Databreaches.net has a story on how ChoicePoint has decided to settle with the FTC regarding an information security breach the data broker experienced in 2008. Ironically enough, the breach could have been prevented: ChoicePoint had implemented the correct security measures in response to their 2005 breach. However, the software was turned off. (It reminds me of instances when computer users turn off their laptop encryption software that was painstakingly implemented by their administrators).
The 2005 data security breach resulted in the identity theft of at least 800 people. However, a total of 163,000 records were sold to a crime ring posing as a legitimate business. Compared to the actual number of people affected, it looks like the theft didn't translate into a massive amount of crime. On the other hand, SSNs apply for a lifetime, so it's a premature assumption that the matter has been settled.
ChoicePoint ended up paying $10 million in civil penalties and $5 million in consumer redress. The company also agreed to have its data security program assessed every two years until 2026 by an outside company (that's 20 years!).
Using the above numbers, the cost per person affected works out to $92 (or rather, it did at the time; recent trends suggest that the average cost is now closer to $200).
The more recent breach compromised the information of 13,750 people, which resulted in a fine of $275,000 (average cost: $20 per person). ChoicePoint is also required to report to the FTC, every two months for two years, on how the brokerage company is protecting its databases. I assume this is in addition to anything that was agreed to in 2006.
I find the FTC's reaction to be questionable. Here you have a situation where a breach could have been avoided, but wasn't. Not only that, it was a company that should have known better due to its past experience. Plus, it had promised to the FTC to do certain things; it didn't.
I also assume that whatever security tool was turned off, and allowed the breach to take place for a month, was quoted in ChoicePoint's bi-annual reports as one of the ways the data broker was protecting its databases. In other words, I'm assuming misleading reports (well, a report, considering it's probably the first one) were submitted.
And despite all of this, the FTC has decided to...go lax on them? Two hundred grand is nothing to sneeze at, but it's a drop in the bucket for this company. And, when past fines are taken into account, on a per-person basis it's much less of a fine ($20 vs. $92). Considering what I've read, it seems that the fine should have been higher on a per-person basis.
This begs the question, what are other companies doing? For example, if a company has had a data breach because a computer was stolen, and they promise to use encryption software like AlertBoot to protect the data on their computers...do they actually do so?
Or is it going to be lip service until the next data fiasco? Thankfully, our experience shows that it's the former--although, admittedly, it's a biased one (companies that are paying lip service wouldn't sign up with AlertBoot encryption services to begin with).
Related Articles and Sites:
http://www.databreaches.net/?p=7870
http://www.msnbc.msn.com/id/11030692/