Time and again, businesses fall short in their ability to protect their customer information as criminals looking to steal data get wiser and more creative. Whether customer data is stolen or lost through hacking, physical means such as a misplaced laptop or hijacked data tapes, or an unscrupulous employee, the results are the same: customers at risk and a huge black eye for the company.
No industry grapples more with data theft and the ensuing customer relationship nightmare than the financial services sector, which will increase spending on IT security and related issues 12 percent this year to $1.8 billion, according to consulting firm Celent (Boston). How these companies respond to the seemingly inevitable security breach can change the way they are viewed by customers and the general public. Handle it right, and a company can flip the negative into a positive and earn customers' respect and appreciation. Handle it wrong, and the business will fight the stigma of being an untrustworthy organization indefinitely. >>
The good news is, the banking industry is fast making an art form out of dealing with security breaches, and its experience can serve as an invaluable guideline for any business holding sensitive customer information.
Communication Is Key
A top priority for any organization after a data theft incident is communication, says Steve Lubetkin, a former bank public relations executive who now is the managing partner of public relations firm Lubetkin & Co. Communications (Cherry Hill, N.J.). "Banks are reluctant to give too much information," he says. "The key thing that all banks need to proactively convey is a sense that they can be trusted. They need to be open and honest with customers, they need to reassure customers, and they need to give out more information than they may have been comfortable with in the past."
Nobody understands this more than Wachovia Corp. (Charlotte, N.C.), which experienced a now-famous security breach last May. Two Wachovia employees sold customer data to a fraudulent third party in New Jersey, who allegedly resold the information to collection agencies and law firms. The theft affected nearly 50,000 Wachovia customers, and the bank knew it had to act quickly to contact those customers and help them protect their identities.
Fortunately, Wachovia has had a response team for such incidents in place for two years, having spent millions of dollars on breach prevention and incident planning programs, and the development of 43 different fraud strategies -- all aimed at quickly mitigating any problems for customers and employees after a breach. Within hours of an event being recorded, a senior executive group convenes to understand the impact of the breach and develop an appropriate response, always under the pressure of a pending media blitz.
That's not always easy, though, as each incident is unique and it's often difficult to determine its ramifications. "You'll hear criticism that we didn't make notifications as soon as we knew, and the answer is, the information may not immediately have become apparent to us," says Brian McGinley, loss management director, senior vice president and group executive at Wachovia. "It's difficult to determine what data has been taken and assess likely consequences -- what can be done with the data that has gone out. A lost name, address and Social Security number versus having a card number appear on a Web site will generate a different tactic."
In many cases, a breach means the bank needs to contact affected customers by whatever means possible and offer assistance. In some cases, new account numbers or bank cards need to be issued. Wachovia's top executives make calls to customers to explain the situation thoroughly, and customers also are provided with free identity theft protection or fraud assistance packages.
Within the organization, educating employees about a breach is critical as well. Every customer-touching employee needs to be aware as soon as possible of the nature of the breach and what the institution is doing in response to help customers -- the worst-case scenario being an affected customer who calls an agent, gets vague or incorrect information about the breach, and loses confidence in the institution.
"There must be good communication within the organization before you communicate with customers," says John Carlson, senior director at BITS (Washington, D.C.), a nonprofit industry consortium composed of 100 CEOs from the country's largest financial services institutions. Many banks actually are conducting trial runs to test data-compromise reaction strategies, much as they would with any other business continuity threat, he relates. To help industry players better address the internal workings of data security, BITS recently published a best practices tool kit that includes a section on security awareness and training programs.