The CEO of ChoicePoint has spoken out in response to the recent incident involving the personal information of 145,000 Americans. He says that the company should have done things differently and that it is no longer providing services to small businesses because of "the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them." (I wonder if consumers see a direct benefit in their selling information to large businesses.)
Interestingly, he says he did not become aware of the incident until months after it occurred. This highlights a problem I blogged about a while ago (PIPEDA and Canadian Privacy Law: Handling customer complaints under PIPEDA). Too often, when incidents occur, they are dealt with by lower-level employees. Senior management and the directors, who are ultimately responsible for safeguarding personal information, are kept in the dark. What might start as a minor, one-off incident snowballs as further incidents are able to pile up. As we have seen, incidents such as this can have severe repercussions for a company, undermining shareholder value (see the chart on the right, showing CPS share price) and destroying consumer confidence. Companies that handle personal information need to make sure that all incidents are appropriately escalated to someone who has overall responsibility for the big picture. From Canadian Business magazine:
Canadian Business | News | ChoicePoint exits small business sales; CEO says he wasn't aware of breach:
March 4, 2005 - 15:53
By HARRY R. WEBER
ATLANTA (AP) - The embattled data broker ChoicePoint Inc. said Friday that it was suspending sales of consumer information to small businesses, and the company's chief executive said he did not learn of a major breach until several months after it was discovered.
CEO Smith told The Associated Press in an interview Friday that he did not personally learn of the breach until late January, though Los Angeles County detectives made their first arrest in the case in October.
"There is no way that a CEO can know everything that is going on as it relates to an operation," Smith said. "I am not involved in the day-to-day operations of the business."
Smith claimed ChoicePoint didn't grasp the magnitude of the breach until this year.
Asked if he would resign over the matter, Smith said, "I have no intention of leaving the company."
In an AP interview last week, Smith said "we voluntarily found the breach (in October) and notified law enforcement." He said Friday that he didn't mean to include himself in that reference.
Smith said the decision to halt sales to small businesses follows "the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them."
ChoicePoint's 17,000 small business customers accounted for about five per cent of annual revenue of $900 million. As a result of suspending sales to them, ChoicePoint said it expects a decline in core revenue this year of $15 million to $20 million.
"Clearly what we did over the last week was take a very hard look at our business," Smith said. "To the extent you could rewrite history, we wish we would have done things differently."
A similar breach involving 7,000 to 10,000 ChoicePoint records occurred in 2002 but did not become public until reported by the Los Angeles Times earlier this week.