Click Cover to Read Digital Edition



Shared Servicing & Outsourcing
Feb. 23-24
San Francisco
ABA Mutual Community Bank Conference
March 1-5
Gaylord Palms Resort
ABA Mutual Community Bank Conference
March 22 & 23
Marriott Marquis
Washington, D.C.
Card Forum & Expo
April 8-10
More events >  

<- Back

Share |

Print Friendly and PDF

Prepare for a Data Breach Before it Happens

By: Nick Buri

A data breach can have a serious impact on your business, costing you account holders and damaging your brand reputation. How a financial institution prepares for and responds to a data breach will determine how and if it recovers. Sound grave? Consider the financial impact of a breach.

Business data breaches are most likely (74 percent) to come from an external source (2009 Data Breach Investigation Report). With a median of 37,000 records compromised in a breach, the business cost is significant. In a recent Ponemon Institute study on the Business Impact of Data Breach, 74 percent of businesses reported some customer defection and 59 percent encountered potential litigation.

No financial institution is immune. According to Ponemon, approximately 85 percent of businesses have experienced a data breach. The good news is that the methods for preventing and mitigating the impact of a breach continue to improve. So thereís no better time than the present to 1) assess your financial institutionís vulnerability to a breach and 2) incorporate steps into your response plan that fill in the gaps.

Updating the Plan

When reviewing your institutionís current data breach response plan consider how well it prevents, detects and resolves or mitigates a breach.

Business and technical control protocols should be clearly laid out, with an emphasis on prevention. Risk assessments should happen regularly, and security policies should be comprehensive. Account holder fraud protection services like new-applicant screening tools and identity theft prevention services can also serve as effective prevention methods.

Response Protocol

As your institution improves its breach response plan, add measures that help increase the speed of the response and minimize its impact on affected account holders.

Begin by establishing a method for surveying the impact of a data breach. Gather facts to determine the scope of the breach. Consider who is affected, what information was involved, how the breach occurred and whether the data was encrypted.

Next, an incident response team should review the data breach facts. The team should be a designated, cross-functional team that is created before a data breach occurs. Based on the situation, determine who will lead the response team and assign other key areas of responsibility.

Drawing from the initial fact gathering and new information discovered, the response team should document all events related to the breach as soon as possible.

Developing Strategies

Once events are documented, the response team leader should work with other team members to develop effective strategies for addressing key issues like:

Affected parties such as account holders, law enforcement, SEC, card issuers, employees, shareholders and auditors should be notified as soon as core event details are documented. Quick communication is critical to meet the demands of the 24-hour news cycle. Account holders should hear the news of a data breach from their financial institution first, not from the Internet or a social media outlet.

Proactively alerting account holders to the steps their financial institution is taking to ensure wellbeing can create a lasting effect. A McKinsey and Co. Research study on customer loyalty commissioned by Deluxe found that while 72 percent of accountholders left their institution due to a negative experience, 87 percent of account holders gave more money to their institution as a result of a positive experience.

Building Good Will

An account holder data security breach notification template can be prepared in advance of a breach. It should cover specifics surrounding the breach and the immediate actions being taking to minimize the impact on operations. The letter is an opportunity to highlight your institutionís immediate efforts to ease account holderís concerns, like 12 months of free credit monitoring service. Specifics concerning the data breach would be added to the letter following event documentation.

While creating a positive experience for customers begins with the first communication, it continues with your employees. Itís equally important to communicate details of the breach to employees, who can serve as brand ambassadors. Empower employees with tools and key messages that help them to effectively respond to customer questions and concerns with a unified voice.

With crime rates historically rising during a recession and data breaches up 47 percent in 2008 (Identity Theft Resource Center), financial institutions can no longer assume it wonít happen to them. Challenge your institution to be more prepared today.

Nick Buri is senior product manager for Deluxe Corp.ís fraud and protection team. Contact Deluxe at deluxedetect(at)

Copyright © March 2010 BankNews Media