Question 4. What are the key risk areas that ChoicePoint (and the data broker industry) as a whole need to address to protect its information and to minimize the negative perception (and the resultant likelihood of restrictive laws being passed) of the industry as a whole? [20 points]
Because the personal data industry is relatively new, there are no well-defined data protection regulations. Regulation should be set at the federal level to maintain consistency and uniformity. Federal laws should establish what information is collected, what the retention period is for the different types of data, and what the procedure is for disposing of the information. In the same way, these laws should dictate the minimum security requirements that any company in the data broker industry must comply with.
Data broker companies are putting at risk the identity of people who don't even know that their data is being collected and sold to third parties, such as marketers or magazines. No company should collect or transmit personal information unless the person has given prior consent, and then only for legitimate reasons. The company should notify the person when someone requests their information, and whenever there is a breach the person needs to be warned so he/she can take steps to diminish the negative effects this can cause. In case of a data breach, the company that was in possession of the data should be liable and required to cover the expenses of any financial damage caused by the breach, including clearing any negative information sent to the credit bureaus, as well as to provide credit monitoring plans.
Question 5. To what extent did each of the following three areas (technology, people, and process) play in the ChoicePoint data breach? Explain. [20 points]
In this document I will be discussing the laws that are related to security and privacy of data; I will explain how they relate to the security and privacy of data.
1. What are some of the emerging IT security technologies that should be considered in solving the problem related to the case?
Another mistake for which ChoicePoint is responsible is allowing unrestricted access to data. In this scenario, “…customers were able to access virtually any of its data, not just that to which they were supposedly entitled.” (p. 10) The problem here is no mechanisms were put into place to restrict access to data not authorized
By the end of 2004, ChoicePoint was running a business in the personal data industry with almost $920 million in annual revenue. Beside Acxiom and Lexis-Nexis, ChoicePoint was either first or second in that industry. Although ChoicePoint's focus was on securing the data (the collected consumers' personal information) and controlling the access of companies and individuals to it, ChoicePoint was not applying any Information Security Management standard, which can lead to weaknesses in ChoicePoint's Information Security Management practices.
2. Identify three commercially available technology solutions (products or services) which could be used to address cybersecurity problems specific to DR / BCP. Use the five pillars of information assurance (confidentiality, integrity, availability, authenticity, non-repudiation) when identifying a DR/BCP issue as a cybersecurity problem. Examples: loss of integrity (damaged backup tapes), loss of availability (servers can’t be accessed due to power loss), etc.
When Equifax’s unit was spun off as a publicly traded company named ChoicePoint, its initial focus was to expand the company beyond credit reporting to data brokerage; another intention was to provide the business an escape from the laws that restricted the type and amount of information a credit agency can sell. The company gathered data, assembled it into proprietary databases, and sold products that allowed clients to assess risk and to detect fraud. ChoicePoint acquired various companies that added data and data capabilities to ChoicePoint’s existing database. These capabilities range from data sharing within multiple databases, to creating electronic maps, to biometrics. With an expanded set of data, ChoicePoint became a frontier in data
Personal data is quickly becoming a commodity in today's high technology world. This information is used by banks, investment and brokerage companies, credit card merchants, government agencies (local, state and federal), and consumer product-based companies. Most people probably don't realize the amount of information that's shared between companies, or how often it's done. Many companies sell and share customer data to help sell products and find out what new products they should produce. Other uses include gathering information about inventory levels to help better determine what types of products are bought at which store, when and how often. This can be used for inventory and production, to make sure that the store (or
Question 3. Design an information security metrics program that would provide ChoicePoint executives with visibility into the effectiveness of the security program in preventing future data breaches. What information security metrics would you recommend and why? [20 points]
The EU General Data Protection Regulation (GDPR) was designed to harmonize data privacy laws across Europe. This is mainly done to protect and empower EU citizens' data privacy and to reshape the way organizations approach data privacy. Let’s understand the requirements of Europe’s GDPR and how it affects US companies.
To protect our personal information, the Data Protection Act was introduced in 1998; it is a law which aims to protect our personal data stored on computers or in a paper filing system. The Act also controls how our personal information is used by organisations, businesses and the government. In addition, this Act also requires companies and individuals to keep personal information to themselves. As well as that, the Act provides legal rights to people who have information stored about them.
There are principles that all businesses must follow within the Data Protection Act (DPA) 1998. This act is in place to protect the sharing and storing of anyone’s personal information.
Question 1. What weaknesses in ChoicePoint Information Security Management practices likely contributed to their data breach? Please explain how they contributed and what Choice Point could do to strengthen these areas.
2.1. Personal Data about our customers is an important part of our business and we shall only use your Personal Data for the following purposes and shall not keep such Personal Data longer than is necessary to fulfill these purposes:
In Europe, ever since the first proposal for harmonized data protection laws was made by the EU in 1973, one of the fundamental principles of data protection law has been that of data retention or data conservation (the obligation of the data user or controller to keep data for a limited period of time only) (Warner, 2005). Since the late 1960s data retention has been subject to quasi-legal restrictions in Europe. The first proposal for harmonized data protection laws in Europe was made by the Council of Europe in 1973 (Warner, 2005).