1 / 20

Dionne Hill‎ Scott Schomaker Sungkuk Ji

ChoicePoint Case Analysis April 20, 2012. Dionne Hill‎ Scott Schomaker Sungkuk Ji. Agenda. Executive Summary Business Vulnerabilities Problem framework Recommendation Q&A. Executive Summary. ChoicePoint Business Vulnerabilities. Misuse. Errors. Data In. Choice Point.

ahooper
Download Presentation

Dionne Hill‎ Scott Schomaker Sungkuk Ji

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ChoicePoint Case Analysis April 20, 2012 Dionne Hill‎ Scott Schomaker Sungkuk Ji

  2. Agenda • Executive Summary • Business Vulnerabilities • Problem framework • Recommendation • Q&A

  3. Executive Summary

  4. ChoicePoint Business Vulnerabilities Misuse Errors Data In Choice Point Data Out • Maintain records • Consolidate • Databases • Expand service lines • Credit Checks • Background Checks • Direct mail lists • Collecting Business data • Purchasing Databases • Recording Public • Acquiring competitors Privacy Concerns

  5. A Framework for understanding ChoicePoint’s challenge. Choicepoint has not effectively mitigated the risks inherent in its business model.  A potential victim of its own success, negative externalities of improved access to data (misuse, errors, and invasion of privacy) threaten to undermine ChoicePoint's future operations. Value Data Errors Misuse Privacy Concerns Impact Regulatory Response Customer Revolt

  6. Solution Criteria 1 2 3 • Comply with Choicepoint’s core value and mission • Measure by capital requirements and access to information • Mitigate business risk of Choicepoint • Builds public trust and safeguards the data • Measure by risk profile analysis • Cost effectiveness • Measure by cost/benefit analysis Any solution must meet specific solution criteria

  7. As-is risk profile 2 1 3 Uncontrollable Risks Controllable Risks 1 3 Gray areas 2 • Regulatory response • Identity theft (Direct and Secondary) • Data breaches • Data error by Choicepoint • Identity verification • Data misuse • Privacy concerns • Public response

  8. Two recommendation buckets

  9. Market demands better internal controls Failure to manage bad records or quickly respond to developing issues reflects poorly on ChoicePoint and threatens the company’s reputation Future State Current State • Chief Data Security Officer • Guidelines for crisis response • Regular security audit • Data encryption • Analysis software • No special officer for protecting data security • Crisis management slow because no plan in place to respond • Exisiting mechanism in detecting fraud is ineffective • No effective protection from hacking and data breaches

  10. Proactive regulatory actions needed Regulation threatens ChoicePoint’sbusiness model and bottom-line so the company must adopt policies and advocate for regulations that both protects its model and empowers consumers. Future State Current State • Controls and Consumer Protection • All ChoicePoint products fall under FCRA • Adopt federal notice requirement improving ongoing relationship with consumer • Advocate the creation of an Administrative regime to empower consumers • Work with Electronic Privacy Information Center (EPIC) to promote prosecution • Few Controls and Protections • Fair Credit Reporting Act (FCRA) only applies to certain products • Patchwork of federal, state, and local laws, notice consistency lacking • Little assistance for consumers to rectify information errors • Privacy advocates suggest harmful legislation like Social Security restrictions ($15M-$20M cost)

  11. Reference Appendix

  12. Possible impact • Can reduce the risks of breach to legislation and identity theft Chief Data Security Officer Outline Measurability Actions required Cost Risk implication • Set up office of data security to oversee not only compliance with law enforcement bodies but also credentialing of customers • Easily measurable by breach reported • Define clear R&R for Chief Data Security Officer in the corporate level • Assign budget to organize the office and recruit • Mobilize the office • $1M/Yr • From unmanageable to manageable (Compliance to regulatory actions)

  13. Possible impact • Can reduce potential damage from lawsuit, regulatory and public response reaction Guidelines–Misuse, Error and Breach scenarios Outline Measurability Actions required Cost Risk implication • Choicepoint must have action plans in place for dealing with data breaches, misuses and errors to the public, regulatory body and impacted individual respectively • Easily measurable by reviewing manual and auditing the process • Prepare action plans by scenarios – data breaches, data misuse and data error • Assign owner with detailed action plans • Pilot the process and launch • 3M (Hiring consulting firm to develop recommendations) • From unmanageable to gray and manageable ( Negative public response and regualatory reactions)

  14. Possible impact • Can reduce the risks of data breach Regular security audit Outline Measurability Actions required Cost Risk implication • Conduct regular security audit on the process and security by both internal staff and 3rd part auditors • Easily measurable by reviewing audit report • Decide on audit schedule and auditor • Implement audit and review • 3M / Yr • From unmanageable to manageable

  15. Possible impact • Cannot root out the risk of data theft but reduce direct and derived damage from data theft and hacking Data encryption Outline Measurability Actions required Cost Risk implication • All personal data (especially SSN and driver license umber) should be stored in the enciphered form • Easily measurable by data administrator and auditor • Decide on project scope and budget • Contact service provider • Launch project • Based on the project scope and budget • From unmanageable to manageable

  16. Possible impact • Reduces size and frequency of data breaches • Highlights importance of data security to internal organization Analysis software Outline • Develop internal software to identify suspicious behavior, with the power to initial human led investigation Measurable Actions required Cost Risk implication • Data breach sizes limited to 5% of 2004 levels • Dedicate portion of analytics team to irregular customer behavior • Partner with top tier Universities to keep at cutting edge of security • $5M upfront • $2M annually • ??

  17. Possible impact • Builds consistency within the company to increase accuracy. • Signals to consumers and legislatures company is being proactive about privacy and safeguards Regulatory Action I Outline • All ChoicePoint products fall under FCRA Measurability Actions required Cost Risk implication • Success is measured by the time it takes to adopt policy change internally and potential federal adoption • Communicate policy change staff-wide • Create internal accountability mechanism • Minimal cost, more employee cost in terms of additional time • Manageable

  18. Possible impact • Changes image of company: from a threat to consumers to one that partners with them when errors occur Regulatory Action II Outline • Adopt notice requirement for ongoing relationship with consumer Measurability Actions required Cost Risk implication • Success measured by adoption • Communicate expectation to staff • Lobby Congress • Timeline for phasing in the launch • Increased personnel costs for this customer service • Varies according to error occurrence, estimate at $100K annually • From gray area to manageable

  19. Possible impact • Signals willingness for increased regulation and concern for consumer rights building trust • Creates ongoing connectivity to government regulators in positive way Regulatory Action III Outline • Advocate the creation of an administrative regime to empower consumers Measurability Actions required Cost Risk implication • Easily measurable, whether the agency is created • Communicate with legal department and lobbyist • Meet with Congressional staffers • Press releases • $250K proposed lobbying cost • No cost to ChoicePoint once agency is created • From unmanageable to manageable

  20. Possible impact • Creates partnership with top consumer advocate • Builds public trust and cost effective Regulatory Action IV Outline • Work with EPIC to craft legislation and promote prosecution of data thieves Measurability Actions required Cost Risk implication • Quantify percent of thieves to persons brought before the law • 60% prosecution rate is a good target • Audit data breach occurrences • Build cooperative relationship with EPIC • Decide on cost structure of partnership • Shared between EPIC and ChoicePoint • Estimates at $1M annually • From gray area to manageable

More Related