A slap on the wrist: this is why companies don't do all they can about security
A lesson I have learned in security is that most organizations can be better about security but choose not to. They vote with their pocketbooks and budgets, balancing the risk of loss against the cost of security. A perfect example of this reality is the recent settlement by ChoicePoint with 43 states and Washington, DC. I read about this in a blog article by Dennis Fisher on SearchSecurity.
ChoicePoint settled all of the outstanding suits with 44 different jurisdictions over its negligence in giving away the confidential information of almost 150,000 persons, for 500k. This amounts to about $3.45 a record. Not even a smack on the wrist, actually a joke. Granted, this is on top of a 10-million-dollar fine to the FTC and a 5-million-dollar payment to consumers who were affected by this. So all together, for 15.5 million, ChoicePoint is scot-free. That sounds like a lot of money, but to a company doing a billion a year in revenue it is a mere pittance.
Clearly, ChoicePoint can make a business decision that, weighed against the risk of paying the 15 million, what it would cost to prevent this is not worth it. Other than the fines, companies embroiled in these data losses don't seem to suffer any further damage to reputation or the bottom line. Until we make the repercussions meaningful enough, we will continue to see these types of data losses. It's nothing personal, it's strictly business. Risk management at work.
I should point out that this was not a hack as much as a social engineering breach. ChoicePoint, in its greed to profit from all of the data it gathers on everyone, was duped into giving this information out. If they had been slapped hard, they would think twice about failing in the trust placed in them to keep such confidential data confidential!





