You can generally count on The Register to tell it like it is, combining news and analysis into a nice sixth-grade-reading-level package for people like myself. Today, they had an entertaining summary of ChoicePoint and Lexis-Nexis’ congressional testimony.
[Republican Senator Arlen] Specter wondered aloud how a company official with enough authority to serve as liaison to law enforcement in such a matter could fail to appreciate its significance and inform others. “I can’t explain it,” [ChoicePoint President and COO Douglas] Curling allowed. However, there have been only “45 or 50 breaches,” in all, he added.
That’s funny Doug…I can explain it and I don’t make anywhere near as much as you. Maybe I’m in the wrong line of work. Basically, Doug, you don’t give a damn about the subjects in your database because they don’t pay you money. ChoicePoint, on the other hand, incents you to do things like say pretty much anything, including claiming you don’t know what the Hell you’re doing running a commercial data brokerage, rather than admit to any mistakes or wrongdoing.
I’ll be the first to admit that every industry has persistent, ongoing attacks on their business models. Retailers have shrinkage and Point-of-Sale fraud. Bars and restaurants have spillage. Data Aggregators have Identity Theft Fraud-by-Impersonation. Notice the key difference, though…Shrinkage, POS Fraud, and spillage all hit the company square in the bottom line. Identity Theft Fraud by Impersonation and attempts to prevent it expand, if anything, the demand for data services like Choicepoint. See anything wrong with this picture?
According to Curling’s statement to the committee, they’re doing three things for their victims and making four internal changes to address the problem. From his testimony:
First, we’ve arranged for a dedicated Web site and toll-free number for affected consumers where they can access additional information and take advantage of a range of tools not required by any federal or state law;
Second, we’re providing, free of charge, a 3-bureau credit report; and Third, we’re providing, free of charge, a one year subscription to a credit monitoring service.
Excuse me if I don’t burst into spontaneous applause. So what they’re doing for any victims of Identity Theft Fraud by Impersonation is admitting that yes, it sucks to be them, then giving them something they can already get for free. Oh, so kind. Doug, if you’re serious about helping the victims of your screw-up, offer to cover any real losses and pay for legal help to clean up the long-term mess for anyone who suffers because of your failures. Anything less than that is lip service.
Moving right along to internal changes, Curling says:
In addition to helping those affected consumers, we’ve taken strong remedial action and made fundamental changes to our business and products:
• ChoicePoint has decided to discontinue the sale of information products that contain personally identifiable information unless those products and services meet one of three tests:
1. The product supports consumer driven transactions such as insurance, employment and tenant screening, or provides consumers with access to their own data;
2. The product provides authentication or fraud prevention tools to large accredited corporate customers where consumers have existing relationships; or
3. When personally identifiable information is needed to assist federal, state or local government and criminal justice agencies in their important missions.
So they’re discontinuing sale of PII to people who shouldn’t be buying PII…what a responsible thing to do. Unless, of course, they’re Large Accounts (corporates). Or Government. Or they promise it will only be used to Fight Evil.
What I’d really like to know is how much more Fraud was committed but is still going either unidentified or undisclosed? It should be pretty easy to get a handle on. Just look for any past PII sales which don’t fit into any of those categories.
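The audit suggested above is simple enough to sketch in code. The following is an added example, not anything from the original post or from ChoicePoint: it encodes Curling’s three tests as an allow-list and runs a constructed set of historical sale records through it, flagging every sale that fits none of the tests and counting them per customer. The record fields and the category values are assumptions made for the example, not a real data broker’s schema.

```python
from collections import Counter

# Constructed sample of past PII sale records. Field names and values are
# assumptions for this example; they do not reflect any real system's schema.
SALES = [
    {"id": 101, "customer": "Acme Mutual Insurance", "customer_type": "large_accredited_corporate",
     "purpose": "insurance_screening", "consumer_relationship": True},
    {"id": 102, "customer": "Metro Property Mgmt", "customer_type": "small_business",
     "purpose": "tenant_screening", "consumer_relationship": True},
    {"id": 103, "customer": "First Coastal Bank", "customer_type": "large_accredited_corporate",
     "purpose": "authentication", "consumer_relationship": True},
    {"id": 104, "customer": "County Sheriff", "customer_type": "criminal_justice",
     "purpose": "investigation", "consumer_relationship": False},
    {"id": 105, "customer": "QuickList Marketing LLC", "customer_type": "small_business",
     "purpose": "marketing_list", "consumer_relationship": False},
    {"id": 106, "customer": "QuickList Marketing LLC", "customer_type": "small_business",
     "purpose": "skip_tracing", "consumer_relationship": False},
    {"id": 107, "customer": "Anytown Collections", "customer_type": "small_business",
     "purpose": "fraud_prevention", "consumer_relationship": False},
]

# Test 1: consumer-driven transactions, or consumers accessing their own data.
CONSUMER_DRIVEN = {"insurance_screening", "employment_screening",
                   "tenant_screening", "consumer_own_data"}
# Test 2: authentication / fraud prevention tools for large accredited corporates
# where the consumer already has a relationship with that customer.
AUTH_FRAUD = {"authentication", "fraud_prevention"}
# Test 3: federal, state or local government and criminal justice agencies.
GOVERNMENT = {"federal_government", "state_government",
              "local_government", "criminal_justice"}


def matching_test(rec):
    """Return which of the three tests a sale satisfies, or None if it fits none."""
    if rec["purpose"] in CONSUMER_DRIVEN:
        return "test1"
    if (rec["purpose"] in AUTH_FRAUD
            and rec["customer_type"] == "large_accredited_corporate"
            and rec["consumer_relationship"]):
        return "test2"
    if rec["customer_type"] in GOVERNMENT:
        return "test3"
    return None


def audit(records):
    """Flag every sale that fits none of the tests; count flagged sales per customer.

    Returns (flagged_ids, per_customer_counts). Flagged sales are the ones a
    review team would pull first when asking how much undisclosed misuse there was.
    """
    flagged = [r for r in records if matching_test(r) is None]
    per_customer = Counter(r["customer"] for r in flagged)
    return [r["id"] for r in flagged], dict(per_customer)


if __name__ == "__main__":
    ids, counts = audit(SALES)
    print("Sales outside all three tests:", ids)
    for customer, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"  {customer}: {n} flagged sale(s)")
```

Note that a small-business collections agency buying a fraud-prevention product (record 107) is flagged even though the purpose sounds legitimate, because test 2 is restricted to large accredited corporates with an existing consumer relationship; that is exactly the kind of record the post is asking to have counted rather than quietly dropped.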
• Second, we’ve strengthened ChoicePoint’s customer credentialing process. We are requiring additional due diligence such as bank references and site visits before allowing businesses access to personally identifiable information. We’re re-credentialing broad sections of our customer base, including our small business customers.
This might help, but I’d like to know if this is going to be across-the-board or sampling. Also, let’s not forget that all this explicitly promises to do is check that there’s more than a PO Box and that the name on the bank account matches the name on the application. What’s really scary is the idea that they didn’t already do at least the bank account level of due diligence on potential customers.
• Third, we’ve created an independent office of Credentialing, Compliance and Privacy that will ultimately report to our Board of Directors’ Privacy Committee.
This office will be led by Carol DiBattiste, the out-going deputy administrator of the Transportation Security Administration and a former senior prosecutor in the Department of Justice with extensive experience in the detection and prosecution of financial fraud.
I think the credibility of Carol DiBattiste as a Privacy Officer has already been adequately discussed.
• Fourth, we’ve appointed Robert McConnell, a 28-year veteran of the Secret Service and former chief of the federal government’s Nigerian Organized Crime Task Force, to serve as our liaison to law enforcement officials. In this role, he will work aggressively to ensure that criminal activities are investigated and prosecuted to the fullest extent possible. He will also help us ensure that our security and safeguards procedures continue to evolve and improve.
This one worries me a lot. This is an admission that they fully expect that whatever they have today plus the previous three changes will not be effective in reducing abuse of their data. I know about and believe in Defense In Depth, but I also know that when the only tool in your box is a hammer, every problem begins to look suspiciously like a nail.
I’ve worked with organizations whose anti-fraud efforts were run by ex-cops and while they were great at prosecuting the ones that they found, their ability to develop preventive strategies or actually find the bad guys to prosecute was consistently piss-poor.
You don’t get security by chasing thieves, you get security by making your assets hard to steal.
Also on the block yesterday was LexisNexis CEO Kurt Sanford. I didn’t have time to do more than skim his testimony, but the Register quote pretty well sums it up:
LexisNexis has also experienced a slew of security breaches followed by a slew of cover-ups, division CEO Kurt Sanford admitted. “All but 4 or 5 of the breaches were due to compromised passwords,” he noted.
I feel like I’m beating a dead horse, but let me say it one more time…Passwords are inadequate for authenticating one’s identity. Now what were the other “4 or 5” breaches caused by?
At least someone at the hearings displayed some evidence of Clue. Too bad it wasn’t from the industry side.
[Vermont Attorney General William] Sorrell observed that ID theft can be especially crippling because it’s an attack on credit availability, and for most Americans, access to credit is more valuable than their other assets (rather a sad comment on US economics when you think about it). He urged Congress to follow California’s lead in requiring notification of important data security breaches. But the regs should be crafted to let states be more protective if they wish. “Federal legislation should be a floor, not a ceiling,” he advised.
Excuse me while I find a corner to cry in.
Dude, nice job on this entry.
I’m starting to believe the lore that the top 100 financial institutions are 0wned, etc. Pathetic is the only way to describe the response of these folks. Sigh.
Chris Walsh Says: