Thursday, January 26, 2006

Data Breach Costs ChoicePoint $15 Million - But the Industry More!

In an historic settlement ChoicePoint, one of the largest re-sellers of comsumer personal data, has agreed to pay the Federal Trade Commission $15 million dollars as penance for their data breach that made headlines recently. This represents the largest civil penalty ever in the FTC's history.

This incident, the publicity that ensued, and the resulting settlement is likely to have a far reaching impact on the employment screening industry and the public it serves. Rather than enforcing reasonable and effective standards for controlling access to the information employers need to make appropriate hiring decisions, we are already seeing more restrictions on what data will be available to employers. Some of the restrictions, such as truncated dates of birth and other identifiers, are coming from within the industry in anticipation of increased government scrutiny.

Sadly, the data breaches that occurred at ChoicePoint could have easily been prevented had proper procedures been followed. The data was not stolen by hackers, nor were data tapes lost in transit. Consumer data was sold to bogus companies that used fake documentation to set up client accounts. Sources say that Choicepoint continued to sell data, such as credit reports, to these companies even after employees flagged them as suspicious. "This is an example of what can happen when a company becomes primarily sales driven", says Asset Control's President,Russ Rosenberg. "I've seen it many times in my career - a tendancy for sales to overahadow internal controls and true concern for the consumer. Data sellers see their products as quick sales and the customer gets lost in the process", Rosenberg states.

What questions should clients ask when they are shopping for a quality background screening company? First, ask if the agency is providing real court record searches and not repackaged data. Second, ask if your primary contact with the agency will be an employment screening expert and not just a salesperson. Clients need to have their questions answered by someone with human resource or security experience. Finally, ask how the agency is ensuring the security of your employees personal identifying data. "Sometimes size does matter", contends Rosenberg. "Customers tend to get lost in the behemoth sized companies. Smaller companies can give the client a more personal level of service and pricing is going to very similar".

When shopping for a background screening company don't be offended if they ask you to documentation that your business is legitimate. Their livelihood is on the line. Often agencies will ask to physically inspect your place of business, particularly if consumer credit data is involved. Current business licenses, tax ID certificates, charters, incorporation documents and other forms of documentation may be requested. Ironically, these are the same requirements imposed upon the industry by companies like Choicepoint, that they themselves chose not to follow.

Tuesday, January 24, 2006

New Jersey Schools Look Parents Straight in the Eye!

Before picking up a child at one of three Freehold Borough elementary schools parents will be required to look into a camera that will take a digital picture of their eye. This will establish positive identification and grant them access to the school. Phil Meara, superintendent of the Freehold Borough School District, described the swipe card thechnology that previously operated the doors as "obsolete". The project, funded by a school safety grant from the National Institute of Justice of more than $369,000., makes a clear statement that this school district is serious about child safety! Apparently, the Feds are interested in advancing access control technology in schools.

The Teacher-Parent Authorization Security System (T-PASS), a software application developed by Eyemetric Identity Systems, will control teacher, parent and staff employee access to each of the three campuses. The system will also allow identifying data from Driver Licenses from all 50 states to be swiped into the system to facilitate the identification process. Parents can authorize up to four adults in the system.

While the Freehold Bourough project is an expirement, it serves to illustrate just how serious some school administrators are about the need to improve campus access control. Many (I'd even go so far as to say most school districts) find this critical aspect of campus security to be extremely difficult, even impossible to administer. Yet, in the face of drug crime, sexual assault, kidnapping, and the risk of terrorism, the need for better ways to secure our schools is apparent. Notwithstanding, many schools have all but given up on efforts to prevent unauthorized entry to campuses - or, have not recognized the need to do so at all. The wholly unattended clipboard with a visitor sign-in sheet at the front entrance of a grade school is an all too often sight as I travel in my role as a school security consultant. Ironically, the pen is mostoften chained to the clipboard indicating a greater sense for the need to secure the writing instrument than for the security of the students and teachers. Unfortunately, many security controlls come about as the result of a horrible incident or public pressure rather than through thoughtful adherence to known best practices.

While technology often makes life better, it is not without encumberences. Access cards are often lost or forgotten by those they are assigned to. Electronic locks break and require maintenance. Iris recognition hardware and software software is costly and requires ongoing technical support. Moreover, the concept may be offensive to privany advocates and other segments of the community. While this technology will be that of the very near future, its widespread use in schools is questionable due to the underlying cost and maintenance expense. No access control process is wothout its costs and drawbacks.

Schools are challenged to address this basic security issue and they must start now. We encourage all schools to use those processes that are within their reach and those that are manageable given their recources. Manual processes are better than none at all. Schools that are in a position to afford more sophisticated technology are encouraged to explore those options. Access control has become commonplace as businesses strive to protect property and employees. Yet, schools lag far behind when it comes to protecting our most valuable of resources - our children. If you have not developed a workable solution to this basic aspect of campus security, be proactive and address it now before an incident occurs.