Project #54341 - Information Technology Case Analysis 3 1/2 pages (not including title page, abstract and reference page)

Paper will be

Paper Formatting


These papers must be formatted according to APA 6

th Edition standards including the title and reference page.


Papers MUST include the following sections:

Title Page:

Include name, paper title, course title, instructor’s name, and date.



120 words maximum



Discuss the purpose of the paper in succinct, declarative sentences. The introduction should offer a preview of the paper, its value, and be based upon the concepts studied in the course.

Discussion Content:

This section should include 3 elements: 1) a brief examination of the issue, concept, or consequences of actions taken, 2) the concepts or theoretical applications that pertain to this topic, and 3) a discussion of your position on this topic, supporting your argument from the text or other appropriate sources. It is highly recommended you make use of appropriate headings to guide your reader.


Include a summative paragraph which includes a restatement of key points in your discussion.


A minimum of four academic references per page (not including your text) MUST be used to support your discussion. Document all sources according to APA style.


55 Million Data Breach at ChoicePoint

ChoicePoint is a leading data broker and credentialing ser¬vice. It maintains 19 billion public records on more than 220 million U.S. citizens. The company buys personal data, including names, Social Security numbers, birthdates, employment data, and credit histories, and then sells the data to businesses and government agencies. Marketing, human resources, accounting, and finance departments rely on ChoicePoint’s data for customer leads, background checks, and verification. Roughly 70 percent of ChoicePoint’s revenue is generated by selling consumer records for insurance claim verifications and workplace background screenings.

ChoicePoint was exposing the data to risk by ignoring its policy to verify that potential customers were legitimate before selling data. Disaster was foreseeable. In early 2000, without doing an adequate background check, ChoicePoint provided hackers with customer accounts, which they used to illegally access databases and steal confidential data. By May 2008, that security lapse had cost the company over $55 million in fines, compensation to potential victims of identity theft, lawsuit settlements, and legal fees. Then in June 2008, the company also paid $10 million to settle a class action lawsuit.

Disclosing the Problem Publicly

On February 15, 2005, ChoicePoint reported that personal and financial data of 145,000 individuals had been “compromised.” All of the individuals were at risk of identity theft after Olatunji Oluwatosin, a Nigerian national living in California, had pretended to represent several legitimate businesses. Ironically, Oluwatosin’s credentials had not been verified, which enabled him to set up over 50 bogus business accounts. Those accounts gave him access to databases containing personal financial data. Oluwatosin was arrested in February 2005, pleaded guilty to conspiracy and grand theft, and was sentenced to 10 years in prison and fined $6.5 million. The state and federal penalties facing ChoicePoint were much larger.

Privacy and antifraud laws required that ChoicePoint disclose what had happened. California’s privacy breach legislation requires that residents be informed when personal information has been compromised. Outraged attorneys general in 44 states demanded that the company notify every affected U.S. citizen. At the federal level, ChoicePoint was charged with multiple counts of negligence for failing to follow reasonable information security practices. In 2005, the company was hit with the largest fine in Federal Trade Commission (FTC) history—$15 million. The FTC charged ChoicePoint with violating:

  • The Fair Credit Reporting Act (FCRA) for furnishing credit reports to subscribers who did not have a permissible purpose to obtain them and for not maintaining reasonable procedures to verify its subscribers’ identities.
  • The FTC Act for false and misleading statements about privacy policies on its Web site.
    On March 4, 2005, in what was a first for a publicly held company, ChoicePoint filed an 8-K report with the SEC warning shareholders that revenue would be adversely affected by the data breach. In January 2006, with the public announcement of the extent of the fines, ChoicePoint’s stock price plunged.

The Solution

When a company violates SEC, federal, or state laws, the solution to its problem is going to be dictated to it. The solution to ChoicePoint’s risk exposure was mandated by the FTC. The company had to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes. In addition, the FTC ordered ChoicePoint to establish and maintain a comprehensive information security program and to obtain audits by an independent third-party security professional biyearly until 2026. To reassure stakeholders, ChoicePoint hired Carol DiBattiste, the former deputy administrator of the Transportation Security Administration, as chief privacy officer (CPO).
The Results

ChoicePoint reformed its business practices and data security measures, which were too lax relative to its risk exposure. The company had to stop putting risky business practices that focused on short-term revenues ahead of long-term profitability. This business decision is a necessary and ethical trade-off.
ChoicePoint’s data breach brought businesses’ security policies to national attention. It signaled the need for improved corporate governance. Although there is no generally accepted definition, corporate governance refers to the rules and processes ensuring that the enterprise adheres to accepted ethical standards, best practices, and laws. Companies that collect sensitive consumer information have a responsibility to keep it secure. Together with high-profile frauds and malware, data breaches have triggered an increase in laws and government involvement to hold companies and their management accountable for lapses in governance. Yet, since ChoicePoint’s record-setting data breach, many other infosec incidents and data thefts of greater magnitude have occurred.

Sources: Compiled from, Gross (2005), Kaplan (2008), Mimoso (2006), and Scalet (2005).

Questions (around 1 page response each)

  1. What was the root cause of the data breach?
  2. How could this data breach have been prevented?
  3. In your opinion, were the fines imposed on ChoicePoint sufficient (high enough) to deter such an incident from happening again? Explain your answer.
  4. In your opinion, how effective are the changes implemented by ChoicePoint at deterring or defending against data breaches? Explain your answer.



Subject Business
Due By (Pacific Time) 01/25/2015 12:00 am
Report DMCA

Chat Now!

out of 1971 reviews

Chat Now!

out of 766 reviews

Chat Now!

out of 1164 reviews

Chat Now!

out of 721 reviews

Chat Now!

out of 1600 reviews

Chat Now!

out of 770 reviews

Chat Now!

out of 766 reviews

Chat Now!

out of 680 reviews
All Rights Reserved. Copyright by - Copyright Policy