Choicepoint's stiock drops 10% in one day

As we have discussed elsewhere in this Blog, there is value in protecting your information assets. We've talked about the impact of information security breaches on stock price. Well, Choicepoint provides a good case in point. This was not a “hacker” attack as labeled in the popular press (further moving the definition of that word from its original meaning), but rather a traditional scam that took advantage of a lax credentialling process (yes, Irony with a capital I) that apparently is fax-based.

(Perhaps if this process were done electronically, Choicepoint's information security staff would have improved the controls. Their CISO won CISO of the Year in Atlanta last year.)

Choicepoint's stock dropped 10% yesterday. It is down to $39.30 from a 52 high of $47.95 just earlier this month.

The market is reacting to a number of things. Choicepoint handled the affair poorly, notifying only California residents as required by law and not everyone. Georgia is now looking at a privacy law similar to SB1386. Regulation means increased costs. Choicepoint is trying to recover by offering to pay for credit monitoring services (probably provided by it's former parent, Equifax) and it has stopped providing service to it's 17,000 small business customers until they can be re-credentialled. That's more costs and less revenue. Finally, lawyers are starting to look at class actions – more uncertainty means more risk means higher cost of capital.

It brings up a point made before here: good companies have good processes that protect their assets. They have good information security as a result of that, not the other way around. I think information security and IT professionals are often disappointed that the rest of management doesn't understand that.