Data In Peril

Technology leaders play a key role in mitigating and preventing customer-data breaches like the ones at ChoicePoint and Bank of America

Our customer data is safe, right?

CIOs who weren't asked that question directly in the past few weeks certainly were asking it of themselves. With embarrassing data-security breakdowns at major companies prompting public disclosures and rising calls for federal investigations and legislation, the pressure has gone up a few notches on anyone in charge of keeping personal data private.

"Are we doing anything that could compromise the security of customer data? What steps have we taken, and is there anything else we can do?" asks Ken Casey, senior VP of retail banking delivery at Canadian bank ATB Financial, echoing questions running through the minds of his peers. "It's an enormous reputational risk."

Late last month, Bank of America Corp. said it lost an undisclosed number of data-backup tapes while they were being transferred. Those tapes included Social Security numbers and charge-card data on 1.2 million federal employees. There's no evidence data on the tapes has been accessed or misused, the bank says. Specific hardware and software would be needed to read the data, according to the bank, although it wouldn't say if the data was encrypted.

ChoicePoint Inc., which maintains huge databases of information for identification and credential-verification services, may have revealed personal information about as many as 145,000 people in October when identity thieves used fake businesses to dupe the company into granting them access to consumer-data profiles. That came to light last month when ChoicePoint had to comply with the California law requiring disclosure of such personal data breaches.

Then last week, a court case revealed it wasn't the first time ChoicePoint had been scammed. A similar scheme in 2002 allowed two thieves posing as a business to use names and Social Security numbers gathered from ChoicePoint databases to commit $1 million worth of fraud, the U.S. Attorney's Office in Los Angeles charged. One of the crooks is in prison, and the other will be sentenced this week. ChoicePoint declined to comment on the incidents.

ChoicePoint also is facing a Federal Trade Commission investigation into the credential process used to screen buyers of personal information, and whether ChoicePoint met federal laws governing consumer information security, according to a ChoicePoint filing with the Securities and Exchange Commission. And the SEC is investigating stock sales by the CEO and chief operating officer in relation to the disclosures. It also faces at least two civil class-action lawsuits.

Last week, the data-security problems prompted ChoicePoint to change its business practices to restrict sales of customer information, including Social Security and driver's license numbers. It will continue to supply consumer data in some situations, including sales to large business customers for such actions as identity verification and to support transactions initiated by or benefiting a specific consumer such as screening employment or insurance applications.

	Consumers don't want personal data used without a direct benefit to them, ChoicePoint CEO Smith said last week. Photo by John Bazemore/AP

"These changes are a direct result of the recent fraud activity, our review over the past few weeks of our experience and products, and the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them," ChoicePoint CEO Derek Smith said in a statement.

These cases are having an impact across business and government. Rep. Bennie Thompson, D-Miss., and other Democrats on the House Judiciary and Homeland Security committees are seeking investigations, including looking into any homeland-security risks raised by the ChoicePoint data lapses, such as whether terrorists could use the information to get into the country or raise money. The Senate Judiciary Committee is planning hearings, and Sen. Dianne Feinstein, D-Calif., has proposed a federal law similar to California's requiring businesses to report data breaches.

When H&R Block Inc. CIO Marc West heard of Bank of America's troubles, his first reaction was to check if the two companies had any relationship that might compromise any portion of H&R Block's 21 million customer records. There was none, but West wanted to be certain. "As good as we think we are, we need to make sure our business partners are equally good, because it's our customers' data that's at risk," West says.

Technology has a clear role to play in preventing--or lessening the severity of--incidents where customer data is at risk.