The ChoicePoint Attack – Case Study. Team F Susan Crowley Nafisah Hunter Beata Kolodziej Ingrid...

Date posted: 21-Dec-2015

Page 1: The ChoicePoint Attack – Case Study. Team F Susan Crowley Nafisah Hunter Beata Kolodziej Ingrid Macias Toni Steiner Maria Velasco.

The ChoicePoint Attack – Case Study

Team F

• Susan Crowley
• Nafisah Hunter
• Beata Kolodziej
• Ingrid Macias
• Toni Steiner
• Maria Velasco

Toni

• ChoicePoint exposed itself to considerable expense, problems and possible loss of brand confidence.

• What are the ethical issues?
• What is ChoicePoint’s response?
• Did ChoicePoint choose wisely?

• Full disclosure
  o Legal
    California Security Breach Notice Law
    Security Freeze Law
    www.annualcreditreport.com
    www.consumersunion.org/campaigns/Breach_laws_May05.pdf
    www.consumer.gov/idtheft.com
    www.privacyrights.org

• Consider the question from the viewpoint of
  o Customers
    The customers had a right to know that their information had been compromised.
    It was the morally right thing for ChoicePoint to do.
  o Law enforcement personnel
    Law enforcement personnel needed to know so that they could conduct their own investigation and possibly catch the criminals.
  o Investors
    The price of their stock would decline when the news was disclosed, but in the long term it would help that ChoicePoint did not hide the facts.

• Management
  o Senior management must make prudent decisions in light of available information.
  o They must consider the factors and take cost-effective action to reduce probable losses.
    Every company must periodically evaluate its security program.

• A corporation has obligations, not just to its stockholders, but also to all the other constituencies that affect or are affected by its behavior, that is, to all parties that have a stake in what a corporation does or doesn’t do.

• Corporations have responsibilities beyond simply enhancing their profits because, as a matter of fact, they have such great social and economic power in our society.

• With that power must come social responsibility.

Beata

• Given ChoicePoint’s experience, what is the likely action of similar companies whose records are compromised in this way?
  - This crime is an example of a failure of authentication, not a network break-in; ChoicePoint's firewalls and other safeguards were not harmed.
  - The likely action that similar companies should take to avoid such problems in the future could be issuing more authentication methods, for example: include a username, a password, and some sample questions whose answers will be known only to a given individual.
  - Also, evaluating the security program of the given company at a given time.
  - Keeping an eye on the activity of the accounts so that every abnormality will be quickly spotted.

• Given your answer, do you think federal regulations and additional laws are required?
  - Given that the level of identity theft in this country is increasing even though companies are trying to find security solutions for it, there is a definite need for tougher laws that will protect people when information about them is stolen, or when somebody simply uses that information without their consent.
  - Regulations must be clear that identity theft is a serious crime, and that there is a punishment for those who commit it.

• What other steps could be taken to ensure that data vendors notify people harmed by data theft?
  - security needs to be applied closely to the information it is protecting to be effective
  - make the information less available for "third parties" google documents
  - ensuring that protection cannot be arbitrarily removed by end-users or system administrator
  - controlling access and usage privileges

Ingrid

• Visit http://choicepoint.com
• Summarize the products that ChoicePoint provides.
• What seems to be the central theme of this business?

Business and Non-Profit Solution

LexisNexis® Risk Solutions delivers comprehensive credentialing, background screening, authentication, direct marketing and public records services to businesses and nonprofit organizations.

Government Solutions

LexisNexis® Risk Solutions provides information, analysis and distribution solutions to advance the efforts of law enforcement, public safety, health care, child support enforcement, entitlement and other public agencies.

Central theme

LexisNexis Risk Solutions delivers actionable intelligence to help clients make critical business decisions with confidence and speed. Their solutions are designed to serve the multi-billion dollar risk information industry, which includes professionals and organizations in areas such as insurance, law enforcement...

Nafisah

• Review the security policy material in this chapter and reflect on an appropriate program policy for ChoicePoint.

• Describe why ChoicePoint needs a security policy.

• Who and what should be governed by such a policy?

• Consider not only employees, but also
  o Data subjects
  o Customers
  o Data sources
  o Partners

Why ChoicePoint Needs a Security Policy?

ChoicePoint needs a security policy in order to meet its business mission, which is to provide risk-management and fraud-prevention data. ChoicePoint's most important asset is information. Data sources must feel confident that ChoicePoint can ensure the confidentiality, integrity and availability of this asset. Security should be integrated into ChoicePoint's business processes to protect information and assets that support its business.

Goal of Security Program

To protect information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Assets to be protected are computer facilities, programs, and sensitive data. This policy will ensure the enforcement of security programs and policies. The Office of the Chief Information Officer will be responsible for managing security programs and policies.

Who will be governed by the security policy?

• Employees
• Customers
• Data Sources (public & private)
• Partners (City of Denver's Vital Records Dept)
• Data Subjects (those on whom data is maintained)

Human Safeguards ChoicePoint Should Consider

• Customers would have to enter into contracts that set up security measures that are appropriate to the sensitivity of the data they are supplied.
• Customers would be subjected to screening / background checks for authenticity of their business.
• Customers receive security training
• Provide accounts and passwords for customers (low security level and temporary access)

Susan

• Suppose that ChoicePoint decides to establish a formal security policy on the issue of inappropriate release of personal data.

• Summarize the issues that ChoicePoint should address.
