ChoicePoint exposed itself to considerable expense, many problems, and a possible loss of brand confidence because it notified the Los Angeles Police Department, cooperated in the investigation, and notified the individuals whose records had been compromised. It could have buried the theft and possibly avoided any responsibility. Comment on the ethical issues and ChoicePoint’s response. Did ChoicePoint choose wisely? Consider that question from the viewpoint of customer, law enforcement personnel, investors and management.
Ethics is about doing the “right” thing. Although ChoicePoint’s decision was possibly intended to be the right action, it was not. Close to a year prior to this incident, California put the Security Breach Notification Law into effect on July 1, 2003. This law states that California customers must be notified if personal information contained in computerized data files has been compromised by unauthorized access. Even in contacting the Police, the Police should have responded differently given their state’s law.
Customers have the right to know if and when their information has been compromised. Law enforcement, local, state or federal, should be notified as they need to conduct their investigation in hopes of catching the criminals. For investors, stocks are volatile against identity theft. Some companies go out of business because of the legal fees associated with such criminal acts. Over time, the stock can recover, if they are still in business. Management must act aggressively when they learn of identity theft having taken place.
Given ChoicePoint’s experience, what is the likely action of similar companies whose records are compromised in this way? Given your answer, do you think federal regulation and additional laws are required? What other steps could be taken to ensure that data vendors notify people harmed by data theft?
It is hard to say what action other companies would take given this same situation. If they are small, they may just fold and not tell anyone. If the company has a reputation to uphold, then hopefully they will take the appropriate action to ensure security is restored.
I really don’t see where more laws and regulation would help. Granted, yes, it would help to ensure that companies are required to hold a large multi-million dollar policy to be able to financially correct the issue. But, there again, too much red tape on this type of regulation would probably hold the company accountable for negligent acts and they would not be entitled to $$.
Additional security measures should be implemented like biometrics. The customer information should be better regulated from 3rd party access. The data system should be implemented to ensure that strong passwords are applied and can’t be removed as well as limited/controlled access to company employees.
Visit www.choicepoint.com. Summarize the products that ChoicePoint provides. What seems to be the central theme of this business?
- LexisNexis® Health Care Solutions helps health care payers process and investigate claims more efficiently to reduce financial losses and make informed decisions. LexisNexis Health Care Solutions also helps care providers facilitate compliance and optimize their revenue cycle processes to increase cash flow and reduce write-offs.
- LexisNexis Advanced Government Solutions is uniquely positioned to help the US federal, state and local government agencies transform data into mission-critical decisions with industry-leading technology and solutions. LexisNexis enables government agencies to efficiently and securely analyze seemingly unrelated pieces of data, quickly identify and connect relevant, insightful information resulting in a multi-faceted view of your subject, leading to more accurate, timely and informed decisions around fraud, waste and abuse, crime and massive and complex data problems.
- LexisNexis Risk Solutions can optimize the integrity and efficiency of your processes, from identity verification and fraud prevention to credit decisions, anti-money laundering, and due diligence. Advanced analytics help you minimize exposure to risk by quickly uncovering patterns that identify fraud characteristics sooner. Our solutions seamlessly integrate into your systems and always provide the highest levels of security and privacy.
- LexisNexis® Risk Solutions delivers the clear results you need to predict and prevent fraud, find and approve profitable customers and improve the business metrics that matter most to your organization.
The general theme here is “Risk Solutions”. ChoicePoint/LexisNexis wants to provide you, the customer, with the necessary information to minimize your level of risk.
Suppose that ChoicePoint decides to establish a formal security policy on the issue of inappropriate release of personal data. Summarize the issues that ChoicePoint should address in this policy.
The main issue that should be addressed in this policy is the level of security required to obtain/release personal data. ChoicePoint must provide confidentiality and integrity to their core business, information. This policy should be set in place with the understanding that it is to prevent unauthorized access, disclosure, modification, destruction, or inappropriate use. This policy should govern all sub-policies and enforce security programs. The policy should be managed at the highest level of the organization and adhered to within all levels of the company’s organization.
- Ignoring developments that have occurred since this case was written, what statement can be made about the technical feasibility, cost feasibility, and schedule feasibility of this project? The CADE project is not feasible. If you look at the $33M that was invested and then another $84M that was spent along with the string of annual delays, this project is like the black hole.
- Use your imagination to try to understand how this situation came about. The IRS selected a team of contractors to develop the information systems that would support the modernization effort. Those contractors proposed a rule-based system, but apparently no one asked whether such a system would work on a problem this large. How could that occur? Suppose you were a non-IT manager at the IRS. Would you know to ask? Suppose you were a senior manager at one of the contractors. Would you know to ask? If you did ask and your technical people said, “No problem,” what would you do? The IRS tax system is overcomplicated and too complex. I can see where the rule-based suggestion was made, but this type of system should only be used on a small and simple scale. This occurred because the IRS didn’t have an answer and hired a team to make these decisions. I don’t think it would matter what position was held within the IRS, they didn’t have a clue what they were getting into and couldn’t have ever forecast what the end result would look like.
- Suppose you are a senior IRS manager. In defense of your management, you say, “We hired reputable contractors who had extensive experience developing large and complicated systems. When they told us that a rule-based approach was the way to go, we agreed. Should we be required to second-guess the experts?” Comment on that statement. Do you believe it? Do you think it’s a justification? That statement is nothing more than an excuse. If you went to a doctor and he said you have cancer and only months to live, would you seek a second opinion? I would hope so. Experts are experts unless they can provide a turn-key solution. Reading the case material, no one could even project what this “solution” would look like, what it would cost, or how long it might take. In my opinion this is an immediate “RED” flag and another set of consultants/contractors would be brought in for a second evaluation.
- Does it seem remarkable that, according to the SEI review, no one has yet considered the time, cost, and difficulty of harvesting the rules? Clearly, the need to allocate time and labor to that problem was visible from the start of the project. How do you think such an oversight occurred? What are the consequences of that oversight? Yes, very remarkable, but hey, isn’t this how government works? Looking back at the SDLC, all of these activities, tasks, deliverables, budgets, scope, resources, and equipment should be well documented and presented in the initial “business case” of this project. It is an oversight due to the lack of knowledge of what the IRS wanted. They are the ones that need to set the scope and requirements to present to the “contractors” so they know what their job is. Everyone just seemed to have this vision of what they wanted, but no knowledge or direction on how to get there. The consequence of this kind of oversight is a total waste. Waste of dollars, time, resources, systems, equipment, and ultimately taxpayers’ dollars.
- Suppose it turns out that a rule-based system is infeasible for processing more complicated tax returns. What alternatives are available to the IRS? As a taxpayer, which do you recommend? I am not real sure that those that even wrote the tax forms could file their own taxes. Alternatives would be to leverage professional accountants to process the more complicated returns by hand. Even if a system was implemented to automate these returns, there should still be checks and balances in place to ensure accuracy. As a taxpayer, I would vote for the manual processing.
- Google “IRS CADE problems” and read three or four articles and report on recent developments. Comment on any recent information that sheds light on your answers to question 1 through