ChoicePoint
Essay by 24 • January 28, 2011 • 3,688 Words (15 Pages) • 1,116 Views
Introduction
Based in Alpharetta, Georgia, ChoicePoint was formerly a struggling insurance services unit of Equifax. Derek Smith successfully trimmed its labor-intensive operations and replaced them with technologically based ones, which resulted in both higher growth and higher margins. This allowed the company to spin off from Equifax and become publicly traded in 1997.
The company’s initial focus was data services for the insurance industry. As its business matured and expanded, ChoicePoint also entered into non-insurance markets and was able to consolidate fragmented industries through acquisition and integration.
ChoicePoint tapped various public and private sources to gather data, assembled it into proprietary databases, and sold products primarily to Fortune 1000 companies, but also smaller businesses, law firms, private investigators, law enforcement, and individuals.
Their services included: background checks and drug testing on job applicants, personal public records, and background checks on service providers.
Issue Statement
The company recently faced lawsuits and industry criticism due to the inaccuracy, breach, and misuse of personal data. As concerns about security and privacy in the data industry grow, new and stricter regulations and laws are likely to be passed, which may threaten the company’s profit and future.
In the sections below, we will discuss those issues and the industry’s critics, as well as the legitimacy of their criticisms. We will also give recommendations and advice to CEO Derek Smith about how to overcome the issues and address the concerns to ensure ChoicePoint will remain a trusted data resource that provides value and convenience to businesses and individuals.
Case Analysis
Even with all of ChoicePoint’s accomplishments and the useful services it provided, the company had its fair share of critics. Our analysis is based on this criticism of ChoicePoint and the data brokerage industry in general. With the ultimate goal of individual privacy and information security, we focused on the article “Management’s Role in Information Security,” which describes the difference between security and privacy. “Privacy deals with the degree of control that an entity, whether a person or organization, has over information about itself. Security deals with the vulnerability of unauthorized access to the content” (Dutta, 68). For the privacy issues we looked at the legal and regulatory landscape without trying to analyze morals, and for the security issues we focused on the Three Components of a Balanced Approach to Organizational Security, which is shown below. “This approach specifically recognizes the three cornerstones identified in the diagram, enabling senior management to address security as the socio-technical problem that it really is” (Dutta, 73).
Criticism 1: Identity Theft
In 2005, much of the criticism centered around data brokers’ contribution to identity theft. “By hacking into data brokers’ computer systems, or more simply, by posing as legitimate customers and buying the information, thieves could gain access to consumers’ identifying information—their names, Social Security numbers, and mothers’ maiden names” (CP, 5).
Organizational Security Gaps: Organization & Technology
Thieves hacking into data brokers’ systems brings into question the technology of the brokers. We question the current data brokers’ “‘Defense in Depth,’ including firewalls, intrusion detection software, password protection, key encryption, escrow accounts, authentication, secure servers, and virtual private networks” (Dutta, 78).
The ability of a thief to pose as a legitimate customer and purchase the information may be an even bigger issue. This can be linked to the organization cornerstone, where data brokers like ChoicePoint appear as though they are not helping employees understand just how important data security is. While ChoicePoint used a “credentialing process” to ensure the legitimacy of clients, it was a single-page application and they never revoked a customer. There are clearly some major gaps in the process that need to be addressed.
Criticism 2: Data Inaccuracies
Another issue from critics focused on inaccuracies in the industry’s records. Examples show that, based on false information provided by ChoicePoint, one employee was fired from a company and another person applying for a job was denied employment. “Another incident involved a ChoicePoint subsidiary charged with having supplied the state of Florida with a list of individuals mistakenly identified as felons. The state used the list to purge its voter rolls in the 2000 presidential election—thus depriving individuals of their constitutional right to vote.” (CP, 5).
Organizational Security Gaps: Organization & Critical Infrastructures
ChoicePoint claims that they gave employees (but not independent contractors) a training manual which taught “investigatory procedures,” but when this was examined during a court case, the process was declared to be “opaque.” Clearly, if ChoicePoint had procedures in place that only applied to employees and not independent contractors working for the company, they left a big gap in the organization cornerstone.
It would appear as though “senior management’s role to provide the leadership that establishes security as an important issue in the organization,” (Dutta, 77) was not in place. In addition, the proper scrutiny was not given to security procedures to ensure that they would serve their purpose.
Also, based on the presumptions made by brokers about the accuracy of records they received from public records, there was not enough government-industry collaboration taking place to share concerns, incidents, and vulnerabilities around their data.
Criticism 3: Outdated Data
The next issue from critics was based around outdated data. Many states updated their
...
...