Loss of customer data is a major risk for businesses. In 2005, the records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company’s database of personal information.

In this article from PC World, the organization’s CIO explained how it recovered and offered lessons other enterprises that handle sensitive data can learn from ChoicePoint. He offered a five-step plan to CIOs looking to shore up their data security and privacy systems, based on what ChoicePoint has done.
The first step is governance. ChoicePoint has a chief privacy officer who reports directly to a board that governs privacy and public responsibility, bypassing the rest of the corporate structure.
The second step is to clearly define expected behavior and provide tools to employees to simplify compliance. ChoicePoint instituted a number of practices to monitor potentially fraudulent customer behavior, such as investigating companies that suddenly increase the number of background checks they run by a large margin.
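The monitoring practice in the second step, as an added example that is not from the PC World article or from ChoicePoint: a small Python detector that flags accounts whose daily background-check volume jumps far above their own recent baseline, producing a queue for human investigation. The account ids, dates and counts are constructed sample data, and the thresholds (a five-day window, a 3x ratio and a 20-check floor) are assumptions for illustration, not ChoicePoint's parameters.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: daily background-check volume per customer account
# as (account id, ISO date, checks run that day). Not ChoicePoint's data.
SAMPLE_COUNTS = [
    ("acct-1001", "2005-02-01", 12), ("acct-1001", "2005-02-02", 10),
    ("acct-1001", "2005-02-03", 11), ("acct-1001", "2005-02-04", 13),
    ("acct-1001", "2005-02-05", 12), ("acct-1001", "2005-02-06", 95),
    ("acct-2002", "2005-02-01", 40), ("acct-2002", "2005-02-02", 44),
    ("acct-2002", "2005-02-03", 38), ("acct-2002", "2005-02-04", 41),
    ("acct-2002", "2005-02-05", 45), ("acct-2002", "2005-02-06", 52),
    ("acct-3003", "2005-02-01", 1),  ("acct-3003", "2005-02-02", 0),
    ("acct-3003", "2005-02-03", 1),  ("acct-3003", "2005-02-04", 0),
    ("acct-3003", "2005-02-05", 1),  ("acct-3003", "2005-02-06", 4),
]


@dataclass(frozen=True)
class VolumeAlert:
    account: str
    day: str
    checks: int
    baseline: float  # mean daily checks over the account's prior window


def find_volume_spikes(counts, window_days=5, ratio=3.0, min_checks=20):
    """Return alerts for days on which an account's check volume jumps far
    above its own recent baseline.

    A day is flagged only when its count is at least `ratio` times the mean
    of the account's previous `window_days` days AND at least `min_checks`,
    so a tiny account going from 1 to 4 checks is not flagged. Days with
    fewer than `window_days` of prior history have no baseline and are
    skipped; a brand-new account has nothing to compare against yet.
    Thresholds are assumed values for illustration.
    """
    by_account = defaultdict(list)
    for account, day, n in counts:
        by_account[account].append((day, n))

    alerts = []
    for account, series in by_account.items():
        series.sort()  # ISO dates sort chronologically as strings
        for i in range(window_days, len(series)):
            day, n = series[i]
            prior = [n_prev for _, n_prev in series[i - window_days:i]]
            baseline = sum(prior) / window_days
            if n >= min_checks and n >= ratio * baseline:
                alerts.append(VolumeAlert(account, day, n, baseline))
    return alerts


if __name__ == "__main__":
    for alert in find_volume_spikes(SAMPLE_COUNTS):
        print(f"{alert.account} on {alert.day}: {alert.checks} checks "
              f"vs baseline {alert.baseline:.1f}/day -> investigate")
```

The baseline is per account rather than global so that a large, legitimately busy customer does not mask a small account that suddenly starts pulling hundreds of records; the ratio catches the relative jump and the absolute floor keeps noise from low-volume accounts out of the queue. The output is a list to investigate, matching the article's description of the practice, not an automatic block.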
Third, a company should write information security breach response policies and procedures, spelling out who should be notified in case of a breach and what the company should do for affected customers. After ChoicePoint’s breach, the company offered free credit monitoring, credit reports and identity-theft insurance to the victims.
Fourth, determine the credentials of people you work with and who work for you.
The last step he recommended is embracing openness. ChoicePoint developed a Web site detailing the steps it takes to protect privacy, and developed another site that lets consumers find out what information ChoicePoint maintains about them in its files — if they can sufficiently authenticate their identities, of course.