Stanford CIS

Monitoring and compliance in the ChoicePoint settlement

By Stanford Center for Internet and Society on

In January 2006, ChoicePoint and the FTC settled a case claiming that ChoicePoint, a consumer-profiling company, had violated the FTC Act and the Fair Credit Reporting Act. Some security analysts, calling this the largest civil penalty in history, are hopeful that the $15M penalty will inspire other actors in the data-collection market to better protect their data.

One important aspect of the settlement requires that ChoicePoint be assessed by "a qualified, objective, independent third-party professional" every two years until 2026. The settlement specifies that the person performing the assessment should hold one of several third-party certifications--CISSP, CISA, GIAC--or be similarly qualified. See Section IV of the stipulated order.

Holding one of these industry-generated credentials would demonstrate some baseline knowledge of corporate information security. However, unlike CISSP or CISA, the GIAC certifications do not require that the exam-sitter have any practical experience before becoming credentialed. Some GIAC certifications, moreover, have next to nothing to do with information security.

Letting the industry define its own standards of excellence may be a good idea, but when government agencies like the FTC rely on industry expertise to protect consumers, those agencies should be mindful that not all industry certifications are created equal.
