Case study example

Impacts of ChoicePoint’s Negligence in Information Security Question Oluwatosin’s pretexting trial at Choice point was effective because his credentials were not verified before selling information to him. He pretended to represent legal business as the loophole enabled him to create hoax business accounts, which gave him access to the database with personal financial information (Otto, Anton & Baumer, 2007). The negligence of Check point resulted to violation of privacy. ChoicePoint’s policies were proven to be insufficient and flawed in tackling fraud against the firm as the fraudsters were capable of evading being detected for a whole year. The simple mistakes by the company were the major causes of data breaches.
Question 2
The pretexting attempt of the data breach impacted the business conducted by ChoicePoint negatively as the company was forced to disclose what had transpired and inform residents about their personal, informal being compromised. The federal level charged the company with many negligence counts for failing to make use of realistic information security customs. At the same time, the Federal Trade Commission also charged the firm with violation of giving credit reports to subscribers without permissible reasons to obtain them. The company saw a decline of income and increase of expenses after the incident. At the same time, there were fines imposed on the firm by FTC fines (Otto, Anton & Baumer, 2007). ChoicePoint’s paid a $10 million fine and $5 million to compensate their customers for the losses that stemmed from the information breach. Legal expenses amounting to $800, 000 were incurred during the first quarter of the year 2006 related to the falsified data access. The company decided to restrict information product sale, which contained sensitive customer data.
Question 3
The first governance step that ChoicePoint made was employing of a chief privacy officer who reported directly to the board to govern privacy and public accountability. The briefings are done quarterly to ensure improvement of privacy and security with another detailed oversight roles. ChoicePoint has also come up with many divisions to tackle privacy and security from various angles like corporate credentialing centre. It is a conformity and privacy division, which also undertakes internal auditing (Conger, 2009). The second step is the distinct definition of the expected behaviour and offer tools to employees to make compliance simple. ChoicePoint implemented various practices to scrutinize potentially fake customer behaviour such as investigating firms, which abruptly increase their background checks. Thirdly, a firm need to write data security breach response procedures, which indicate the person who is to be notified in circumstances of privacy breach and what the firm need do for affected customers. The company was forced to implement changes to ensure that consumers reports were given to legitimate businesses only for legitimate purposes. Checkpoint established a security program with comprehensive information. The process was undertaken by obtaining audits from independent security professionals considered third parties. At the same time, the company hired a chief privacy officer to ensure comprehensive verification. ChoicePoint also stopped accepting faxed versions of business licenses. The company also increased its authentication procedures by creating customer identity with non-governmental and privately-held business undergoing re-credentialed to continue access to its databases (Conger, 2009). ChoicePoint also decided to correct several early mistakes, which had enabled the pretexting attempt by creating an independent office to deal with privacy matters. ChoicePoint employed outside help to assess its business as well as privacy practices by engaging in many audits to assess their data management practices.
References
Conger, S. (January 01, 2009). Emerging Technologies, Emerging Privacy Issues.
Otto, P. N., Anton, A. I., & Baumer, D. L. (January 01, 2007). The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information. Ieee Security & Privacy, 5, 5, 15-23.