September/October 2009
Focus: Information Systems & Security
Preparing for a Data Breach Before it Happens
By Nick Buri
A data breach can have a serious impact on your business, costing you account holders and damaging your brand reputation. How a financial institution prepares for and responds to a data breach will determine how and if it recovers. Sound grave? Consider the financial impact of a breach.
Business data breaches most often (74 percent) come from an external source (2009 Data Breach Investigation Report). With a median of 37,000 records compromised per breach, the business cost is significant. In a recent Ponemon Institute study on the Business Impact of Data Breach, 74 percent of businesses reported some customer defection, and 59 percent encountered potential litigation.
No financial institution is immune. According to Ponemon, approximately 85 percent of businesses have experienced a data breach.
The good news
The methods for preventing and mitigating the impact of a breach continue to improve. So there’s no better time than the present to: 1) assess your financial institution’s vulnerability to a breach and 2) incorporate steps into your response plan that fill in the gaps.
Updating the plan
When reviewing your institution’s current data breach response plan, consider how well it prevents, detects and resolves or mitigates a breach.
Business and technical control protocols should be clearly laid out, with an emphasis on prevention. Risk assessments should happen regularly, and security policies should be comprehensive. Account holder fraud protection services like new-applicant screening tools and identity theft prevention services can also serve as effective prevention methods.
Response protocol
As your institution improves its breach response plan, add measures that help increase the speed of the response and minimize its impact on affected account holders.
Begin by establishing a method for surveying the impact of a data breach. Gather facts to determine the scope of the breach. Consider who is affected, what information was involved, how the breach occurred and whether the data was encrypted.
Next, an incident response team should review the data breach facts. The team should be a designated, cross-functional team that is created before a data breach occurs. Based on the situation, determine who will lead the response team and assign other key areas of responsibility.
Drawing from the initial fact gathering and new information discovered, the response team should document all events related to the breach as soon as possible.
Developing strategies
Once events are documented, the response team leader should work with other team members to develop effective strategies for addressing key issues like:
- Restoring data security and repairing affected systems
- Preserving the financial institution’s good name
- Minimizing impact on account holders and employees
- Preventing additional data breaches
Proactively alerting account holders to the steps their financial institution is taking to ensure their wellbeing can create a lasting effect. A McKinsey and Company research study on customer loyalty commissioned by Deluxe found that while 72 percent of account holders left their institution due to a negative experience, 87 percent of account holders gave more money to their institution as a result of a positive experience.
Building good will
An account holder data security breach notification template can be prepared in advance of a breach. It should cover specifics surrounding the breach and the immediate actions being taken to minimize the impact on operations. The letter is an opportunity to highlight your institution’s immediate efforts to ease account holders’ concerns, such as 12 months of free credit monitoring service. Specifics concerning the data breach would be added to the letter following event documentation.
While creating a positive experience for customers begins with the first communication, it continues with your employees. It’s equally important to communicate details of the breach to employees, who can serve as brand ambassadors. Empower employees with tools and key messages that help them to effectively respond to customer questions and concerns with a unified voice.
With crime rates historically rising during a recession and data breaches up 47 percent in 2008 (Identity Theft Resource Center), financial institutions can no longer assume it won’t happen to them. Challenge your institution to be more prepared today.
Nick Buri is senior product manager for Deluxe Corporation’s fraud and protection team. To receive complimentary data breach resources – including a data security breach notification template – or to learn more about Deluxe’s fraud/protection products, contact Deluxe at deluxedetect@deluxe.com. Deluxe is a WIB-endorsed Value & Income Program (VIP) Partner.
Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.
