Case Study Graduate 1,822 words

ChoicePoint Data Privacy Crisis: Governance and ISMS Reform

Abstract

This case study examines ChoicePoint's critical vulnerabilities in data security and privacy management stemming from rapid acquisitions, lack of integrated governance frameworks, and absence of industry-wide Information Security Management Systems (ISMS) standards. The paper assesses how ChoicePoint's challenges reflect broader systemic failures across the personal data industry, evaluates the legitimacy of privacy advocates' concerns regarding data protection practices, and recommends comprehensive organizational restructuring including the creation of a Chief Governance Officer position, implementation of ISO 27001 standards, and adoption of Governance, Risk and Compliance (GRC) frameworks to prevent congressional over-regulation and restore consumer trust.

How to Write This Type of Paper

What makes this paper effective

  • Grounded analysis of a real-world corporate crisis with concrete operational details (175 million claims database, 95% market adoption of CLUE reports, 50 acquisitions)
  • Systematic diagnosis of root causes at multiple levels—company-specific failures, industry-wide structural problems, and regulatory gaps
  • Specific, implementable recommendations tied to international standards (ISO 17799, BS 7799, ISO 27001) rather than vague calls for "better security"
  • Balances competing interests by addressing both consumer privacy and industry viability, avoiding simple blame narratives

Key academic technique demonstrated

The paper models layered causal analysis: it moves from ChoicePoint's internal dysfunction, to industry-wide patterns, to external stakeholder perspectives (privacy advocates, Congress), then back to individual firm strategy. This enables the author to argue that ChoicePoint's problems are simultaneously unique (execution failures) and symptomatic (structural industry failures), which justifies recommendations at both the firm and industry levels. The extensive citation of governance and security standards literature grounds recommendations in established frameworks rather than speculation.

Structure breakdown

The essay follows a problem-diagnosis-stakeholder-solution arc. The introduction frames ChoicePoint as emblematic of broader systemic issues. The second section details ChoicePoint's operational vulnerabilities (failed M&A integration, lack of ISMS governance). The third section expands to industry-wide problems (lack of oversight, conflicting methodologies across value chains). The fourth section presents external validation of these problems through privacy advocates' technical audit findings. The fifth section translates diagnosis into specific executive actions (CGO role, ISMS rollout, GRC frameworks, ISO standards adoption). The conclusion stakes the argument on institutional accountability. This structure moves progressively from internal to systemic to regulatory context, justifying why the focal company must become the industry leader in reform.

Introduction

The systemic challenges that ChoicePoint is facing must be addressed at a fundamental level, requiring major restructuring of processes, strategies, and systems. Compounding these internal challenges is the need to remain aligned with, and to influence, legislation on personal data privacy. The many data breaches the company has experienced, arising both from internal failures and from fraudulent activity, have made it a focal point of the U.S. Congress's efforts to reduce identity theft risk and unauthorized access to personal data. This analysis examines the legitimacy of industry critics' concerns, assesses existing processes and their impact on individual privacy, and recommends the legislative and organizational changes needed to protect personal privacy while allowing the personal data industry to serve corporate and government customers effectively.

ChoicePoint's Systemic Challenges

ChoicePoint was formed as a spin-off from Equifax and rapidly filled unmet data needs in the insurance industry, concentrating on the automobile and homeowner insurance segments, two of the largest in the U.S. Building on credit reporting expertise developed at Equifax, ChoicePoint launched with a complete suite of reports and data analysis services for the property and casualty (P&C) industry. These offerings included risk assessment profiles, statistical analysis of claims reporting for financial forecasting and fraud prevention, and continuous refinement of the Comprehensive Loss Underwriting Exchange (CLUE) report. The CLUE report became so successful that 95% of auto insurers used it and its accompanying data services. A key competitive advantage was the ability to draw on a database of 175 million claims spanning 1998 to 2005, the most thorough data mart in the P&C industry. From this foundation, ChoicePoint applied both descriptive and predictive analytics to align its services with the risk assessments customers required. The company also held extensive software licenses with Fair Isaac, whose credit-scoring technology relies on constraint-based definitions of risk; the same technology could have helped the company assess the risks of its own business strategy.

ChoicePoint successfully executed the many processes required for mergers and acquisitions (M&A). With 50 acquisitions at the time of this case study, many of them built on Web 2.0 technologies, ChoicePoint was well positioned to gain significant market share across all business segments as companies increased their reliance on Internet services. Templar and iMap exemplified this acquisition strategy. ChoicePoint subsequently acquired VitalCheck, an Internet platform enabling online ordering of birth, marriage, divorce, and death certificates. Despite exceptional execution of M&A activities, the company struggled to integrate its expanding business lines into a unified platform of services that could be effectively governed. This disconnect between services, databases, and data collection and analysis methodologies became the catalyst for ChoicePoint's problems. In fact, the entire personal data industry suffered from lack of integration across business units and inconsistent data collection, analysis, and representation methodologies. ChoicePoint's challenges were exacerbated by its acquisition velocity and the absence of corporate-level governance. More critically, ChoicePoint had no consistent data protection policy and had not defined how it would internally manage, audit, and report on an Information Security Management System (ISMS).

This represented a strategic liability not only for ChoicePoint but across the industry, leaving the entire sector vulnerable to congressional over-regulation. A scalable and secure ISMS must balance agility in responding to external factors with strength in protecting critical information assets. In essence, the entire industry had invited criticism by failing to audit and enforce ethical standards on itself. The case study makes it nearly certain that Congress would impose privacy and ethical standards stricter and harder to implement than any the industry would define for itself, because the industry, not Congress, understands its own systems, standards, processes, and requirements. Ignoring self-regulation and active ISMS initiatives, audits included, risked regulatory burdens whose compliance costs could force industry consolidation. Leadership was needed to establish a model for corporate governance that includes ISMS initiatives with comprehensive audits.

The Personal Data Industry Needs To Change

Defining audits alone is insufficient. The industry needs to adopt the ISO/IEC 17799 code of practice for information security management (since renumbered ISO/IEC 27002) and have its conformance verified through audits against ISO/IEC 27001, the certifiable ISMS requirements standard published by the International Organization for Standardization and the IEC. Both descend from British Standard 7799 (BS 7799): BS 7799-1 became ISO/IEC 17799 and BS 7799-2 became ISO/IEC 27001. Underpinning compliance with these standards is the need for a strategic governance, risk and compliance (GRC) plan, whose critical component is periodic internal audit confirming that the organization still meets the standard. To prevent industry over-regulation, leadership must catalyze change across the entire sector. At the time of the case study, neither ChoicePoint nor the broader industry had implemented these standards, nor had meaningful self-regulation or auditing processes been established. As a result, individual privacy faced serious jeopardy online, and industry critics' concerns were largely justified. A significant gap existed in the systems and processes for managing ISMS initiatives and connecting them to strategic governance, risk, and compliance frameworks. What was needed was a governance framework integrated with ISMS initiatives so that security lapses became far less likely.

The Fair Credit Reporting Act (FCRA) revolutionized the credit and personal data industry by extending credit access to middle- and lower-income consumers, who became the greatest beneficiaries of the legislation. As the FCRA catalyzed industry growth, fraud escalated with the greater availability of credit data, and the need for better and more accurate monitoring grew with it. Despite that growth, there was a complete absence of oversight, no industry-wide ISMS best practices or standards, and, critically, no strategic GRC planning at the chief executive or board level in any company. Not a single firm had completed an ISMS implementation cycle, for lack of strategic governance across the industry. Consequently, sales of illegally obtained personal information flourished, leaving victims to fend for themselves. Industry discussions had considered borrowing the control discipline of Generally Accepted Accounting Principles (GAAP) to counter process inefficiency and the lack of control monitoring. Yet while credit reporting laws increasingly enabled credit access for lower- and middle-income families, and were embraced as a growth catalyst, they had not motivated corresponding changes in governance, auditing, and ISMS initiatives.

ChoicePoint's challenges revealed that the entire personal data industry value chain required complete re-vamping of processes and systems to achieve higher data privacy levels. Considering the value chain from data providers through agents and bankers who resold bundles of data through their own channels, the industry demonstrated complete lack of understanding regarding individual data privacy. The value chain featured conflicting methodologies and analyses, further increasing the potential for data compromise as information was collected, analyzed, sold, and resold. These converging factors created a perfect storm: the personal data industry had no practices, processes, or systems for managing privacy throughout the entire value chain. As these challenges pervaded ChoicePoint and all industry companies, privacy advocates began dissecting the processes, systems, and approaches data providers used to collect, analyze, and sell information. Their findings quickly became the foundation for congressional attention and heavy regulatory focus on an industry suffering from lack of process integration and internal governance oversight. ChoicePoint had become the poster child of the personal data industry due to numerous data protection lapses. The scenarios in the case study of criminals posing as small businesses to access databases represented a pervasive problem across the entire industry and catalyzed intensified legal and regulatory oversight.

Privacy Advocates' Assessment

Dissecting the processes, systems, and techniques of the American personal data industry, privacy advocates argued that U.S. providers operated unchecked with convenience-based privacy policies that disregarded consumer welfare, and proposed that American providers be held to European Union data protection standards together with rigorous compliance with the BS 7799, ISO/IEC 17799, and ISO/IEC 27001 family of internationally recognized security management standards. The advocates hired IT experts to evaluate the security and stability of personal data providers' databases and Web infrastructures. Their conclusion was damning: the Plan-Do-Check-Act (PDCA) cycle, popularized by W. Edwards Deming, prevalent in other industries as the basis for security governance, and adopted by ISO/IEC 27001:2005 as the process model for an ISMS, was unknown in the personal data industry. Middleware applications were inconsistent with one another and with the ISMS controls the British and ISO standards require. The experts also found a comprehensive lack of data security on provider databases; comparable database implementations at consumer packaged goods companies maintained higher levels of data security and verification. Most critically, the advocates found that many providers' data warehouses were open and reachable from outside the company.

ChoicePoint's Response to Congress

ChoicePoint's leadership had no choice but to completely restructure the company as an example for industry peers to follow. Leadership would need to document these changes and provide an industry roadmap for achieving higher data privacy levels through more effective Business Process Management (BPM) and Business Process Reengineering (BPR). However, redefining processes was insufficient—the systems supporting those processes required complete overhaul. The first step was defining a corporate-level governance and risk management position. Creating a Chief Governance Officer (CGO) with authority to implement internal audit programs, schedules, and standards was essential. A thorough ISMS initiative was required immediately. These initial steps represented a "mea culpa," or admission of guilt and oversight failure, signaling to Congress intentions to completely restructure privacy management across the organization.

Leadership must define a strategic GRC plan going forward, complete with assessment of how to successfully complete company-wide ISMS implementation. The plan must specify that foundational ISMS elements—Availability, Confidentiality, and Integrity—must be aligned with each other and integrated into the governance framework. These three foundational elements form the basis of ISMS strategic plans and implementation strategies. All these points required explanation to both privacy advocates and Congress if credibility were to be established for the long term.

ISMS implementation requires intensive integration across the four Balanced Scorecard perspectives (financial, customer, internal process, and learning and growth) to succeed. This integration need is accentuated by the eleven control domains of Annex A in ISO/IEC 27001:2005, the edition current at the time of the case: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management, with alerting that reaches all facilities globally; business continuity management; and compliance with legal, regulatory, and contractual requirements. Across these eleven domains, tight integration is critical for successful ISMS implementation, and the single most important success factor is a stable, sustainable change management strategy consistent with organizational culture, a challenge leadership will face long-term.

Conclusion

Only by completely restructuring the company's approach to managing data privacy at the process and system level, and making GRC a corporate strategic priority through creation of a Chief Governance Officer position, can ChoicePoint overcome the risk of massive congressional regulation. Leadership must exit the business of selling data to small and medium businesses; these transactions are not scalable within a GRC framework and their incremental revenue does not justify the risk. Ultimately, ChoicePoint can work with Congress only by disclosing how errant its processes and systems have become and welcoming periodic audits of GRC strategic plans and ISMS initiatives. Anything less than full accountability and disclosure risks intensive regulation.

Cite This Paper
PaperDue. (2026). ChoicePoint Data Privacy Crisis: Governance and ISMS Reform. PaperDue. https://www.paperdue.com/study-guide/choicepoint-data-privacy-governance-isms-28565
