Since early 2005, there have been a troubling number of consumer data breaches involving financial institutions, merchants, educational institutions and government agencies. While monetary losses from a modest-sized data breach can total in the millions of dollars, banks and credit unions face an even greater risk — the loss of trust that is the cornerstone of customer relationships.
A financial institution can take reasonable measures to prevent a mass data breach, but experience has demonstrated that it is an organization’s response to a breach that may have the greatest effect on consumer perceptions and customer retention. In fact, a comprehensive data breach plan — like a detailed business continuity plan — can mean the difference between keeping and losing a customer.
Understanding the issue
Data breaches are not a new phenomenon; they have occurred for some time through both electronic and paper-based means. Recently, however, the growth in overall fraud activity has raised both awareness and concern among the business community, the general public and state and federal regulators.
In the past, deciding whether or not to “go public” regarding a data breach was in the hands of the financial institution. Today, various laws and regulations dictate the proper course of action.
Since 2003, 34 states have enacted legislation requiring consumer notification in the case of certain data breaches and many of the remaining states are considering legislation. Since the issue is governed by a patchwork of state laws, federal agency guidance and regulations and broad directives in existing federal statutes, financial institutions must consult with their own legal counsel before planning or enacting a data breach consumer notification effort.
Planning your response
Even with the best prevention plans, it’s difficult to completely protect against a data breach. Therefore, developing an effective response strategy is as necessary as taking preventive measures. Your response plan should include the following steps:
1. Establish a rapid response team.
The time to establish and prepare a rapid response team is before a data breach occurs. Effective teams include:
2. Understand regulatory requirements.
Data breach decisions are influenced or driven by the law and may be subject to contractual obligations. Conduct a thorough review of applicable federal and state laws with your financial institution’s counsel and investigate privacy laws and notification requirements. If your institution does business in multiple states, you should decide in advance whether you intend to conform to each state’s specific requirements or use the most stringent law as a model for all states.
3. Develop a plan of action.
Develop a “response blueprint” to outline the critical steps so actions are timely:
4. Develop a loss prevention and containment strategy.
Pre-planning is important in making decisions on how best to control or contain the damage a breach may cause. Determine what information is available and how best to gather it. Inventory your risk management tools, including those at your processors or network and association partners, and have plans in place to activate the appropriate tools based on the fraud pattern. Plans will vary depending on the type of breach, and each course of action may have direct or indirect costs.
5. Develop a strategy for communications.
Your communications must be comprehensive and consistent, while addressing different audiences and employing different media. Consider:
6. Address data breaches at service providers.
Since your financial institution may be ultimately responsible for notification, planning efforts should include the possibility of an outside resource being impacted by a data breach.
7. Test your plan.
Consider integrating your data breach preparedness plan with your business recovery plan, including annual tests and updates.
Take action now
Although it’s difficult to make specific plans for an unspecified event, spending time now on your response plan can be a wise investment. It’s always easier to fine-tune your plan, should a breach occur, than to start from scratch. Ask anyone who has been through a data breach event — immediate action is critical to a successful response.
Beth Lynn is a vice president at First Data Corp. and the privacy officer for First Data Debit Services in Wilmington, Del. She can be reached at beth.lynn(at)firstdatacorp.com. For more information on how to prepare your organization for a data breach, visit www.STAR.com/DataBreachGuide to request a full copy of the STAR Network’s Data Breach Response and Planning Guide. First Data Debit Services is a WIB-endorsed Value & Income Program Partner (VIP).
Copyright April-May 2007 Western Banking (BankNews Publications)