Monday, June 26, 2006

Computer Security: ChoicePoint's Lessons Learned

By Todd Spangler

A year and a half after mistakenly selling consumer info to criminals, the data broker says it has put in dozens of new policies and procedures to make sure such a security breach doesn't happen again.

A rash of security breaches has hit the headlines recently, chief among them the theft of a Department of Veterans Affairs' laptop with data on 26.5 million vets. Perhaps the best advice on how to respond if your company is caught in the line of fire comes from one that has been there itself: consumer data broker ChoicePoint.

In February 2005, ChoicePoint acknowledged that it had mistakenly sold personal information on thousands of individuals—as it turned out, more than 163,000 people—to bogus companies set up by Nigerian criminals (see ChoicePoint: Blur, from Baseline's June 2005 issue).

The Federal Trade Commission this January fined the Alpharetta, Ga.-based company $15 million for the disclosures.

Carol DiBattiste, ChoicePoint's chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach never happens again.

"There's not a company around today that takes security more seriously than we do," claims DiBattiste, who joined ChoicePoint in March 2005 after serving as deputy administrator of the U.S. Transportation Security Administration. She says ChoicePoint has passed 43 security and privacy audits in the past year.

Gartner analyst Avivah Litan says ChoicePoint's security practices are now extremely strict—and appear to be among the best in any industry. "When you're fined and caught after a data breach," she says, "you really shape up."

Some of ChoicePoint's changes involved business practices. The company says it has improved customer-screening procedures, verifying their authenticity via multiple sources and by physically visiting their premises. It also now provides personally identifying information like Social Security numbers only as part of consumer-initiated transactions (as when someone applies for a home loan), as part of fraud-prevention programs or when requested by law enforcement officials.

But ChoicePoint has also tightened the screws on its information-technology infrastructure, with what DiBattiste says are more than 30 new policies and procedures.

It's enhanced user ID and password protections—if employees forget their passwords, they must take a five-question quiz (example: "What year was your Social Security number issued?") to reset them; if they fail that, they must pass a 15-question quiz with a systems administrator.

ChoicePoint has blocked access to its network from all non-U.S. Internet addresses, with a few exceptions that DiBattiste declined to detail. It has put employees at each of its 60 U.S. locations in charge of verifying the destruction of outdated consumer information, which the company is required by law to dispose of.

And the company now encrypts all data feeds to the three major credit bureaus as well as certain information stored in its databases, such as credit card numbers. DiBattiste adds that a project to move to laptop encryption "across the board" is still in the works.

Another new measure: ChoicePoint this month created a security advisory committee comprised of DiBattiste, the company's CIO, head of internal audit, the chief business officer, chief marketing officer, chief administrative officer and general counsel. The group meets regularly "to ensure we're hitting every aspect of security and privacy," says DiBattiste.

"One of the lessons we learned is that security is a moving target," she says. "The bad guys move too. So we have to constantly be in touch with the things we need to be doing to respond."

Friday, June 23, 2006

Credit Bureaus Hope to Displace FICO Score as Industry Standard

June 22, 2006

The Experian credit agency became the first to start selling its new "VantageScore" credit scoring system this week. Critics aren't impressed.

John Ulzheimer of the credit information Web site CreditBloggers said that the hype over the VantageScore was "nothing more than an effort to confuse consumers and unsophisticated lenders."

"I'm not angry at the bureaus for trying to muscle out FICO," Ulzheimer said. "[M]y question is could they have spent their collaborative time together more constructively for consumers?"

The three credit bureaus jointly developed VantageScore as an alternative to the lending score created by the Fair Isaac Company (FICO), which is the standard score used by lenders to judge a borrower's creditworthiness.

For $5.95 a pop, users can buy the Experian VantageScore and see where the new credit system ranks them in terms of attractiveness to lenders. The new VantageScore system grades consumers on a number scale from 501 to 990, with a corresponding letter grade of "F" to "A."

Experian information solutions group president Kerry Williams says the new score "responded to the clear need for an objective scoring model that works across all three reporting companies' data."

Currently, Experian and fellow credit bureau TransUnion offer their own "proprietary" credit scores with the reports borrowers can purchase, but these scores are often wildly divergent from a consumer's real FICO score.

Although the bureaus claim these scores are "educational," they're heavily advertised as being legitimate credit scores that borrowers can use to judge their credit stability. Lenders, however, largely prefer the traditional FICO score, due to its longevity and prominence in the industry.

Equifax, the third of the "Big Three" credit bureaus, has been offering its true FICO scores with its reports. The scoring formula FICO uses has been closely guarded by the company as a trade secret, and the major credit bureaus have to pay Fair Isaac a licensing fee to use it in their credit scoring and reports.

CreditBloggers founder Emily Davidson purchased her VantageScore on June 20th and compared it to her Experian FICO score. According to Davidson, the ordering process was clumsy and counterintuitive, and the score ranking did not include information from her Experian credit report.

"Experian's VantageScore was difficult to interpret and their ordering system was poorly designed," she said. "If the bureaus are serious about competing with FICO, they need to work on making this score the best in the industry for both consumers and businesses."

The new credit score system has been criticized for making the same mistake as the current credit scoring system -- relying on inadequate or inaccurate data reported to the bureaus.

Sloppy record-keeping, mixing of different consumer records, and complex dispute resolution processes mean that even if the three bureaus are sharing the same score, they're still relying on bad data to make their scoring decisions.

Sunday, June 04, 2006

Mortgage rate can't go up if lending bank is bought!

DAVID MYERS: Mortgage rate can't go up if lending bank is bought

June 4, 2006

Dear David: I was lucky enough to refinance when mortgage rates bottomed out at about 5.5% last year. Now, the bank that gave me the mortgage is being purchased by another lender. Can the new lender raise my rate?

Dear Reader: The terms of your mortgage cannot be changed simply because your current lender is being purchased by another bank. About the only thing the new lender can do is require that your monthly payments be sent to a different address.

Dear David: We are interested in creating a basic living trust, so we purchased two books about estate planning to learn more. One of the books recommends that in addition to creating a trust, people should also sign a "durable power of attorney for finances" form. Is this really necessary?

Dear Reader: You're not required to sign a durable power document to create a money-saving trust, but many homeowners choose to do so for personal reasons.

Forming a simple living trust is an inexpensive way to help ensure that your home and other assets will pass quickly to your heirs instead of going through the long and costly probate proceedings that are mandated by a typical will. When you die, the successor trustee you selected can distribute your home according to your wishes.

If you also sign a durable power of attorney form, you'll give the successor trustee the additional ability to take care of any assets that you left outside the trust. The forms are available for about $5 at most business-supply stores.

Dear David: I recently applied to refinance my mortgage. Instead of giving me a FICO credit score like I have received in the past, the lender used something called a "VantageScore." What is that?

Dear Reader: A California-based company called Fair Isaac revolutionized the credit-reporting industry several years ago when it developed the FICO score, which many lenders use today when setting the interest rate to charge on everything from mortgages to credit cards.

VantageScore was developed by the nation's three largest credit bureaus. The system assigns a letter grade to each applicant's rating -- an "A" for borrowers who are in the top 901 to 990 bracket, a "B" for those in the 801 to 900 range, and so on down to "F." The higher your VantageScore, the lower your loan rate.

VantageScore was unveiled earlier this year. Though its scoring system should be easier for most consumers to understand, only time will tell whether it can replace the FICO system.

Contact DAVID MYERS at P.O. Box 2960, Culver City, CA 90231-2960.
Copyright © 2006 Detroit Free Press Inc.