatch.com/story/free-credit-monitoring-after-data-breaches-is-more-sucker-than-succor-2015-06-10.

After a breach, organizations often have only enough budget to offer credit monitoring for a year, and the providers sometimes monitor credit reports from only one of the three major credit bureaus. “Hackers can use stolen information to apply for credit at any of these three bureaus and after any amount of time,” adds Burke.

After the health insurer Anthem was breached, the company offered victims two years of free credit monitoring, twice as long as most organizations. Jairo Angulo and his wife previously had health insurance through Anthem and were notified that their personal information was stolen in the breach. For Angulo, two years of free credit monitoring was “not nearly enough.”81

81. David Lazarus, “So What Does a Corporation Owe You after a Data Breach?” Los Angeles Times, May 10, 2016, http://www.latimes.com/business/lazarus/la-fi-lazarus-security-breaches-20160510-snap-story.html.

“If your Social Security number and other information is out in the world, it’s out there forever,” said Angulo. “Anthem should be paying for my credit monitoring for the rest of my life.”82 (The Anthem breach will be discussed in more detail in Chapter 9, “Health Data Breaches.”)

82. Lazarus, “So What Does a Corporation Owe You.”

Over the years, data breaches have become so frequent, and free credit monitoring such a standard response, that many consumers have received the service three, four, five, or more times as a result of different breaches. This has reduced the value of credit monitoring as a compensatory strategy: for consumers who already have the service, another offer provides little additional value. On the flip side, if it is not offered, consumers notice.

4.5.2.2 Internal Fraud Monitoring

In the payment card industry, banks and card brands have developed sophisticated systems for detecting potential fraudulent use of card data. Often, these are based on a behavioral profile of the cardholder: For example, if the cardholder is based in Boston, the system might alert and block a sudden attempted purchase in Des Moines. What modern cardholder hasn’t gotten off an airplane, only to find that their first purchase in a new city is declined?

Of course, it can be expensive and labor intensive for banks and card brands to implement effective monitoring systems, and false positives cost merchants business and damage their relationship with consumers. “[T]wo-thirds of cardholders who were declined during an e-commerce (electronic) transaction or m-commerce (mobile) transaction reduced or stopped their patronage of the merchant following a false-positive decline, versus 54 percent for all declined cardholders,” stated an Internal Revenue Service (IRS) whitepaper on fraud.83

83. Taxpayer Advocate Service, “Most Serious Problems: Fraud Detection,” Annual Report to Congress 1 (2006): 151–60. https://taxpayeradvocate.irs.gov/Media/Default/Documents/2016-ARC/ARC16_Volume1_MSP_09_FraudDetection.pdf.

The IRS itself has been subject to rampant tax refund fraud, due to stolen taxpayer personal information, including W-2 forms. To combat this, the IRS has developed “a complex and multifaceted” program to “address identity theft and detect and prevent improper fraudulent refunds.” This includes employing filters, data analytics and manual analysis to flag potentially fraudulent returns before refunds are issued. In addition, “the IRS began employing additional filters known as the Identity Theft business rules in January 2009. The business rules are applied to any return filed with a Social Security number (SSN) associated with an identity theft indicator. These returns are not allowed to post to taxpayers’ accounts (these are called ‘unpostable’ returns) until the IRS can review the returns and accounts, and determine that they belong to the valid SSN owners.” As described by the Taxpayer Advocate Service in the 2016 Annual Report to Congress, the IRS’s fraud detection processes have a high false positive rate—up to 91%! This resulted in 1.2 million delayed returns for the calendar year 2016 (through September) and caused taxpayer refunds to be delayed by approximately two months.

Taxpayers whose returns are delayed due to possible identity theft are instructed to call the IRS’s Taxpayer Protection Program hotline, which had an abysmal level of service of 31.7% and an average wait time of 11 minutes in fiscal year 2016.84 The high rate of false positives also erodes employee morale within the IRS, in addition to the fact that the program as a whole is undoubtedly expensive—costs that ultimately come out of the taxpayers’ pockets.

84. “Level of service” is a measure of “the relative success rate of taxpayers who call the toll-free lines seeking assistance from customer service representatives.” Taxpayer Advocate Service, “Most Serious Problems: IRS Toll-Free Telephone Service Is Declining as Taxpayer Demand for Telephone Service Is Increasing,” Annual Report to Congress 1 (2009): 1, 5, https://www.irs.gov/pub/tas/msp_1.pdf.

4.5.3 Implement Additional Access Controls

SSNs, payment card numbers, passwords, and many other types of data are called “access devices” for a reason: because they facilitate access to valuable information or assets. If such an access device is stolen, it may be costly, difficult, or impossible to devalue the data entirely. However, in many cases, organizations can implement additional access controls to reduce the risk of unauthorized access. These controls are often combined with additional monitoring efforts.

For example: if customer passwords are exposed, but the breached organization does not force a password reset immediately due to, say, concern about irritated customers, the organization may choose to implement an additional check to determine whether the device or IP address used to log in to the customer account has been used in the past. If so, the organization may allow the login to proceed. Otherwise, the user may be subjected to additional verification procedures, such as a text or call to the phone number on file. From a technical perspective, this is riskier than forcing an immediate password reset across the board, but management may decide that the business risk associated with the potential for widespread customer irritation outweighs the risk of unauthorized account access.
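The compensating control just described can be written down as a small policy object. The following is an added example, not code from the book or from any breached organization, showing the decision logic: accounts in the breach scope are flagged, logins from a device or IP address seen before are allowed, anything unfamiliar is sent to out-of-band verification, and a successful verification (or a later password rotation) lifts the restriction. The class, field and sample values are this example’s own; the IP addresses are from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class LoginAttempt:
    username: str
    device_id: str   # e.g. a persistent cookie or app install identifier (constructed values below)
    ip: str


@dataclass
class AccountState:
    known_devices: Set[str] = field(default_factory=set)
    known_ips: Set[str] = field(default_factory=set)
    credentials_exposed: bool = False   # set for every account within the breach scope


class LoginGate:
    """Post-exposure compensating control: familiar device or IP -> allow;
    anything else -> step-up verification, until the password is rotated."""

    def __init__(self, accounts: Dict[str, AccountState]):
        self.accounts = accounts
        self.audit: List[Tuple[str, str, str, str]] = []   # (user, device, ip, decision)

    def decide(self, attempt: LoginAttempt) -> str:
        state = self.accounts.get(attempt.username)
        if state is None:
            return "deny"                      # unknown account
        if not state.credentials_exposed:
            return "allow"                     # normal password login applies
        familiar = (attempt.device_id in state.known_devices
                    or attempt.ip in state.known_ips)
        decision = "allow" if familiar else "step_up"
        self.audit.append((attempt.username, attempt.device_id, attempt.ip, decision))
        return decision

    def complete_step_up(self, attempt: LoginAttempt, verified: bool) -> str:
        """Called after the text/call to the phone on file succeeds or fails."""
        if not verified:
            return "deny"
        state = self.accounts[attempt.username]
        state.known_devices.add(attempt.device_id)   # trust this device from now on
        state.known_ips.add(attempt.ip)
        return "allow"

    def password_rotated(self, username: str) -> None:
        """Once the user has changed the exposed password the extra check is no longer needed."""
        self.accounts[username].credentials_exposed = False


def demo_accounts() -> Dict[str, AccountState]:
    """Constructed sample: alice is in the breach scope, bob is not."""
    return {
        "alice": AccountState({"dev-A1"}, {"203.0.113.10"}, credentials_exposed=True),
        "bob": AccountState({"dev-B1"}, {"198.51.100.7"}, credentials_exposed=False),
    }
```

The audit list exists because this control only makes sense alongside monitoring: every step-up outcome for an exposed account is a data point about whether the stolen credentials are being tried, and the organization should be watching it while the forced reset is being deferred.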

This type of additional check is common for payment cards: Often banks or card brands are aware that a consumer’s card number has been stolen. However, rather than spending money to replace cards in bulk and risk widespread customer anger, financial institutions may choose to selectively implement additional controls such as callbacks when they detect deviations from the cardholder’s normal spending patterns.

The challenge comes when sensitive information is used to access systems outside the breached organization, often in many different places. The SSN is a perfect example of this—your SSN may have been stolen from a hospital and used to procure a cell phone from Verizon. The hospital has no control over Verizon’s sales cycle, and their security teams do not communicate. Indeed, the hospital may never suffer any direct damage due to a breach of personally identifiable information (it may not even be detected!) and yet many outside organizations and the victims themselves may experience financial damage.

4.5.3.1 The Credit Freeze Band-Aid

Experts agree that one of the most effective ways for consumers to protect themselves against identity theft is to “freeze” their credit—essentially, preventing credit reporting agencies from releasing their credit reports. Since most lenders pull a consumer’s credit before approving a new account, this effectively prevents fraudsters from opening new accounts in a victim’s name.

In 2003, legislators began to craft laws that would make it easier for consumers to freeze their credit. Over the next few years, the Consumer Data Industry Association (CDIA), which represents the Big Three credit bureaus, fought back. “[C]redit freezes could . . . cut deeply into the credit bureaus’ core business,” reported USA Today in 2007. “The CDIA has been scrambling . . . to get federal lawmakers to defuse the onrush of state laws empowering consumers to freeze access to their credit histories to prevent identity theft.”85

85. Byron Acohido and Jon Swartz, “Credit Bureaus Fight Consumer-Ordered Freezes,” USA Today, June 25, 2007, https://usatoday30.usatoday.com/money/perfi/credit/2007-06-25-credit-freeze-usat_n.htm.

It was a losing battle for the CDIA: Across the country, laws passed in 49 states and the District of Columbia allowing consumers to freeze their credit. States also introduced mechanisms for a “quick thaw,” which would allow consumers to quickly unfreeze their credit reports using a PIN so that they could process legitimate credit applications.

A credit freeze is a form of additional access control that consumers can implement following a breach. For personally identifiable information, which is used by an endless variety of organizations all over the map, it is perhaps the best way to control unauthorized use. Credit freezes are, however, a rudimentary tool. Consumers cannot limit access to their credit reports to specific, authorized entities. Instead, the access control is based on timing: either a report is frozen or unfrozen. If a criminal happens to apply for a loan at the same time that a victim has unfrozen his or her credit for legitimate reasons, then the criminal may well succeed. Also, a credit freeze reduces the risk of only specific types of identity theft that involve a creditor pulling a consumer’s report.

4.5.3.2 Debit Card Lock

In response to debit card thefts, banks introduced a “debit card lock” feature, which allows customers to “turn off” their debit cards using their mobile phone or online banking web application.86 The New York Times published a report on the debit card lock in early 2016. “In an informal test, a reporter locked a Bank of America debit card using a mobile phone; the card was then rejected by an A.T.M. (The machine spit out the card and displayed a message stating, ‘This card is not valid.’) Then, moments later, while at the A.T.M., the user unlocked the card using the mobile phone. The machine immediately accepted the card and dispensed cash.”87

86. Richard Burnett, “Debit Card ‘On/Off’ Switch Helps Keep Security Intact,” Wells Fargo Stories, April 28, 2017, https://stories.wf.com/debit-card-onoff-switch-helps-keep-security-intact.

87. Ann Carrns, “A Way to Lock Lost Debit Cards, from a Big Bank,” New York Times, February 3, 2016, https://www.nytimes.com/2016/02/04/your-money/a-way-to-lock-lost-debit-cards-from-a-big-bank.html.

In advertisements, the debit card lock is typically featured as a way for consumers to “turn off” their card if they notice it is physically missing. However, the tool can be used to reduce risk of payment card fraud in general. By giving consumers the ability to activate and deactivate a card number in seconds, banks have deployed a time-based security control.

Consumers now have the ability to leave card numbers “locked” most of the time, unlocking a card number for only the few minutes it takes to conduct a transaction. This, in turn, gives attackers a small window of opportunity, which dramatically reduces the value of the card number. Of course, many consumers will not take advantage of this feature, but for those who do, it is a powerful tool.

4.5.3.3 Identity Theft Protection Rackets

Identity theft protection services are an extension of credit monitoring, designed to help consumers detect identity theft. Many forms of identity theft protection services today also offer support for members who are victims of identity theft, including assistance with payment and identification card replacement, credit report clean-up, and similar services.

LifeLock, which was founded in 2005 after the publicity wave of the ChoicePoint breach, is one of the most well-known identity theft protection providers. The company has been plagued with controversy regarding the effectiveness of its services, as well as its ability to keep its own members’ data secure.

“I’m Todd Davis, CEO of LifeLock. My social security number is 457-55-5462,” stated a 2006 LifeLock advertisement, plastered with Davis’s photo. “Yes, that really is my social security number. No I’m not crazy. I’m just sure our system works. Just like we have with mine, LifeLock will make your personal information useless to a criminal. And it’s GUARANTEED.”

LifeLock ran a similar television ad campaign, featuring a truck that was painted with Davis’s SSN. The advertising campaign took off—but probably not in the way LifeLock’s marketing team had hoped. Over the next few years, Davis’s identity was stolen at least 13 times, by criminals who took out loans in his name, opened utility accounts, and even ran up a fraudulent $2,390 cell-phone bill with AT&T. Davis filed police reports and involved law enforcement to attempt to find and prosecute the criminals.

“Davis’ publication of his Social Security number created more victims than just himself,” reported the Phoenix New Times online magazine, which interviewed the frustrated Albany, Georgia, police department upon discovery of the AT&T fraud.88

88. Kim Zetter, “LifeLock CEO’s Identity Stolen 13 Times,” Wired, May 18, 2010, https://www.wired.com/2010/05/lifelock-identity-theft.

In 2010, LifeLock “agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.”89

89. Federal Trade Commission (FTC), “LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States That Identity Theft Prevention and Data Security Claims Were False,” press release, March 9, 2010, https://www.ftc.gov/news-events/press-releases/2010/03/lifelock-will-pay-12-million-settle-charges-ftc-35-states.

FTC Chair Jon Leibowitz made a damning statement about the company in an official FTC press release, saying that “[w]hile LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”90

90. FTC, “LifeLock Will Pay $12 Million.”

In addition, the FTC asserted that LifeLock did not take appropriate measures to secure customer information, exposing consumers who signed up for LifeLock’s services to additional risk.91

91. Federal Trade Commission v. Lifelock Inc., 2:10-cv-00530-MHM (D. Ariz. 2010), https://www.wired.com/images_blogs/threatlevel/2010/03/lifelockcomplaint.pdf.

4.6 Chronic Phase

“It is during [the chronic] stage that the carcass gets picked clean,” writes Fink. “If there is to be a congressional investigation, or an audit, or a newspaper expose, or a long period of interviews and explanations and mea culpas, this is when such malignancies settle in.”92

92. Fink, Crisis Management, 23–24.

4.6.1 Call in the Experts

ChoicePoint faced a multitude of investigations and legal actions. “The SEC had an investigation, the FTC had an investigation, [there was a] coalition of forty-four Attorney Generals . . . chaired by Vermont, Illinois and California. . . . We had lawsuits, a consumer class action, a derivative class action, 401(k) litigation,” Chris Cwalina rattled off the players one by one. “The coalition actually made things a little bit more manageable frankly, because at first we got inquiries from all these AGs, and then there was a coalition formed where we just then had the one sort of entity that we had to respond to on behalf of all of them. . . . [Congress] called a hearing, so we had executives that had to testify, PR, crisis management, external communications dealing with the press, dealing with class actions, dealing with the various regulators.”

“What did you learn from managing the ChoicePoint breach?” I asked.

“Dealing with a [data breach] adequately requires a large number of subject matter experts,” he responded immediately. Certainly by the time the ChoicePoint crisis reached the chronic phase, the company had pulled together an organized, well-managed response effort. It hired subject matter experts for each area of the breach response, with Chris as the “quarterback,” coordinating the various efforts.

“Privacy and cyber security practices didn’t exist back then,” said Chris. “So the company hired lawyers with expertise dealing with [attorneys general], or lawyers with expertise dealing with the FTC, or lawyers with expertise dealing with consumer class actions. Then we coordinated all those law firms, plus the factual investigations and the internal stuff.”

Times have changed since ChoicePoint’s breach. Today, when an organization suspects a breach, there are law firms with specialized data breach practices that maintain all the subject matter experts that you would need in-house. “Part of my idea for going into private practice was to go to a place where I could get as close to one stop shop as I could, be at a firm where I could have all the pieces necessary for a company [that] had a breach,” said Chris.

Quite often, the chronic phase of a data breach crisis lingers, much like a chronic cough. Executive teams might expect things to return to normal any day, while in reality customer relationships continue to need repairing, regulators need responses, and various other aspects of the crisis management must continue for long after the acute phase has passed. During the chronic phase, the key goal of the crisis management team is to maintain the response effort.

Don’t expect the response to end when the acute phase is over. The organization needs a long-term plan for managing all aspects of the potential ripple effects of the crisis, including:

  • Lawsuits

  • Increased scrutiny by regulators

  • Consumer relationship repair

  • Image repair campaigns

  • Media and public investigations

In the wake of a breach, you may need to budget long-term resources for staff to rebuild customer relationships, manage compensation programs, handle investigations and lawsuits, or execute other programs that you put in place.

4.6.2 A Time for Introspection

The chronic phase “is also a period of recovery, of self-analysis, of self-doubt, and of healing,” writes Fink.93 Indeed, much of the “opportunity” of a data breach comes from the natural introspection and subsequent investment in better practices that many organizations undertake after a breach.

93. Fink, Crisis Management, 24.

In the ChoicePoint breach, the introspection happened for many affected parties, from the company itself, to consumers, to the industry of data brokers, to the U.S. legislature. “The security breach that ChoicePoint discovered last fall in California has caused us to go through some serious soul searching,” said ChoicePoint CEO Derek Smith.94 The United States as a nation examined this new industry, data brokers, in order to understand the risks to consumers and push for greater transparency. The spotlight of the ChoicePoint crisis made the public much more aware of the growing new market—as well as the risks.

94. Jonathan Peterson, “Data Collectors Face Lawmakers,” Los Angeles Times, March 16, 2005, http://articles.latimes.com/2005/mar/16/business/fi-choice16.

“[T]he very existence of these vast information stockpiles—vulnerable to both error and poaching—has spawned a new area of worry and risk,” wrote the Wall Street Journal, echoing popular sentiment.95

95. Perez and Brooks, “For Big Vendor.”

4.6.3 Testifying before Congress

Amid growing concerns that information brokers were not effectively self-regulating, the Senate Judiciary Committee initiated an inquiry. The executives of ChoicePoint, as well as competitors from Acxiom and LexisNexis, testified before Congress at a hearing on April 15, 2005, on “Securing Electronic Personal Data.” In this hearing, Senator Feinstein grilled the executives to determine whether the California law had an impact on breach disclosure. Below is an excerpt of the transcript from that historic hearing:96

96. C-SPAN, “Securing Electronic Personal Data,” C-SPAN, video, 2:32:49 min, posted April 13, 2005, https://www.c-span.org/video/?186271-1/securing-electronic-personal-data.

Senator Feinstein. . . . The California law went into effect in 2003. I would like to ask each of the people here representing companies to indicate if, prior to 2003, you had a breach and did not notify people. Mr. Sanford?

Mr. Sanford [LexisNexis]. I believe there were security breaches in the business that I acquired that I mentioned, Seisint. I believe there may have been a security breach in LexisNexis prior to 2003, that may have involved personally identifiable information, and we did not make notice prior.

Senator Feinstein. Thank you. I appreciate the honesty. Mr. Curling?

Mr. Curling [ChoicePoint]. Yes, ma’am, I previously indicated there was a breach that we didn’t notify them.

Senator Feinstein. Thank you. Ms. Barrett?

Ms. Barrett [Acxiom]. The breach that we had in 2003 did span the enactment of the law in July. Our obligation as a provider since the breach did not involve our—

Senator Feinstein. My question is, did you have a breach prior to the 2003 law going into effect?

Ms. Barrett. Yes, the breach that we had did span it, but we did provide notice to our clients.

Senator Feinstein. Thank you. This is my point: If it weren’t for the California law, we would have no way of knowing breaches that have occurred. It is really only because of that law that we now know. We in no way, shape or form are able to pierce the depth of what has happened in this industry.

4.7 Resolution Phase

The “resolution” stage is when “the patient is well and whole again,” says Fink. He cautions, however, that “crises historically evolve in cyclical fashion, and a crisis sufferer almost never has the luxury of dealing exclusively with one crisis at a time.”97 Data breaches often involve multiple “crises,” which tend to stem from similar deficiencies.

97. Fink, Crisis Management, 28.

4.7.1 The New Normal

When a data breach occurs, what does it mean to be “well and whole”? Things will never be exactly the way they were before the breach. Your organization will be different after a breach. You can’t control that fact; but you can control, to a certain extent, how it evolves and what it becomes. ChoicePoint itself went through a major adaptation process—something that it had not done effectively after suffering earlier breaches. In Senate hearings, ChoicePoint’s president admitted that “between 45 and 50” similar breaches had occurred previously.98 The media reported that ChoicePoint had suffered an earlier, similar breach in 2002, perpetrated by a pair of Nigerian criminals.99

98. Evan Perez and Rick Brooks, “For ChoicePoint, a Theft Lays Bare the Downside,” Pittsburgh Post-Gazette, May 3, 2005, http://www.post-gazette.com/business/businessnews/2005/05/03/For-ChoicePoint-a-theft-lays-bare-the-downside/stories/200505030214 (accessed January 7, 2018).

99. “ChoicePoint Reported to Have Had Previous ID Theft,” Insurance Journal, March 3, 2005, http://www.insurancejournal.com/news/national/2005/03/03/52108.htm.

According to the FTC, even though law enforcement alerted ChoicePoint multiple times to these earlier breaches, the company failed to “monitor or otherwise identify unauthorized activity.” The company simply had not learned from prior breaches—likely because it was not required to notify consumers, and therefore there was no great public outcry.

ChoicePoint’s failure to adapt after the 2002 breach left it vulnerable in the years to come, as the risks of identity theft and data breaches continued to intensify.

4.7.2 Growing Stronger

When the 2005 crisis hit, ChoicePoint was finally forced to adapt, due to pressures from the public, regulators, shareholders, and others. The company launched an internal reorganization, creating a “chief credentialing, compliance and privacy officer” position, which reported directly to the board of directors. It even changed its business model—to an extent. “At ChoicePoint, damage control eventually kicked in. The company announced that it would ‘discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver’s license numbers, except where there is a specific consumer-driven transaction or benefit’ or law enforcement purpose.”100 As per the consent decree that it was eventually subjected to, the company was required to implement stronger security measures and conduct routine third-party security audits.

100. Scalet, “Five Most Shocking Things.”

The company was also financially damaged by the data breach: “its stock price fell 3.1% on the day the breach was reported, and then continued to fall.” Two years later, shares were still worth only 80% of the pre-breach value.101 ChoicePoint may not have had to worry as much about brand damage as a consumer-facing company would, since (as Chris Cwalina pointed out) “not a lot of people knew who ChoicePoint was in the first place.”

101. Khalid Kark, “The Cost of Data Breaches: Looking at the Hard Numbers,” Tech Target, March 2007, http://searchsecurity.techtarget.com/tip/The-cost-of-data-breaches-Looking-at-the-hard-numbers.

Ultimately, ChoicePoint moved past its data breach crisis. According to Gartner, the company “transformed itself from a poster child of data breaches to a role model for data security and privacy practices.”102

102. Jon Swartz and Byron Acohido, “Who’s Guarding Your Data in the Cybervault?” TechNewsWorld, May 17, 2007, http://web.archive.org/web/20070517203855/http://www.technewsworld.com/story/56709.html.

This is consistent with Chris Cwalina’s view of what occurred. “ChoicePoint senior leaders and employees really came together to turn a challenging event into a positive force,” he mused. “They put a lot of resources into improving and further building a compliance and privacy function. They brought in a lot of new people and relied on an existing large group of really talented employees to improve. I think that they did a really good job in that regard. It was not like senior execs said, ‘This is no big deal. We’re not going to bother with this.’ Everyone involved actually cared quite deeply about what occurred, and put a lot of time, effort and resources into it.”

ChoicePoint was acquired in 2008 for $4.1 billion by Reed Elsevier, the parent company of LexisNexis.

4.7.3 Changing the World

Security expert Bruce Schneier pointed out that the economics did not incent data brokers to protect consumer data. “The hundreds of millions of people in ChoicePoint’s databases are not ChoicePoint’s customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. . . . ChoicePoint doesn’t bear the costs of identity theft, so ChoicePoint doesn’t take those costs into account when figuring out how much money to spend on data security. In economic terms, it’s an ‘externality.’”103

103. Schneier, “ChoicePoint.”

The ChoicePoint case illustrated to the U.S. public and legislators that:

  • Absent laws, information brokers did not effectively protect consumer information from exposure.

  • Information brokers would not notify consumers of a data breach out of the goodness of their hearts, but instead required clear legal and/or financial incentives.

  • Breach notification legislation worked, at least in some cases.

“Responsible handling of such records is every bit as important a public safety issue as is the proper disposal of hazardous waste,” wrote Atlanta pundit Scott Henry in the aftermath of the ChoicePoint breach. “If it turns out that ChoicePoint’s gross negligence doesn’t violate current law, the laws are clearly inadequate. It’s encouraging that legislators in Georgia and around the country are already drafting laws that would help prevent—or at least provide reasonable notification of—a similar security breach.”104

104. Scott Henry, “ChoicePoint,” Creative Loafing, February 23, 2005, http://www.creativeloafing.com/news/article/13017248/choicepoint.

As a result of the ChoicePoint breach, laws across the United States were enacted to hold organizations accountable for notifying consumers of a breach, therefore also indirectly providing incentive to reduce breaches. By June 2005, 35 states had introduced data breach notification laws, and at least 22 states had enacted laws by October of that same year.105

105. Milton C. Sutton, Security Breach Notifications: State Laws, Federal Proposals, and Recommendations (Moritz College of Law, Ohio State University, 2012), 935, http://moritzlaw.osu.edu/students/groups/is/files/2012/02/s-sutton.pdf.

The World Privacy Forum later called ChoicePoint “the Exxon Valdez of privacy.” While many breaches have been compared to the Exxon Valdez crisis, the ChoicePoint case is perhaps its closest equivalent. Like the Exxon Valdez spill, ChoicePoint wasn’t the first disaster of its type or the biggest (not even close). It was, however, the most visible to the American public and resulted in the creation of new laws and greater oversight. The ChoicePoint breach helped the public understand that organizations require clear incentives in order to act in the best interest of the public.

In other words, the ChoicePoint breach didn’t just change ChoicePoint. It changed the data brokerage industry and the world.

4.8 Before a Breach

Now that we’ve analyzed a data breach crisis from beginning to end, inside and out, let’s go back to the beginning. What could ChoicePoint have done to handle its breach more effectively?

Data breaches represent crises, which by their nature are often fast moving and unpredictable. “You need to be ready in advance and take time to prepare with a multidisciplinary team,” said Chris Cwalina. For ChoicePoint, a major failing was simply that it had not developed any crisis management plans for recognizing or responding to a potential data breach. As a result, it stumbled over and over—particularly in the prodromal and acute phases, which require a quick response.

“The lack of a plan or the infrastructure to handle a data breach created problems in disseminating information and handling public relations,” observed researchers from North Carolina State University who analyzed the ChoicePoint breach.106

106. Otto, Antón, and Baumer, “ChoicePoint Dilemma.”

But where does planning start? The fundamental problem at ChoicePoint—and indeed, in many organizations—is that no one had been tasked with oversight for data breach crisis planning in the first place.

4.8.1 Cybersecurity Starts at the Top

The data breach crisis planning process is most effective when it is driven from the executive level, and managed by a risk officer or chief information security officer (CISO), outside of IT. Ideally, it should be integrated with an enterprise crisis management effort.

It turned out that ChoicePoint had never assigned responsibility for managing information holistically, throughout the enterprise. As a result, ChoicePoint’s team was not only forced to create response procedures on the fly; they even created whole positions that, in retrospect, should already have existed. For example, the notification letter that ChoicePoint sent to consumers was signed “J. Michael de Janes, Chief Privacy Officer.”

CSO magazine pointed out that de Janes was “actually the general counsel for ChoicePoint. His description of responsibilities on the ChoicePoint website does not include privacy. It seems that ChoicePoint just needed a privacy officer, and fast.”107

107. Scalet, “Five Most Shocking Things,” 29.

The company did have a very accomplished CISO at the helm: Rich Baich, who had been named “Information Security Executive of the Year in Georgia” during 2004, “in recognition of his accomplishments in the realm of information security.”108 He was a Certified Information Systems Security and Privacy Professional (CISSP) and also a Certified Information Security Manager. His book, Winning as a CISO, was (ironically) published in June 2005, while the ChoicePoint crisis still burned.

108. “ChoicePoint CISO Named Information Security Executive of the Year in Georgia 2004,” Business Wire News, March 19, 2004, https://www.businesswire.com/news/home/20040319005030/en/ChoicePoint-CISO-Named-Information-Security-Executive-Year.

When the ChoicePoint data breach erupted, Baich was publicly roasted and called a “fraud and discredit to the position of the CISO.” He responded by pointing out that the breach was not a “hack,” arguing that issues with customer vetting processes were not his responsibility.

“Look, I’m the chief information security officer. Fraud doesn’t relate to me.”109

109. Scalet, “Five Most Shocking Things.”

And indeed, it didn’t. Despite the fancy title (“Chief”), ChoicePoint’s CISO was siloed inside the IT department, which was fully separate from the business unit that handled customer vetting and access policies. Although on paper ChoicePoint had someone who might appear to be “in charge” of information security, in reality, due to Baich’s placement within the organization, it was not possible for him to manage information security or coordinate a breach response across all business units, as was truly necessary.

Cybersecurity incident response teams have traditionally been built and led from within the IT department. This might have made sense when most cybersecurity incidents were handled by IT staff, without major risk to the organization as a whole. Viruses, spam, inappropriate use, equipment loss—all of these cases were once handled within IT, with little planning or involvement from other departments.

Over the years, as data breaches have become more of a concern, organizations have started to realize that planning for data breaches must be a coordinated effort involving stakeholders from across the organization. While your IT department may be perfectly capable of managing the technical aspects of a data breach, it is rarely the case that an IT manager is in a position to effectively plan for or manage an enterprise-wide crisis response strategy, which typically involves a diverse team such as representatives from legal, public relations, human resources, risk management, executive management, and other departments. Furthermore, since data breaches often expose flaws within IT (including process deficiencies, resource allocation issues, and more), it is often most effective to have data breach planning managed by a team outside the IT department, thereby reducing the potential for conflict of interest.

“Information Security should [not] necessarily be under IT,” said Chris Cwalina. “Incident response is in essence a risk management function. And an incident response team should have appropriate support and visibility in the organization or it will be difficult to make progress. Also, it is so important for legal to be part of the incident response function and investigative process. Security analysts and lawyers need to spend a lot of time together and learn to speak one another’s language. This is critical.”

“[T]he CISO can’t just work in the tech space,” said Michael Assante, chief security officer (CSO) of American Electric Power. “They have to start looking at business processes.”110

110. Scalet, “Five Most Shocking Things.”

“[T]he extent to which fingers are pointed at [Baich] speaks volumes about how broadly CISOs have come to be regarded as protectors of information, no matter the threat,” wrote CSO magazine. “[W]hat happened reflected a wholesale failure of ChoicePoint’s approach to security governance.”111 ChoicePoint had never fully evaluated or addressed the risks of a data breach at a holistic, enterprise level. This gap stemmed directly from the fact that ChoicePoint had never assigned responsibility for doing so to a person who had an appropriate breadth of access within the organization. Despite CSO magazine’s damning assessment of ChoicePoint’s information security program, this failure is repeated over and over in organizations everywhere, even to this very day.

111. Scalet, “Five Most Shocking Things.”

In order to successfully manage cybersecurity, and its sister, data breach response, an executive-level person needs to be engaged, with oversight by the board of directors or other top stakeholders. All too often, we give a person responsibility for “information security,” but it cannot truly be meaningful unless that person is placed high enough in the organization to actually oversee information management across the whole enterprise.

Within a month of ChoicePoint’s breach notification, the company announced that it had hired Carol DiBattiste, former deputy administrator of the U.S. Transportation Security Administration, to take on the new role of “chief credentialing, compliance and privacy officer” for the company. This new role reported directly to the board of directors. “[W]e need a strong voice outside the day-to-day business that is responsible for customer credentialing, compliance and privacy,” said John Hamrem, chair of ChoicePoint’s privacy committee. “Having a person of Carol’s stature join us is vital to our efforts to have the kind of policies, procedures and compliance programs that build confidence as well as set a standard for the industry.”112

112. Associated Press, “ChoicePoint Names DiBattiste Chief Credentialing, Compliance and Privacy Officer,” Atlanta Business Chronicle, March 8, 2005, https://www.bizjournals.com/atlanta/stories/2005/03/07/daily6.html.

4.8.2 The Myth of the Security Team

Cybersecurity and data breach response aren’t solo efforts. Large organizations typically have an information security team, which is tasked with both proactive cybersecurity and incident response.

Data breaches, however, are crises that reverberate throughout the organization—and beyond. They cannot be designed or executed solely by the “information security team,” however convenient that might seem. Response planning efforts must reflect the crisis itself and involve stakeholders throughout the organization and out into the broader ecosystem, such as:

  • Legal

  • Public relations

  • Customer relations

  • IT

  • Cybersecurity team

  • Insurance

  • Human resources

  • Physical security

  • Finance

  • Executive team

  • Board of directors

  • Forensics firms

  • Customers

  • Former IT staff

  • Key vendors/suppliers

When developing a data breach crisis response function, management must engage all of the key stakeholders regularly. The frequency and depth of involvement varies for each stakeholder, but in order for crisis response plans to be effective, this involvement must be ongoing throughout the lifespan of the organization.

4.9 Conclusion

ChoicePoint was a catalyst for change. From a historical perspective, the crisis was game changing, resulting in a dramatic shift in public perception, new laws, and even the birth of the term “data breach.”

The ChoicePoint breach also demonstrates the importance of developing your data breach crisis management function in advance and ensuring that it is aligned with your organization’s key risks. The breach was far more explosive and impactful because of the company’s lack of response, particularly in the early stages of the crisis. At the same time, the company did, suddenly, adapt midcrisis and was able to manage the chronic phase effectively, which helped to restore confidence and value.

In this chapter, we analyzed the ChoicePoint breach in the context of Steven Fink’s four stages of a crisis:

  • Prodromal

  • Acute

  • Chronic

  • Resolution

We also reviewed the capabilities that your organization needs to have in place in order to manage your data breach crisis:

  • Develop your data breach response function.

  • Realize that a potential data breach exists by recognizing the signs and escalating, investigating, and scoping the problem.

  • Act quickly, ethically, and empathetically to manage the crisis and perceptions.

  • Maintain data breach response efforts throughout the chronic phase, and potentially long-term.

  • Adapt proactively and wisely in response to a potential data breach.

The ChoicePoint crisis teaches us that, as the name implies, we have choices at each stage of the crisis. An organization, however, is not an individual, and it requires coordination and planning in order to ensure that smart decisions are made and acted upon.
