Right, Ready Security Breach Response

By Marilyn Kennedy Melia

Safe, secure and reliable.

No matter how a bank fashions its brand, it wants the public to associate it with these attributes. And until relatively recently, it was easy for federally-insured institutions to inspire rock-solid confidence.

But last year saw an all-time high of 1,093 data breaches.

And the recent breach at Equifax is the biggest and most alarming. That’s because such a treasure trove of data—the names, addresses, social security numbers, and birthdates of some 143 million Americans—is now in the hands of cyber criminals.

Recently, banks have had a relatively good record in guarding their own data: In 2016, the banking/credit/financial sectors accounted for just 4.8% of breaches, according to a report from the Identity Theft Resource Center and CyberScout.

Still, banks are on the front line, fielding calls from worried customers who heard news about a data theft from a retailer they frequent, or who spot suspicious activity on their credit or debit account.

In fact, it’s when bank credit and debit card issuers receive calls from customers requesting chargebacks—and the bank issuers then report these to the networks—that breaches are discovered. That’s because the networks use sophisticated analytics to determine whether chargebacks can be traced to consumers who all frequented a certain retailer, for instance.

It’s your problem.

No doubt, your bank may have fielded calls from customers worried about the Equifax debacle.

No matter the type of breach:

  • Credit card numbers stolen from a retailer
  • A bank’s ATM the target of “skimming,” where debit numbers and PINs are recorded by criminals
  • Or an incident like Equifax

—Experts have the same advice: Be proactive and customer-friendly.

With the Equifax incident, some 200,000 credit card numbers were swiped. But that’s of relatively minor consequence when compared to the 143 million individual consumers who had their four key identifiers compromised. With the latter set of data, criminals can steal the identity of consumers, and set up phony credit card accounts and loans.

A role for marketing.

“For marketing people, it’s important that they take the lead to be on the side of the customer,” said Rolland Johannsen, senior consulting associate of Capital Performance Group. If a bank can press Equifax to get the names of its customers who were impacted, it should then alert those customers.

Moreover, Johannsen added, if banks offer identity theft protection, they should consider offering it free to impacted customers. The goodwill engendered is worth the cost, in his estimation.

At the very least, a bank should be ready to answer customer questions regarding Equifax and other breaches.

Indeed, different breaches demand different responses.

Know the drill.

“All banks—large and small—should have an incident response for different types of data breaches and incidents,” said Kyle Moreland, COO of Johnson City Bank in Texas. “This may include an online data breach, a vendor data breach, or even a card skimmer on an ATM the bank owns.”

Considering the range of breach type and severity, it’s also important to have a drill at least once a quarter to be ready to handle various scenarios, said Moreland, who also handles marketing for Johnson City Bank.

Tabletop drills—where staffers and management discuss what should happen under different hypothetical incidents—prepare a bank for quick response, Moreland explained. Another best practice is to draft sample texts for customer letters or public statements that explain various types of breaches.

Indeed, the Gramm-Leach-Bliley Act in 2005 provides guidance on a pre-determined response.

The appropriate response is predicated on the threshold of a breach, according to Bess Hinson, an attorney with Nelson Mullins Riley & Scarborough in Atlanta.

She remembers the big Target breach several years ago, where many millions of cards were compromised. “Many banks went ahead and proactively reissued more than 17 million debit and credit cards.”

One of the earlier, very large-scale breaches, the Target incident was a learning experience for financial institutions.

For instance, Hinson explained, banks may choose not to proactively reissue cards to large numbers of customers. Reissuing is relatively expensive—several dollars or more per card. If the network and the bank security experts say losses are contained and the situation is being carefully monitored, many banks may assure customers they are watching the situation, while also encouraging customers to examine their account charges.

However, some banks may find it prudent to replace a card, if a customer requests it.

“Getting a card into a cardholder’s hand immediately upon their request can keep the card ‘top of wallet,’” noted Rob Dixon, product director at CPI Card Group, which produces cards.

Skimming demands quick action.

On a Sunday this past June, Moreland was happy for the drills his bank conducted.

Responsible for periodically checking voicemails left during closed hours (Johnson City Bank has only one office), Moreland picked up a message from a customer who saw a device was on one of the two ATMs outside the bank.

Thieves capture card data with cameras and other devices put on an ATM, a practice known as “skimming.” They try to make the device inconspicuous.

“I immediately called the ATM vendor and had the machine shut down. Then I called the police,” he said.

By the time the police came to inspect the ATM, the device that thieves placed on it to capture customer card data had already been removed.

The next step was to examine video, which showed when the skimmer was installed, and when it was taken off.

During that time frame, about eighty transactions occurred, many from Johnson City Bank customers. But there were also some “foreign” transactions. “We treated all the customers the same,” Moreland said, whether they were bank customers or held a card from a different bank that was used at the ATM.

Each of the 80 or so customers was called on the phone—and most went to the bank Monday morning to pick up a new card. Of course, such quick, personal service was possible because of the bank’s size and one location.

But as soon as any customers impacted by a breach are identified, quick communication is called for, said Tiffani Montez of Aite Group. “Share how the breach impacts your customers, how the issue is being handled, what (if anything) more they should do to protect themselves, and when they can expect another update. And most importantly, what they can expect next.”

We’re monitoring the situation.

In many cases where merchants and retailers are breached, it is impossible to quickly know how many customers’ accounts were involved—or even when thieves will attempt to use the information. “Dark websites contain information that may stay for sale for long periods of time,” said Molly Wilkinson, executive director of Electronic Payments Coalition.

In those instances, financial institutions and networks have sophisticated software to monitor fraud. Moreover, state laws require merchants to notify all customers affected, Hinson explained.

Rob Keys, public relations manager for Arvest Bank—which operates autonomous, community-oriented banks in sixteen markets—said that in any breach situation, “We will prepare our front line with sample Q-and-A’s for customers who may come in.”

Some customers prefer to deal with branch personnel, noted Dixon from CPI Card Group. He pointed to a 2016 study from The Financial Brand indicating that 32% of customers choose to go into a branch, with 31% using a call center. Increasingly, customers are also relying on email or online chat.

In fact, Keys pointed out, it’s in the online world that data criminals thrive—and where impacted customers may vent.

That’s why, Keys added, in addition to preparing bank front-line staffers, “We also alert our social media team” to watch for comments on breaches so that the bank can respond appropriately.

Marilyn Kennedy Melia is a banking and personal finance writer based in Chicago.