For months afterward, Baich, now a Principal at consulting firm Deloitte, was forced to explain how the security lapse had happened and to defend his performance as the CISO in light of the breach. His company was ultimately forced into a settlement with the FTC as a result of the breach.
Two years later, ChoicePoint is just one in a string of major data breaches that now includes companies like Massachusetts retailer TJX, and Baich is back at RSA with a new book, a new job, and a new perspective on the problems of companies like ChoicePoint, CardSystems, or TJX, which he sees as symptoms of a broader, societal failure to recognize the value of personal data.
Chatting with InfoWorld in a hotel across from San Francisco's Moscone Center, where the RSA Conference is in full swing, Baich said that the U.S. needs a grassroots campaign to educate ordinary citizens about the need to protect their personal information.
Baich, who was accompanied by an attentive press officer from Deloitte, was circumspect when asked to comment on the recent breach at TJX but said that companies need to do a better job of understanding the "lifecycle" of information within their organizations and need to develop strategies to combat data loss that are based on risk, not merely on compliance demands or technology.
Asked to comment on TJX's decision to wait more than a month before disclosing the theft of credit card data from its network, Baich said that companies are often under orders from law enforcement to keep news of a breach secret while an investigation is ongoing. However, companies need to do a better job of protecting their own interests -- for example, asking law enforcement to put its request to suppress information about a breach in writing, and then being honest in saying that the company held off on notifying the public at the request of law enforcement.