ChoicePoint lessons learned.
by Swartz, Nikki
After its involvement in a headline-grabbing 2005 data breach that
compromised the records of 163,000 people, ChoicePoint has since turned
itself into a role model for how to do data security and privacy right.
So much so that the company, which provides data used in background
checks, now is sharing its experience and advice on securing
consumers' personal information.
It's a remarkable turnaround. After ChoicePoint handed over
sensitive data about individuals in its database to criminals pretending
to be clients, the company paid $10 million in civil penalties and $5
million to consumer victims. The company, which settled separately with
43 states over the breach, also decided to limit the sale of information
products containing sensitive consumer data, such as Social Security and
driver's license numbers, according to a Network World report.
As a result, ChoicePoint left what was a more than $15 million
business serving small and medium accounts because it could not
adequately confirm the credentials of those customers in a
cost-efficient manner, Daniel Lemecha, ChoicePoint's chief
information officer and senior vice president, said, speaking at the 2007
IDC IT Forum & Expo in Boston. Over the past 24 months, he said,
ChoicePoint has gone through more than 80 external audits.
In April, a Gartner analyst told USA Today that ChoicePoint has
"transformed itself from a poster child of data breaches to a role
model for data security and privacy practices."
At the IDC IT Forum, according to Network World, Lemecha offered a
five-step plan based on ChoicePoint's actions for securing data and
privacy systems:
1. Governance: ChoicePoint's chief privacy officer reports
directly to a board that governs privacy and public responsibility,
bypassing the rest of the corporate structure, according to Lemecha. The
board is briefed quarterly on progress improving privacy and security,
and several other committees are responsible for more specific oversight
roles. The company also has several divisions that handle privacy and
security from different angles, such as a corporate credentialing
center, a compliance and privacy division, and internal auditing. One
group or department cannot do it all, Lemecha said.
2. Clearly define expected behavior and provide tools to simplify
compliance for employees: ChoicePoint implemented new practices for
monitoring potentially fraudulent customer behavior, such as
investigating companies that suddenly increase the number of background
checks they run by a large amount.
3. Create data breach response policies and procedures: Who should
be contacted in the event of a breach, and what should the company do
for affected customers? After its breach, ChoicePoint offered victims
free credit monitoring, credit reports, and identity theft insurance.
4. Determine the credentials of those you work with and those who
work for you: Lemecha advised background checks for employees on a
regular, ongoing basis, rather than just at the point of hire.
5. Embrace openness: ChoicePoint's website now lists the steps
it takes to protect privacy. The company developed another site that
lets consumers see what information ChoicePoint maintains about them in
its files.
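A concrete form of the customer-volume monitoring described in step 2, as an added example that is not the article's or ChoicePoint's own code (the log entries, account names, window and threshold are constructed for illustration): each customer's daily background-check count is compared against the median of its own recent days, and a sudden jump is raised for review.

```python
"""Flag customers whose daily background-check volume spikes.

Added example, not from the article or ChoicePoint. It implements the idea
in step 2: compare each account's daily count with its own recent baseline
and surface sudden increases for a credentialing review.
"""
from collections import defaultdict
from statistics import median

# Constructed sample access log: (date, customer_id, checks_run).
SAMPLE_LOG = [
    ("2007-06-01", "acct-A", 12), ("2007-06-02", "acct-A", 15),
    ("2007-06-03", "acct-A", 11), ("2007-06-04", "acct-A", 14),
    ("2007-06-05", "acct-A", 13), ("2007-06-06", "acct-A", 140),
    ("2007-06-01", "acct-B", 40), ("2007-06-02", "acct-B", 38),
    ("2007-06-03", "acct-B", 45), ("2007-06-04", "acct-B", 41),
    ("2007-06-05", "acct-B", 39), ("2007-06-06", "acct-B", 52),
    ("2007-06-06", "acct-C", 9),   # new account: no baseline yet
]


def daily_counts(log):
    """Group the log into {customer: [(date, count), ...]} sorted by date."""
    by_customer = defaultdict(dict)
    for date, cust, n in log:
        by_customer[cust][date] = by_customer[cust].get(date, 0) + n
    return {c: sorted(d.items()) for c, d in by_customer.items()}


def spike_alerts(log, window=5, factor=3.0, min_baseline_days=3):
    """Return [(customer, date, count, baseline)] for each day on which a
    customer's count exceeds `factor` times the median of its previous
    `window` days. Accounts with fewer than `min_baseline_days` of history
    are skipped here; they need a fixed-threshold review instead, since a
    brand-new account has no baseline to compare against.
    """
    alerts = []
    for cust, series in daily_counts(log).items():
        for i, (date, n) in enumerate(series):
            history = [c for _, c in series[max(0, i - window):i]]
            if len(history) < min_baseline_days:
                continue
            baseline = median(history)
            if baseline > 0 and n > factor * baseline:
                alerts.append((cust, date, n, baseline))
    return alerts


if __name__ == "__main__":
    for cust, date, n, base in spike_alerts(SAMPLE_LOG):
        print(f"{date} {cust}: {n} checks vs. baseline {base}")
```

Only acct-A's tenfold jump is reported; acct-B's modest rise stays within its own normal range, and acct-C is skipped for lack of history.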
Lastly, Lemecha advised companies to beware of simple security
mistakes. For example, listing a person's Social Security number on
a mailing address label and not securing data on a laptop that is later
stolen or lost are common and costly mistakes. Lemecha recommended
encrypting all laptops and ensuring all portable devices are
password-protected. No matter the device, a firm should have the ability
to remotely delete any sensitive data that it may hold.
COPYRIGHT 2007 Association of Records Managers & Administrators (ARMA). Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.