April/May 2007
Focus: Risk Assessment & Disaster Planning
Are You Prepared for a Data Breach?
By Beth Lynn
Since early 2005, there have been a troubling number of consumer data breaches involving financial institutions, merchants, educational institutions and government agencies. While monetary losses from a modest-sized data breach can total in the millions of dollars, banks and credit unions face an even greater risk — the loss of trust that is the cornerstone of customer relationships.
A financial institution can take reasonable measures to prevent a mass data breach, but experience has demonstrated that it is an organization’s response to a breach that may have the greatest effect on consumer perceptions and customer retention. In fact, a comprehensive data breach plan — like a detailed business continuity plan — can mean the difference between keeping and losing a customer.
Understanding the Issue
Data breaches are not a new phenomenon; they have occurred for some time through both electronic and paper-based means. Recently, however, the growth in overall fraud activity has raised both awareness and concern among the business community, the general public and state and federal regulators.
In the past, deciding whether or not to “go public” regarding a data breach was in the hands of the financial institution. Today, various laws and regulations dictate the proper course of action.
Since 2003, 34 states have enacted legislation requiring consumer notification in the case of certain data breaches, and many of the remaining states are considering legislation. Since the issue is governed by a patchwork of state laws, federal agency guidance/regulations and broad directives in existing federal statutes, financial institutions must consult with their own legal counsel before planning or enacting a data breach consumer notification effort.
Planning Your Response
Even with the best prevention plans, it’s difficult to completely protect against a data breach. Therefore, developing an effective response strategy is as necessary as taking preventive measures. Your response plan should include the following steps:
Establish a Rapid Response Team
The time to establish and prepare a rapid response team is before a data breach occurs. Effective teams include:
- Decision makers (senior level and top management)
- Action team members from audit, legal, risk management, operations, IT, marketing, public relations, human resources and branch administration
Understand Regulatory Requirements
Data breach decisions are influenced or driven by the law and may be subject to contractual obligations. Conduct a thorough review of applicable federal and state laws with your financial institution’s counsel and investigate privacy laws and notification requirements. If your institution does business in multiple states, you should decide in advance whether you intend to conform to each state’s specific requirements or use the most stringent law as a model for all states.
Develop a Plan of Action
Develop a ‘response blueprint’ to outline the critical steps so that actions are timely:
- Formalize the reporting process and activate the response team
- Identify and establish relationships with regulators and law enforcement
- Put systematic tools in place to address compromised files and data
- Hold tactical and strategic discussions to define response materials
- Confirm duties and responsibilities of each area with assigned personnel
- Identify auditing tools needed if internal fraud is involved
- Consider contracting in advance with a firm that specializes in forensic investigation and have that resource available to support you
Develop a Loss Prevention/Containment Strategy
Pre-planning is important in making decisions on how best to control or contain the damage that a breach may cause. Determine what information is available and how to best gather it. Inventory your risk management tools, including those at your processors or network/association partners, and have plans in place to activate the appropriate tools based on the fraud pattern. Plans will vary depending on the type of breach and each course of action may have direct or indirect costs.
Develop a Communications Strategy
Your communications must be comprehensive and consistent, while addressing different audiences and employing different media. Consider:
- Internal communications with employees
- External communications with consumers, including channels such as help lines, call centers, Web sites, ATMs and branches
- Communication with the media
- Customer segmentation needs
- Contacting law enforcement and regulators
Address Data Breaches at Service Providers
Since your financial institution may be ultimately responsible for notification, planning efforts should include the possibility of an outside resource being impacted by a data breach.
Test Your Plan
Consider integrating your data breach preparedness plan with your business recovery plan, including annual tests and updates.
Take Action Now
Although it’s difficult to make specific plans for an unspecified event, spending time now on your response plan can be a wise investment. It’s always easier and faster to fine-tune your plan, should a breach occur, than to start from scratch. Ask anyone who has been through a data breach event: immediate action is critical to a successful response.
Beth Lynn is a vice president at First Data Corporation and the privacy officer for First Data Debit Services in Wilmington, Del. She can be reached at beth.lynn@firstdatacorp.com. For more information on how to prepare your organization for a data breach, visit www.STAR.com/DataBreachGuide to request a full copy of the STAR Network’s Data Breach Response and Planning Guide. First Data Debit Services is a WIB-endorsed Value & Income Program Partner (VIP).
Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.
