Friday, February 17, 2006

Happy Anniversary, ChoicePoint

Data privacy changed dramatically on February 15, 2005. That was the day the world learned that data aggregator ChoicePoint sold 150,000 or so consumer dossiers to Nigerian scam artists posing as small businesses.

Because some of those dossiers contained credit profiles of California citizens, provisions of that state’s data protection law, SB 1386, were invoked, requiring ChoicePoint to notify about 35,000 people that they were at risk of credit fraud and identity theft.

That’s when things started getting interesting.

Observers, including journalists and privacy advocates, started pressuring ChoicePoint for more information. If the breach included information for 35,000 Californians, how many files from the other 49 states were included? Why weren’t those individuals being notified?

Initially, ChoicePoint dug in its heels. The company had done no wrong, it said, and was tricked into selling the consumer data. Furthermore, ChoicePoint was cooperating with authorities to help track down the real criminals. But as the volume of protest rose, eventually ChoicePoint relented and sent notices to all those they said had been affected by the incident.

Significantly, ChoicePoint’s actions in the days following the February disclosure established a precedent with major implications. Since that time, organizations whose consumer data has been compromised have been under pressure to disclose such breaches, even when California SB 1386 has not come into play. Many states have either passed or are currently debating laws modeled after SB 1386, and Congress is debating a federal law on the issue of consumer data protection. We can agree that much good has come of the ChoicePoint breach.

But this is a blog that examines communications, and it is important to note that, from a public relations standpoint, ChoicePoint did everything wrong related to the breach.

The sale of information to the Nigerians, according to ChoicePoint, happened months earlier. They knew they had a potential crisis on their hands, and they had plenty of time to prepare for any number of crisis contingencies related to the breach. From everything I was able to observe at the time, there was no plan in place. Or, if ChoicePoint did have a plan, it was a lousy one.

ChoicePoint blamed the Nigerians, claiming no responsibility for the lack of a process requiring it to vet the legitimacy of its transactions. Even when it became clear the breach had affected consumers across the country, ChoicePoint clearly didn’t want to take the time and expense to do the right thing and treat everyone equally. It would comply with California law, but everyone else was on their own.

Their attitude immediately following the disclosure was less than contrite. It was downright arrogant, but that arrogance only served to keep the spotlight on ChoicePoint, until the pressure got to be too much. Market reaction also came into play as ChoicePoint stock took a major hit.

Ironically, within a few weeks, and while ChoicePoint was still dealing with their public relations fiasco, Bank of America lost storage tapes containing 1.2 million customer records – including federal employees and members of Congress. BoA’s breach was nearly ten times larger than ChoicePoint's, but BoA moved quickly to take responsibility and initiate notification as well as other steps to help protect consumers. Instead of taking the heat off of ChoicePoint, the BoA breach offered contrast to ChoicePoint’s reaction. BoA’s reputation certainly took a hit, but the damage was minimal. ChoicePoint remained (and remains) imprinted in the public’s memory as the poster child for bad data protection behavior.

To be fair, ChoicePoint has gotten its act together since that time. They hired a high-profile chief privacy officer, former Transportation Security Administration executive Carol DiBattiste, empowering her with real authority over issues related to compliance and data protection. ChoicePoint has also instituted sweeping change within the organization to address the conditions that led to the infamous breach. Their public communications have improved, as well, and they have made an effort to keep the public and market informed of these ongoing changes.

Observation: Where to begin? Any organization should, as a matter of course, conduct an objective audit of its operations, consider all the worst-case scenarios, and have a crisis communications plan in place, especially for situations where the worst case involves potential harm to people. ChoicePoint seemed to have had no such plan. Under these conditions, you simply cannot wing it and expect to emerge unscathed. ChoicePoint’s reputation suffered severe damage, and it remains tainted by the incident. Going further, it is critically important to understand where your risk lies and take steps to address those areas before there is a problem.

