Dionne Hill‎ Scott Schomaker Sungkuk Ji ChoicePoint Case Analysis April 20, 2012.

1 Dionne Hill‎ Scott Schomaker Sungkuk Ji ChoicePoint Case Analysis April 20, 2012

2 Agenda
Executive Summary; Business Vulnerabilities; Problem framework; Recommendation; Q&A

3 Executive Summary

4 ChoicePoint Business Vulnerabilities
Diagram labels: Data In; ChoicePoint; Data Out
Diagram items: Credit Checks; Background Checks; Direct mail lists; Collecting Business data; Purchasing Databases; Recording Public; Acquiring competitors; Maintain records; Consolidate Databases; Expand service lines
Vulnerabilities: Errors; Misuse; Privacy Concerns

5 A Framework for understanding ChoicePoint's challenge.
ChoicePoint has not effectively mitigated the risks inherent in its business model. A potential victim of its own success, it faces negative externalities of improved access to data (misuse, errors, and invasion of privacy) that threaten to undermine ChoicePoint's future operations.
Diagram labels: Value; Misuse; Data Errors; Privacy Concerns; Impact; Regulatory Response; Customer Revolt

6 Solution Criteria
Any solution must meet specific solution criteria
1. Comply with ChoicePoint's core value and mission. Measure by capital requirements and access to information.
2. Mitigate business risk of ChoicePoint. Builds public trust and safeguards the data. Measure by risk profile analysis.
3. Cost effectiveness. Measure by cost/benefit analysis.

7 As-is risk profile
1. Uncontrollable Risks: Regulatory response; Identity theft (Direct and Secondary); Data breaches
2. Gray areas: Data misuse; Privacy concerns; Public response
3. Controllable Risks: Data error by ChoicePoint; Identity verification

8 Two recommendation buckets
Regulatory Management; Internal Risk Management

9 Market demands better internal controls
Current State: No special officer for protecting data security; Crisis management slow because no plan in place to respond; Existing mechanism for detecting fraud is ineffective; No effective protection from hacking and data breaches
Future State: Chief Data Security Officer; Guidelines for crisis response; Regular security audit; Data encryption; Analysis software
Failure to manage bad records or quickly respond to developing issues reflects poorly on ChoicePoint and threatens the company's reputation.

10 Proactive regulatory actions needed
Current State (Few Controls and Protections): Fair Credit Reporting Act (FCRA) only applies to certain products; Patchwork of federal, state, and local laws, notice consistency lacking; Little assistance for consumers to rectify information errors; Privacy advocates suggest harmful legislation like Social Security restrictions ($15M-$20M cost)
Future State (Controls and Consumer Protection): All ChoicePoint products fall under FCRA; Adopt federal notice requirement improving ongoing relationship with consumer; Advocate the creation of an administrative regime to empower consumers; Work with Electronic Privacy Information Center (EPIC) to promote prosecution
Regulation threatens ChoicePoint's business model and bottom line, so the company must adopt policies and advocate for regulations that both protect its model and empower consumers.

11 Reference Appendix

12 Chief Data Security Officer
Outline: Set up office of data security to oversee not only compliance with law enforcement bodies but also credentialing of customers
Measurability: Easily measurable by breach reported
Actions required: Define clear R&R for Chief Data Security Officer in the corporate level; Assign budget to organize the office and recruit; Mobilize the office
Cost: $1M/Yr
Possible impact: Can reduce the risks of breach to legislation and identity theft
Risk implication: From unmanageable to manageable (Compliance to regulatory actions)

13 Guidelines – Misuse, Error and Breach scenarios
Outline: ChoicePoint must have action plans in place for dealing with data breaches, misuses and errors to the public, regulatory body and impacted individual respectively
Measurability: Easily measurable by reviewing manual and auditing the process
Actions required: Prepare action plans by scenarios (data breaches, data misuse and data error); Assign owner with detailed action plans; Pilot the process and launch
Cost: 3M (Hiring consulting firm to develop recommendations)
Possible impact: Can reduce potential damage from lawsuit, regulatory and public response reaction
Risk implication: From unmanageable to gray and manageable (Negative public response and regulatory reactions)

14 Regular security audit
Outline: Conduct regular security audit on the process and security by both internal staff and 3rd party auditors
Measurability: Easily measurable by reviewing audit report
Actions required: Decide on audit schedule and auditor; Implement audit and review
Cost: 3M / Yr
Possible impact: Can reduce the risks of data breach
Risk implication: From unmanageable to manageable

15 Data encryption
Outline: All personal data (especially SSN and driver license number) should be stored in enciphered form
Measurability: Easily measurable by data administrator and auditor
Actions required: Decide on project scope and budget; Contact service provider; Launch project
Cost: Based on the project scope and budget
Possible impact: Cannot root out the risk of data theft but reduces direct and derived damage from data theft and hacking
Risk implication: From unmanageable to manageable

16 Analysis software
Outline: Develop internal software to identify suspicious behavior, with the power to initiate human-led investigation
Measurable: Data breach sizes limited to 5% of 2004 levels
Actions required: Dedicate portion of analytics team to irregular customer behavior; Partner with top tier universities to keep at cutting edge of security
Cost: $5M upfront; $2M annually
Possible impact: Reduces size and frequency of data breaches; Highlights importance of data security to internal organization
Risk implication: ??

17 Regulatory Action I
Outline: All ChoicePoint products fall under FCRA
Measurability: Success is measured by the time it takes to adopt policy change internally and potential federal adoption
Actions required: Communicate policy change staff-wide; Create internal accountability mechanism
Cost: Minimal cost, more employee cost in terms of additional time
Possible impact: Builds consistency within the company to increase accuracy. Signals to consumers and legislatures company is being proactive about privacy and safeguards
Risk implication: Manageable

18 Regulatory Action II
Outline: Adopt notice requirement for ongoing relationship with consumer
Measurability: Success measured by adoption
Actions required: Communicate expectation to staff; Lobby Congress; Timeline for phasing in the launch
Cost: Increased personnel costs for this customer service; Varies according to error occurrence, estimate at $100K annually
Possible impact: Changes image of company: from a threat to consumers to one that partners with them when errors occur
Risk implication: From gray area to manageable

19 Regulatory Action III
Outline: Advocate the creation of an administrative regime to empower consumers
Measurability: Easily measurable, whether the agency is created
Actions required: Communicate with legal department and lobbyist; Meet with Congressional staffers; Press releases
Cost: $250K proposed lobbying cost; No cost to ChoicePoint once agency is created
Possible impact: Signals willingness for increased regulation and concern for consumer rights building trust; Creates ongoing connectivity to government regulators in positive way
Risk implication: From unmanageable to manageable

20 Regulatory Action IV
Outline: Work with EPIC to craft legislation and promote prosecution of data thieves
Measurability: Quantify percent of thieves to persons brought before the law; 60% prosecution rate is a good target
Actions required: Audit data breach occurrences; Build cooperative relationship with EPIC; Decide on cost structure of partnership
Cost: Shared between EPIC and ChoicePoint; Estimates at $1M annually
Possible impact: Creates partnership with top consumer advocate; Builds public trust and cost effective
Risk implication: From gray area to manageable

