By Don Peppers and Martha Rogers, Ph.D., INSIDE 1-to-1 Privacy, December 14, 2006
Of all the privacy/security breaches that came to light
over the past few years, few seemed to shake consumer and
corporate confidence more than the one that hamstrung data
giant ChoicePoint. Perhaps it had to do with the surprising
simplicity of the violation – the firm allowed scammers
posing as legitimate small businesses to access its data.
The firestorm was swift and certain as privacy and security
critics hammered the company like they had few others.
But many experts probably are scratching their heads now
that former ChoicePoint critics repeatedly have praised the
firm for the steps it took in the wake of the privacy/security
crisis. How is it possible that a company that, only a year
ago, was the not-so-proud recipient of a “Lifetime Menace
Award” from Privacy International can now be celebrated
as one of the business world’s most vigilant privacy
and security practitioners?
To hear Carol DiBattiste tell it, ChoicePoint really had
no other choice. DiBattiste, who joined the company as Chief
Credentialing, Compliance and Privacy Officer in April 2005
and has since been elevated to General Counsel/Chief Privacy
Officer, was charged by the company’s top execs with
taking a thorough and comprehensive look at its practices.
“They were committed to turning it around,” DiBattiste
said. “They were going to fix things in whatever way
they had to, expending whatever resources they had to.”
The privacy/security revival began even before DiBattiste
arrived. Immediately after the company became aware of the
breach, it significantly curtailed the access of certain customers
to the most sensitive information (Social Security and drivers’
license numbers). The decision essentially cut off certain
types of customers, such as private investigators and other
similar small businesses, entirely. It cost ChoicePoint $15
to $20 million and its competitors remain more than happy
to provide that service.
When DiBattiste assumed control of the process, she brought
in Ernst & Young’s privacy team and invited input
from individuals within ChoicePoint’s other business
units. Her first task was to strengthen the firm’s credentialing
process for would-be customers. She centralized the credentialing
team at the firm’s Alpharetta, Georgia, headquarters
(previously, people within the geographically diverse business
units had handled the task) and led the effort to re-credential
all customers, save for law-enforcement agencies and public
companies.
The credentialing process now involves two checklists, one
designed to definitively verify the identity and trustworthiness
of customers and another for customer site visits. “If
they fail either, they’re denied access to our data.
It’s over,” she said.
ChoicePoint also has overhauled its privacy and security
policies, bolstering procedures that cover everything from
physical- and remote-access security to incident response
to data destruction. Most stringent is the third-party service
provider policy. Fearing that individuals who enter ChoicePoint
facilities could be exposed to sensitive personal information,
the firm now asks vendors to fill out a 24-question self-assessment
questionnaire. Vendors that don’t give privacy and security
training to employees who potentially could come into contact
with ChoicePoint information, for example, no longer make
the cut.
DiBattiste led the charge on the audit/compliance front as
well. “You can have all the credentialing and policies
you want, but what’s the point if you’re not checking
to see if they work?” she said.
Finally, ChoicePoint moved to better educate its own employees.
The company now asks staffers to complete mandatory privacy,
information security and code of conduct training programs.
New employees must complete the programs within 30 days of
being hired; all employees are tested on the procedures, with
an 80 percent score required for a passing grade.
As for other companies that find themselves compromised on
the privacy/security front, DiBattiste offers three nuggets
of advice. First, every company – not just ones that
regularly traffic in personal data – should have policies
and procedures in place. Second, transparency in the immediate
wake of a breach is crucial, as are communications about any/all
steps that are being taken to right a wrong. Third, constant
vigilance – whether via regular audits or other practices
– remains key. “You have to do it. You have to
check,” DiBattiste stressed. “Companies always,
always need to be worried about this.”