Your Slip Is Showing… Again!

ChoicePoint, one of the nation’s largest data brokers, has been fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed personal information of 13,750 people last year. But this is not the first time that ChoicePoint has had problems with the FTC.

In 2005, ChoicePoint suffered a breach that compromised the personal information of more than 163,000 people and resulted in at least 800 cases of identity fraud. In a 2006 court settlement agreed to as a result of this breach, the company was ordered to pay $10 million in civil penalties and $5 million to consumers.

Additionally, the court ordered ChoicePoint to maintain procedures to ensure that sensitive consumer reports were provided only to legitimate businesses for lawful purposes; to maintain a comprehensive data security program; and to obtain independent assessments of its data security program every other year until 2026.

And A One… And A Two…

Usually when an incident like this happens, the company hires a chief security or privacy officer or at least orders the IT department to put measures in place to ensure that such an embarrassing incident won’t happen again. After all, $15 million is a lot of money, even to a company like LexisNexis (which owns ChoicePoint).

Well, it happened again. Inconceivable as it seems, ChoicePoint turned off a key electronic security tool that it used to monitor access to one of its databases and failed to notice the problem for four months, from April through July 2008.

During this time, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention.

The FTC alleged that had the monitoring tool been working, this breach would have been caught. Because it wasn’t working, the FTC alleged that ChoicePoint’s conduct violated the 2006 court order described above. This time, the FTC fined ChoicePoint $275,000 and required the company to file a report with the FTC every two months for two years, including detailed information about how it is protecting the breached database and certain other databases and records containing personal information.

Personally, I fail to see why a second breach of confidential information cost the company much less than the first breach. I used to think that the penalties were more severe for a second offense. I guess that’s why I’m not a lawyer.

And What Did We Learn From This?

Like many of the incidents that I write about, this one too is a teachable moment.

First of all, does your company have an information security policy? If you do, how do you ensure that the policy is being enforced? One way to ensure policy enforcement is through logging, and then mining the logs for errors, omissions, and purposeful violations. Apparently, ChoicePoint either wasn’t logging the status of its database monitoring tool, or it wasn’t reviewing the logs that would have shown that the tool was turned off.

There are a number of companies selling logging solutions that will not only aggregate logs from your various systems, routers, remote access points, and applications, but can mine your logs to search for policy violations. You see, by understanding detailed log event data that IT systems produce, your organization can better manage, investigate, and protect your systems.

Not only can you drill down on individual events within the log, but because the system can correlate and analyze data such as system and application log files, database event records, and operating system event logs, you can trace a violation from the entry point to its destination and discover where your vulnerabilities lie.
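As an added illustration (not part of the original post), here is a small Python check of the kind a log-mining tool could run over monitor status events to catch exactly the failure described above: an explicit "disabled" event, or a monitor that has simply gone silent. The log format, host name, monitor name and heartbeat interval are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log (not from the article). The assumed monitor emits a
# heartbeat once a day while running; the gap after 2008-04-03 simulates it
# being switched off and left off for months.
SAMPLE_LOG = """\
2008-04-01T00:00:00 host=db01 monitor=db-access-watch event=heartbeat
2008-04-02T00:00:00 host=db01 monitor=db-access-watch event=heartbeat
2008-04-03T00:00:00 host=db01 monitor=db-access-watch event=heartbeat
2008-04-03T09:12:44 host=db01 monitor=db-access-watch event=disabled user=admin
2008-07-30T00:00:00 host=db01 monitor=db-access-watch event=heartbeat
"""


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into (datetime, dict)."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields


def audit_monitor(log_text, now=None, max_gap=timedelta(hours=48)):
    """Return a list of (timestamp, reason) alerts about the monitor's health.

    Two policy checks: an explicit 'disabled' event is always reported, and
    silence longer than max_gap between heartbeats is reported. If `now` is
    given, silence since the last heartbeat up to `now` is also reported, so
    the alert fires while the tool is still off, not only once it returns.
    """
    alerts = []
    last_beat = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("event") == "disabled":
            who = f.get("user", "unknown")
            alerts.append((ts, f"monitor {f['monitor']} disabled by {who}"))
        elif f.get("event") == "heartbeat":
            if last_beat is not None and ts - last_beat > max_gap:
                days = (ts - last_beat).days
                alerts.append((ts, f"no heartbeat for {days} days"))
            last_beat = ts
    if now is not None and last_beat is not None and now - last_beat > max_gap:
        alerts.append((now, f"monitor silent since {last_beat.isoformat()}"))
    return alerts
```

Fed the constructed log, the check reports the disable event on 3 April and the 118-day silence when the heartbeat resumes; passing a later `now` reports the ongoing silence as well.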

The Log Warehouse


One such solution is the Sensage Log Warehouse (pictured), which is also OEM’d by HP. Similar in function to devices from other manufacturers, the appliance plus associated software saves time and money. Since it uses specialized hardware, it can store logs up to 40 times more efficiently than the relational databases used by other logging solutions.

Many companies that sell logging solutions also supply software that offers standard reports for the Payment Card Industry Data Security Standard (PCI DSS) and other compliance mandates (SOX, HIPAA, FISMA, NISPOM and others) without custom programming.

Would a logging solution have helped ChoicePoint? It very well might have, if it were properly configured and monitored. Can a logging device help your organization? Probably yes, if you are subject to regulatory requirements that call for auditing and reporting.

A logging solution is also valuable for non-repudiation of documents during e-discovery so that you can prove who had access to which documents at what time, when they were changed, and by whom, and whether or not required documents were purged.

In short, a logging solution can be the answer to many security and compliance problems that your organization may face now and in the future. This might be a good time to do a bit of research or attend one of the many webinars being offered by vendors in this space.

The Last Word

If all else fails, you may want to think about encrypting your data so that if it does get out, at least it’s useless. I have covered this topic in an article to be published in the November / December issue of The Connection which will be posted on my Portfolio page after the magazine hits the streets.
