UNIVERSITY OF WASHINGTON
Analysis of ChoicePoint Case Study
Group 10
Amar Kohli, BK Sarthak Das, Dhawal Kumar Lachhwani and Divya Krishnan
12/1/2014
Executive Summary
ChoicePoint, one of the major players in the personal data industry, was reveling in its success by the end of 2004, with revenues of $920 million and a customer base of 100,000. It had used its greatest asset, data, to create value for its clients through relevant products and services. ChoicePoint’s clients were able to drive business growth to new heights by harnessing the personal data of millions of citizens in America. But all was not well with ChoicePoint when it was ambushed by privacy advocates and victims of identity theft. This was a result of its business model, which focused on maximizing profits and was negligent in protecting its data against people with criminal intent. Identity thieves had gained access to sensitive information on more than 163,000 ChoicePoint customers, which led to huge monetary loss. While investigating an incident of identity theft, ChoicePoint discovered 50 fake client accounts opened by criminals to extract valuable information about their targets. ChoicePoint was also heavily criticized for its data inaccuracies and its lack of a proper procedure to correct data mismatches, especially in data originating from government entities. After extensive analysis of the case study, we feel that ChoicePoint could have adopted certain strategies to win over public confidence and prevent monetary loss owing to lawsuits. ChoicePoint could have reviewed its clients through onsite visits, which would have prevented fake accounts from being created and kept the identity thieves at bay. It was also necessary for ChoicePoint to have an audit mechanism that kept track of client data requests, so as to ensure that the data was used for legitimate purposes. With respect to the issue of data inaccuracies, ChoicePoint could have obtained access rights to the source data without independently storing it in its databases.
This would have reduced its IT infrastructure costs and also made the public entities responsible for data inaccuracy. ChoicePoint could have ensured better transparency by having procedures to notify the public in case of any data mismatch. ChoicePoint could have also collaborated with other data brokers to make the personal data industry more secure and compliant with the privacy rights of American citizens.
Introduction
ChoicePoint faced numerous problems such as identity theft, privacy violation and data breach. ChoicePoint showed a pattern of negligence while handling data breach incidents and misinformation. It also had to face legal implications from the individuals whose data was compromised. The purpose of this report is to provide ChoicePoint with recommendations to improve its information protection strategies.
Appraisal of ChoicePoint’s business model
Market opportunity
When Equifax made a transition in its business model by expanding beyond credit reporting to data brokerage, another intention was to provide the business an escape from the laws that restricted the type and amount of information a credit agency can sell. Thus ChoicePoint was born; as a data broker company, it was free from governing laws and restrictions on data collection and sale. With that added advantage, ChoicePoint acquired various companies that added data and data capabilities to its existing database, with capabilities ranging from data sharing across multiple databases, to creating electronic maps, to biometrics. The key concept behind ChoicePoint’s business model was to consolidate the fragmented personal data markets ranging from “insurance, public records, pre-employment screening, and drug testing markets (to name a few)” (Paine & Phillips, 2008, p. 4). With an expanded set of data, ChoicePoint became a frontrunner in data brokerage, serving multiple clients including government bodies, small to large businesses and individuals. The insurance industry, in both its property and casualty (P&C) and life and health (L&H) segments, required applicants’ data to assess risk and detect fraud, their claims histories and motor vehicle reports, and services such as property inspection and audit, surveillance, and fraud investigations. Business customers required data for pre-employment screening, public-records searches and biometrics of their job applicants, as well as business and professional credentialing, collections and recovery, risk management, compliance, due diligence and fraud protection. ChoicePoint even catered to individuals for needs such as ordering “birth, marriage, divorce, and death certificates over the internet instead of traveling to the local courthouse” (Paine & Phillips, 2008, p. 3), as well as insurance reports, public-records self-checks, and background checks on service providers. The largest requirements came from marketing businesses, which acquired personal data to analyze and target specific users for marketing. Even youth organizations used data to screen various service providers, specifically to avoid hiring sex offenders. ChoicePoint harnessed these market opportunities in line with its mission statement, which is “To be the premier provider of intelligent information to help our customers better understand whom they do business with” (Paine and Phillips, 2006-2008, p. 2).
ChoicePoint creating value
Paine and Phillips (2006-2008) state the various ways in which ChoicePoint created value for its stakeholders, namely, its suppliers and clients. It had public and private sources for data collection and had government bodies, corporate business and individuals as clients. The figure below gives us a brief idea of the position of the stakeholders in the business:
Figure 1: Information Flow Model of ChoicePoint (Source: Paul N. Otto, Annie I. Antón, David L. Baumer (Author). (2006). Information Flow Model of ChoicePoint [infographic], Retrieved Nov 30 2014, from: http://theprivacyplace.org/blog/wp-content/uploads/2008/07/tr-2006-18u.pdf )
As shown in the above figure, ChoicePoint acquired its resources from various government entities such as the federal government and state governments. Private insurance companies provided ChoicePoint their claims histories without any cost. Other data was either bought in electronic form or gathered by hand by contractors whom ChoicePoint hired. Later on, ChoicePoint acquired more than 50 companies to increase its data capabilities. Quite a few of these stakeholders survived on selling information to ChoicePoint. With the advent of collection strategies for different forms of data at ChoicePoint, after the acquisition of 50 technologically and fundamentally diverse companies, ChoicePoint was able to provide DNA identification, biometrics, and electronic maps to its clients for advanced screening and background check purposes, as well as customer identification, customer behavior, and a focused list of potential customers for targeted marketing. By 2005, ChoicePoint’s C.L.U.E Report (Comprehensive Loss Underwriting Exchange) was the industry standard for over 95% of auto insurers. With increasing demand from law enforcement clients, ChoicePoint had “at least $117 million in contracts with the federal government, $63.4 million of which was a contract with Department of Justice” (Paine & Phillips, 2008, p. 3). Law enforcement clients mainly employed the services to trace financial assets and terrorists. But the sector that gained the most from ChoicePoint’s data brokerage was marketing, where consumer data is analyzed to identify business patterns, which helped in targeting specific sets of users for promotional marketing. This brokerage of data brought in revenue of close to $920 million to ChoicePoint, with over 100,000 customers by 2004. By 2008, ChoicePoint had grown to such an extent that Reed Elsevier paid $4.1 billion to acquire it.
ChoicePoint’s beneficiaries
As discussed by Paine and Phillips (2006-2008), ChoicePoint had a varied range of beneficiaries who utilized its products and services, namely insurance companies, Fortune 1000 companies, employers and landlords, financial institutions, government intelligence firms, law enforcement agencies and individuals. It also provided services to smaller businesses, journalists, law firms, private investigators, and even other data brokers. A 2004 report showed that almost 40% of ChoicePoint revenue was generated through business services, 40% from its forte, insurance services, 9% from government services, and 11% from marketing. The products and services offered by ChoicePoint benefitted its clients, who used data to drive business profits and to do their jobs more efficiently.
Assessment of industry criticisms
Charges against the personal data industry
The charges against data brokers such as ChoicePoint and the personal data industry are very serious, and we believe that the concerns about privacy and data security in relation to this industry are valid. Some of the biggest criticisms against the industry include identity theft and inaccuracy of data. Several people lost their jobs because of false charges arising from inaccurate data provided by ChoicePoint. “A Chicago area woman was fired from her job because ChoicePoint records incorrectly stated that she was a drug dealer and shoplifter” (Paine and Phillips, 2006-2008, p. 5). Many individuals were denied job offers because of the misinformation provided by ChoicePoint. Even though maintaining updated information is a complicated task for the personal data industry, it is absolutely necessary for data brokers to provide a disclaimer to their customers, so that individuals do not suffer because of misinformation. Companies that use the data provided by data brokers expect accurate information, so it is the data broker’s job to ensure veridical data. ChoicePoint was sued by a man who was denied a job offer from IBM because his pre-employment screening showed that he had a criminal conviction when, in fact, it had been expunged (Paine and Phillips, 2006-2008). This shows that IBM depended solely on ChoicePoint for its pre-employment screening, which led to it losing a potentially good employee. Identity theft, another criticism against the personal data industry, caused “individuals to be mistakenly identified as felons” (Paine and Phillips, 2006-2008, p. 5). Paine and Phillips (2006-2008) show that an individual named Jeffery Davis was denied a job because he was identified as a felon, whereas he was a victim of identity theft.
Threat to individual’s privacy
The personal data industry poses a major threat to individuals’ privacy, especially if data brokers such as ChoicePoint do not keep their data secure and accurate. Personal privacy is of utmost importance to most individuals in the United States, and the U.S. Congress has even passed the Privacy Act, requiring government agencies to adopt a set of fair information practices for databases containing personal information. However, companies such as ChoicePoint sold individuals’ personal data to government agencies (Paine and Phillips, 2006-2008). This concept was not well received by the public and posed a threat to their privacy. Data brokers sold information to marketers and salespeople, who then had access to individuals’ Social Security numbers. Thieves could easily get access to this sensitive information by hacking into a data broker’s system. With access to the system, a thief could modify sensitive records and cause a lot of potential damage to the victim. In fact, ChoicePoint’s data was breached in 2006 and the private information of over 163,000 individuals, such as credit histories, social security details, etc., was leaked. The Federal Trade Commission (FTC) charged ChoicePoint $10 million in penalties and $5 million in consumer redress to settle the charges (“ChoicePoint Settles Data Security”, 2006). Data brokers also have access to personal data such as an individual’s address, contact details, family medical history details, income, etc. They even know if an individual is an alcoholic or if he/she suffers from depression. This personal data, when in the wrong hands, poses a large threat to any individual’s privacy, especially if it is not kept secure. People can lose their jobs or even be forced into a divorce because of inaccurate and insecure information provided by the personal data industry.
Assessment of the situation
ChoicePoint’s approach to ensure data accuracy
We feel that ChoicePoint did not take enough measures to ensure that its data was accurate, especially considering that it is a company dealing with personally identifiable data of millions of Americans. Paine and Phillips (2006-2008) give the example of Jeffrey Davis, who was denied a job as he was mistaken for a felon; in spite of Davis’s dad requesting ChoicePoint to correct the error, Davis had to let go of a second opportunity of employment. This clearly shows that ChoicePoint was not quick enough to fix its mistakes and did not realize the negative effects of its inaccurate data on the victims of mistaken identity. ChoicePoint, when acquiring data from reliable sources such as government entities, assumed that the data was accurate unless contested. The Texas Department of Public Safety (DPS), which is one of the sources for ChoicePoint, is infamous for having incomplete and missing data (Paine and Phillips, 2006-2008). As the DPS database had only 60% of all the criminal records, the data provided by ChoicePoint to its clients had a lot of inaccuracies. ChoicePoint relied heavily on the source of the data for accuracy and did not have any process to check the accuracy of data once it was transferred to the ChoicePoint database. Another problem in collecting data from government bodies was that their databases were updated more frequently than ChoicePoint could buy or update the data. For example, the DPS updates its records every hour in some cases, whereas ChoicePoint updated its databases only once a month. This meant that for a month, someone’s criminal record was not reflected, or a wrongly accused person was still a felon in ChoicePoint’s databases. It was believed that the expense of collecting or updating data was much more than ChoicePoint could afford, especially in the case of state records where the data was updated frequently. ChoicePoint did have some measures to check the integrity of the data received from various sources.
Paine and Phillips (2006-2008) suggest that ChoicePoint gave its employees a training manual on ‘investigatory procedures’, but there doesn’t seem to have been any mechanism by which ChoicePoint ensured that its employees were well-versed in the training manual and that they followed it before giving data out to customers such as insurance companies and law enforcement agencies. Another validation performed by ChoicePoint was that it double-checked the identity of future hires showing a criminal record in its database while performing an employee background check for its clients. But this excludes employees whose criminal records were not discovered as part of the background screening and whose data was not properly updated. Also, although not perfect, these validations performed by ChoicePoint were not visible to the outside world, which created more mistrust regarding the services provided by ChoicePoint.
ChoicePoint’s security measures
We think ChoicePoint had been negligent in maintaining adequate security measures, considering that it held a bundle of personal information about millions of people. In 2005, there was a case about an identity thief who posed as James Garrett and identified himself as an executive of M.B.S, a Los Angeles based small business company (O'Harrow Jr., 2005). The thief posed as a potential client of ChoicePoint and requested electronic records of individuals. The ChoicePoint employee became suspicious of the thief and, with the help of police, lured the man into a copy store. When the thief was caught, it revealed a huge identity scam, but by then he had already got access to 145,000 records from ChoicePoint. After the incident, ChoicePoint discovered 50 other such fake accounts created by con-artists and identity thieves. This shows a lack of adequate security measures at ChoicePoint. After this incident, ChoicePoint restricted the sale of its information, especially sensitive consumer data. O’Harrow Jr. (2005) describes the security measures of ChoicePoint for opening a new account: “Before granting service, ChoicePoint typically requires a photocopy of a driver's license and business records on file with a state or local government agency. A ChoicePoint employee would then verify that such a person and company exists” (p. 3). But identity thieves used fake IDs, created fake companies on paper and got them registered with government agencies using phony names. Hence the criminals were easily able to bypass the security measures of ChoicePoint, which shows that ChoicePoint was negligent in verifying data requests. As seen in many legal cases against ChoicePoint, it had a passive security strategy, one that believes in dealing with a breach after it has occurred. Considering that ChoicePoint is an information-centric company, it should have been proactive in securing its data and in validating its client requests.
Concerns on the usage of ChoicePoint’s data
We are very concerned about the sale of ChoicePoint data to clients without probable cause. A lot of con-artists are using the front of fake small businesses to steal the personal records of thousands of people. With the news of illegal surveillance by the NSA out in the open, people have realized that law enforcement agencies are not respecting the right of American citizens to privacy (Gellman, 2013). This has also made people more critical of the data collection and data security practices of data brokers such as ChoicePoint. Law enforcement agencies have in the past shown that they did not convey the full details in their reports, allowing them 2776 violations of the rules for the surveillance of American citizens and foreign nationals. The United Nations has urged all countries to protect the privacy of their citizens in this technological era, where power is dominated by the entity or person having the maximum relevant data (Sengupta, 2014). In such a scenario it is important that even government agencies such as the NSA be given data with caution and care.
Recommendations
After inspection of ChoicePoint’s business model and the criticisms leveled against the data brokerage industry, we have come up with certain recommendations which ChoicePoint could have followed to regain its reputation in the industry.
Client Vetting - ChoicePoint had been the target of a massive data breach which did not involve any technological attack vector; rather, it was social engineering used to perform identity theft, which penetrated ChoicePoint’s poorly organized business structure. There was no proper vetting of the clients, who were allowed to request ChoicePoint’s data for a mere $15 charge (O’Harrow Jr., 2005). The easy access to background information on numerous citizens created a honeypot for identity theft. If the clients had been reviewed by onsite visit and a secure channel had been introduced for the data transfer, it would have protected them from identity theft.
Audit trails - It was also noticed that ChoicePoint would accredit a client merely through faxed documents (Otto, Antón, & Baumer, 2006), which is ironic: a company providing background checks did not check its own clients. Another flaw in its business model was the lack of client accountability and the absence of supervision from ChoicePoint once the data was handed over to the clients. There should have been an audit trail keeping track of client data requests and the usage of ChoicePoint data. The creation of an audit trail would also help make ChoicePoint more credible under government regulatory acts such as HIPAA, the GLB Act and many more, depending on the nature of the data.
Accurate sources - Based on the case study, we found that ChoicePoint stored data on its own systems, resulting in data mismatch. The entities providing the data did not hold any liability if ChoicePoint didn’t update its data. We would suggest a data extraction model which would save money and improve the accuracy of ChoicePoint products.
ChoicePoint should have adopted a service-based approach, where it would have the right to give access to the data sources of its suppliers without storing the data on its servers. This would reduce its IT infrastructure costs of setting up a data center and would also make the public and private entities responsible for incorrect data being stored by them. Suppose an incorrect credit report was stored by the national credit bureau and ChoicePoint reports it; the citizen should be able to report back to the bureau to initiate a credit freeze on their account and prevent any wrong inference being made about them from this data.
Transparency - ChoicePoint had created a Big Brother persona by driving a data-based decision model which could make or break anyone’s life with a single report. Although the motive of its CEO was much appreciated during its inception, the way it carried out its decisions behind the backs of the citizens whom it was supposed to empower might have been a possible cause of its downfall. We believe that if ChoicePoint had made the public more aware by sending out emails about deficiencies in their profiles, it would have created a more empowering image for the company. For example, if Katherine had asked XYZ bank for a loan and she had a bad credit report which explicitly specified a bad payment history, ChoicePoint should send her a mail explaining why she did not get the loan approval as well as the next step to follow to mend this. This mail should also contain steps for her to approach ChoicePoint if she thought the report was wrong in any manner. ChoicePoint would then approach the source of the data with Katherine’s complaint and get it fixed in an expedited manner. If ChoicePoint had performed this kind of service for citizens, it would have been a more popular and desirable service, which would have absolved it of its corporate monitor image.
Lack of unified Privacy Laws - The wayward behavior of ChoicePoint is also partially due to the lack of relevant federal regulations and acts on consumer privacy. There are many different acts and policies in place which address privacy in terms of the type of data being collected, such as the Health Insurance Portability and Accountability Act (HIPAA), the Driver’s Privacy Protection Act, the Fair Credit Reporting Act and many more. Although all of these legal acts protect citizens by safeguarding certain private details about them, there is no unifying framework which prevents companies from collecting all of these details and using them for different purposes (United States Government Accountability Office, 2013). According to a report by the United States Government Accountability Office, addressed to the Chairman of the Committee on Commerce, Science and Transportation of the U.S. Senate, there has been debate on creating a unified framework for data collection. According to the report, “privacy advocates have argued that a comprehensive overarching privacy law would provide greater consistency and address gaps in law left by the current sector-specific approach. Other stakeholders have stated that a comprehensive, one-size-fits-all approach to privacy would be burdensome and inflexible” (United States Government Accountability Office, 2013, p. 1). Although consolidating all the acts (refer to Appendix) which protect consumer privacy across multiple domains might seem to be an onerous task, there is definitely a need for some kind of governing framework which acts as an umbrella for these various laws.
Collaboration with other data brokers - Corporations like ChoicePoint would have to pitch in with their business models and views on making the industry secure. There will be costs associated with compliance activities once an overarching law has been passed by the government. But the additional cost can be justified, as the previous business model had led to a bad reputation and monetary losses owing to legal issues. ChoicePoint lost nearly $27.3 million for the data breach, which included legal fees and auditing costs (Otto, Antón, & Baumer, 2006). This could have been avoided if ChoicePoint had set up a proper compliance plan early on in its business.
The result of non-compliance can be heftier, as it takes more time and effort, leading to low operational output. It can also damage the company’s reputation, which takes years to rebuild, and cause a loss of stakeholders’ confidence in the company (Steinberg, 2011).
Concluding Comments
In conclusion, adopting an active security strategy along with consistent efforts to manage data protection could have prevented ChoicePoint’s security breach. Being a data broker is like walking on a tightrope: one mistake and you can fall flat on your face. Hence, ChoicePoint could have adopted better security technologies and a robust business model, which would have helped it maintain its leadership in the personal data industry.
APPENDIX
Bibliography
1. Company Overview of ChoicePoint, Inc. (2014, November 30). Retrieved November 30, 2014, from http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=364405
2. Reed Elsevier to Acquire ChoicePoint, Inc. (2008, February 21). Retrieved November 30, 2014, from http://www.reedelsevier.com/mediacentre/pressreleases/2008/Pages/ReedElseviertoacquireChoicePoint,Inc.aspx
3. ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress. (2006, January 26). Retrieved December 1, 2014, from http://www.ftc.gov/news-events/press-releases/2006/01/choicepoint-settles-datasecurity-breach-charges-pay-10-million
4. O'Harrow Jr., R. (2005, March 5). ChoicePoint Data Cache Became a Powder Keg. The Washington Post. Retrieved November 28, 2014, from http://www.washingtonpost.com/wpdyn/articles/A8587-2005Mar4.html
5. Gellman, B. (2013, August 15). NSA broke privacy rules thousands of times per year, audit finds. The Washington Post. Retrieved November 28, 2014, from http://www.washingtonpost.com/world/national-security/nsa-broke-privacy-rules-thousandsof-times-per-year-audit-finds/2013/08/15/3310e554-05ca-11e3-a07f-49ddc7417125_story.html
6. Sengupta, S. (2014, November 25). U.N. Urges Protection of Privacy in Digital Era. The New York Times. Retrieved November 29, 2014, from http://www.nytimes.com/2014/11/26/world/unurges-protection-of-privacy-in-digital-era.html?_r=0
7. Kroft, S. (2014, March 9). The Data Brokers: Selling your personal information. CBS News. Retrieved November 29, 2014, from http://www.cbsnews.com/news/the-data-brokers-sellingyour-personal-information/
8. Otto, P. N., Antón, A. I., & Baumer, D. L. (2006). The ChoicePoint Dilemma: How Data Brokers Should Handle The Privacy of Personal Information. Raleigh, North Carolina: The Privacy Place, North Carolina State University.
9. Steinberg, R. M. (2011). Cost-Effective Compliance Programs. In R. M. Steinberg, Governance, Risk Management and Compliance: It Can't Happen to Us - Avoiding Corporate Disaster While Driving Success (p. 24). Hoboken: John Wiley & Sons, Inc.
10. United States Government Accountability Office. (2013, September). Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace. Retrieved from Government Accountability Office website: http://www.gao.gov/assets/660/658151.pdf
11. Paine, L., Phillips, Z., & Bettcher, K. (2008). ChoicePoint. Harvard Business School, 9-306-001.