Baich: Data theft problem no easy fix

07.02.2007
Rich Baich knows about data theft. Back in 2005, Baich was where he is now: at the RSA Security Conference in San Francisco, a published author and star in the tight-knit community of information security experts. Then the roof fell in as Baich's employer, data broker ChoicePoint, revealed that it had unwittingly allowed identity thieves posing as legitimate customers to make off with the financial records of more than 163,000 consumers.

For months afterward, Baich, now a Principal at consulting firm Deloitte, was forced to explain how the security lapse had happened and to defend his performance as the CISO in light of the breach. His company was ultimately forced to as a result of the breach in a deal with the FTC.

Two years later, ChoicePoint is just one in a string of major data breaches that now includes companies like Massachusetts retailer TJX, and Baich is back at RSA with a new book, a new job, and a new perspective on the problems of companies like ChoicePoint, CardSystems, or TJX, which he sees as symptoms of a broader, societal failure to recognize the value of personal data.

Chatting with InfoWorld in a hotel across from San Francisco's Moscone Center, where the RSA Conference is in full swing, Baich said that the U.S. needs a grassroots campaign to educate ordinary citizens about the need to protect their personal information.

Baich, who was accompanied by an attentive press officer from Deloitte, was circumspect when asked to comment on the recent breach at TJX but said that companies need to do a better job of understanding the "lifecycle" of information within their organizations and need to develop strategies to combat data loss that are based on risk, not merely on compliance demands or technology.

Asked to comment on TJX's decision to wait more than a month after disclosing the theft of credit card data from its network, Baich said that companies are often under orders from law enforcement to keep news of a breach secret while an investigation is ongoing. However, companies need to do a better job of protecting their own interests -- asking law enforcement to put its request to suppress information about a breach in writing, for example, and then being honest in saying that the company held off on notifying the public at the request of law enforcement.

Baich, who faced stern criticism from many former supporters for suggesting that ChoicePoint's failure to vet its customers wasn't the purview of the CISO, said he now has a more holistic view of enterprise security after working on behalf of companies for PricewaterhouseCoopers and now Deloitte.

"It's allowed me to experience things differently. You can't talk about security or privacy and compliance without talking about people, policies, and processes," he said.

Among other things, companies need to plan in advance for incidents like the TJX or ChoicePoint breach and create cross-disciplinary teams, including human resources, legal, information security, physical security, and law enforcement personnel, to respond to them when they occur, Baich said.

"More than ever, companies are evaluated on their response by the press and by their shareholders," he said. "There's an opportunity to consolidate those into an effective, functioning team that takes a mature, holistic approach, but it requires organizational change."

However, even the best-intentioned companies will continue to wrestle with breaches if the public's awareness of the threat of identity theft and data loss isn't improved.

As an example, Baich cites a promotion currently going on in San Francisco by radio station KFRC 99.7 where users are asked to fax the station something with the numbers 997 in it -- including possible social security or driver's license numbers -- in order to win a prize.

Baich shakes his head. "As an employer, what can you really do to prevent your employees from doing something like that?" he asks.

"As a society, we have to mature from an ethical standpoint in the way we protect information," he said.

But companies and public sector organizations are equally in need of schooling.

As a counterpoint to the KFRC story, Baich recalls a recent hotel stay in New York City where he was asked to provide a driver's license so the hotel could make a photocopy for its records. He also noted the case of thousands of visa applications from the Indian Consulate in San Francisco, which were sent whole to a recycling center and sat, in the open, for months before Consulate officials were notified of the problem. The documents contained detailed personal information that would be useful to identity thieves and included applications submitted by Byron Pollitt, CFO of San Francisco's The Gap, and Anne Gust, wife of California Attorney General Jerry Brown.

"These are more cultural issues than technology issues," he said. "We need a grassroots campaign to raise awareness about this."