Case Study on Choicepoint

ChoicePoint’s Failure to Avoid a Data Breach

Dwight N. Evans Jr.

Excelsior College

Abstract

ChoicePoint is Private Personal Information (PPI) database collection agency that sells PPI to generate revenue. ChoicePoint practiced relaxed standards in the verification of identity of businesses requesting PPI. As a result, hundreds of thousands of people’s PPI was illegally obtained and ChoicePoint was subsequently fined millions of dollars by the Federal Trade Commission (FTC). Additionally, several lawsuits against ChoicePoint tapped them more than $10 million. This case study outlines ChoicePoint’s failure to protect PPI, their unethical business practices, and what can be done to avoid data breaches in the future.

ChoicePoint’s Failure to Avoid a Data Breach

In 1997, Equifax separated its insurance information division, ChoicePoint; in hopes of relieving the company of some, governmental polices that applied directly to credit reporting agencies (Otto, Antone, & Baumer, 2006). ChoicePoint began operating as completely separate entity of Equifax, and generate most of its revenue from selling PPI to insurance companies and business services. Then in 2005, a data breach occurred when at least 50 fraudulent businesses had obtained PPI from at least 35,000 California residents (Otto, Antone, & Baumer, 2006). It was later discovered that the data breach had effected over 140,000 people nationwide.

Issue

The major underlying theme behind ChoicePoint’s data breach is unethical business practices. ChoicePoint refused to follow any type of organizational process or information security policy in regards to vetting potential customer’s identity. They sold PPI to over 50 fraudulent businesses. Furthermore, they refused to tighten its security protocol despite the warnings by law enforcement (Sullivan, 2006). In fact, ChoicePoint continued to sell PPI to alleged criminals even after the fake business’ licenses had expired, and telephone numbers...