Leadership Lab: Information Technology and the Law

This series of essays explores the many aspects of technology law relating to computer and information security.

ChoicePoint Marked New Era in Data Security Law

May 31st, 2007
By Benjamin Wright, J.D.


Until 2002, the conventional wisdom in corporate IT departments dictated that breaches of security were not disclosed to the public. Publicity would just inspire copycats and reward the electronic burglar with notoriety. If a hacker obtained sensitive personal information such as a Social Security number or credit card number, the conventional wisdom said it was better not to tell the individual to whom the number pertained, because he would be unduly alarmed and would not know what to do.

California Senate Bill 1386

But for the conventional wisdom, the beginning of the end came with passage of California Senate Bill 1386 in September 2002. In general, under 1386, an enterprise holding private information (name plus Social Security number, driver’s license number, or financial account number together with its password) in electronic form about a California resident must promptly notify the resident if the enterprise suspects a breach in security. Keeping a break-in secret was no longer an option in California.

But that law mattered only in California, right? Not really, because the holder of a database rarely knows for sure whether any given identity in the database is or is not a California resident. A California resident can have a postal address in South Carolina. Database owners suffering break-ins find they are at risk if they do not give notice to the folks with Vermont or Florida addresses, because someone with such an address might be a California resident.

ChoicePoint Limited Notices to California

Nonetheless, a company named ChoicePoint seemed to think it knew enough about the people in its database that it could distinguish the residents of California from the residents of other states. And indeed, ChoicePoint’s database contained a great deal of detailed information about people, as it was used for qualifying such matters as insurance coverage and government services. When ChoicePoint discovered a massive security breach in 2005, it sent notices to California residents, but declined to send notices to affected people in other states.[1] Outside California, ChoicePoint seemed to be applying the old conventional wisdom.

ChoicePoint’s decision met with a firestorm. The media broadly publicized ChoicePoint’s strategy of sending notice only to California. And within the public the reaction was, if notice is good enough in California, why isn’t it good enough in New Jersey or Oregon?

With lightning-quick speed, an astonishing number of non-California state attorneys general (AGs) -- 38 to be exact -- dashed off an “open letter” to ChoicePoint, demanding that notice be sent to the affected people in other states as well.[2]

ChoicePoint capitulated and announced it would send notice to affected individuals nationwide.

California Legislation Becomes De Facto National Law!

Notice what happened here. California passed an IT security law, and two and a half years later the law reflected public policy nationwide. When the 38 AGs signed onto the open letter, they were not applying California law in their states. Neither were they applying legislation from their own states that specifically requires notice as 1386 does (no such legislation existed in those states at that time). Rather, they were applying just their own sense of public policy and political pressure. They drew from their general authority as official champions of “fair dealing” in their states to say that if a database holder is going to afford notice to one group of victims, then it ought to afford notice to all.

In practical terms, the AGs said the standard set in California is what is “fair” and, therefore, it is the law in the other 38 states as well.

The old conventional wisdom was effectively declared dead . . . nationwide. This story bears witness to how quickly technology law -- where traditional state-to-state differences in interest are of little relevance -- can develop and change.

Since 2005, many state legislatures have passed legislation inspired by California's Senate Bill 1386.

ChoicePoint's Poor Decision

In hindsight, ChoicePoint’s decision to send notice only to Californians looks boneheaded. ChoicePoint apparently thought it could limit negative consequences by adhering only to a strict reading of existing law. But the politics and emotions surrounding database break-ins called for a more savvy response. By sending notices only to California, ChoicePoint energized the media, as well as politicians (AGs) outside California, and thus attracted a disproportionate measure of criticism and negative publicity.

Even if ChoicePoint honestly believed the massive break-in was limited to people with California addresses, it should have made clear it intended to send notice to people from other states if it found evidence that their information had been compromised.

Social Security Numbers and Privacy Protection

ChoicePoint suffered dearly for its security break-in. In light of ChoicePoint's experience, what should enterprises be doing?

First, they should attempt to store less (and rely less on) dangerous data like Social Security numbers. Georgia Tech University, for example, has announced that it no longer relies on Social Security numbers as student identification numbers.[3]

Second, months after ChoicePoint's scandal, the company took some painful steps that can serve as a model for other enterprises. "ChoicePoint said it would no longer sell data to private investigators, debt collectors, or businesses such as check-cashing outfits, unless they are associated with an accredited bank. ... The company [also] has created an Office of Privacy, Credentialing and Compliance, which oversees policies regarding the company's compliance with local, state and federal privacy laws, regulations and company policies, as well as the credentialing of customers." [4] In other words, ChoicePoint took a hard look at its business, and took some bold, expensive steps to protect privacy going forward.

We discuss these and related issues in greater depth in the courses I author and teach, Legal Issues in Information Technology and Information Security.[5]

==
Benjamin Wright is an attorney based in Dallas, Texas, and instructor for a series of courses on IT security law, promoted by the SANS Institute.[6] He is the author of numerous books on technology law.
==
1. Associated Press, “Big ID Theft in California,” Wired News, Feb. 16, 2005, http://www.wired.com/news/business/0,1367,66628,00.html
2. Associated Press, “38 AGs Send Open Letter to ChoicePoint,” Feb. 18, 2005
3. Press Release, "Tech Becomes Georgia’s First State University to Stop Using Social Security Number on Student IDs," February 28, 2003, http://www.gatech.edu/news-room/release.php?id=91
4. Joris Evers, "ChoicePoint overhaul completed, company says," C/net News, June 29, 2005, http://news.com.com/ChoicePoint+overhaul+completed%2C+company+says/2100-1029_3-5768426.html?tag=item
5. http://www.sans.org/training/description.php?tid=862
6. http://www.sans.org