Silence Is Deadly
Overall, banks do a good job of communicating breach alerts to customers and assuaging concerns, says Jonathan Penn, principal analyst, identity and security, at Forrester Research (Cambridge, Mass.). Penn praises Wells Fargo's efforts to contact customers multiple times through multiple channels to ensure they communicated the incident thoroughly and offered services in response to a 2004 information breach. "This is in stark contrast to less-consumer-oriented businesses such as CardSystems and ChoicePoint, that initially denied the extent of the problem, tried to avoid notifying customers and never offered assistance," Penn contends.
Denial and silence are the worst things an organization can do in the age of blogs and real-time communication, says Lubetkin & Co.'s Lubetkin. Often, the decision to hush the incident is made by lawyers who want to protect companies from legal liability, which conflicts with the organization's need to protect its reputation. "If we're not communicating with customers openly, someone else is going to communicate for us, and that might not be the message we want our customers to hear," Lubetkin says. That includes bloggers who frequently have an anticorporate agenda and privacy rights advocates whose agenda may not be aligned with the needs of the business. "Institutions need to think about all these things and balance it against not saying anything, because if you don't respond to the public's need for information, you're going to get slammed."
Conversely, Wachovia's McGinley says banks are willingly taking a larger hit than they need to, spending millions of dollars to help customers even when the breaches are not their fault. "There's a misnomer out there that the banks are the bad guys in this, but in the majority of ID theft cases, the information has come from the customers themselves or when the information was held by a third party that we had no connection to," he asserts. Wachovia's attitude is to take a piece of the responsibility and talk to customers forthrightly -- which can strengthen the institution's standing in a highly competitive industry with high attrition rates. "If we do it right, we may make a customer for life because they know that when the chips are down, we'll stand by them."
On that point the industry as a whole agrees. The BITS member banks spend much of their time convening on security threats, prevention strategies and post-breach management agendas, says BITS' Carlson, an acknowledgement of the potential crisis in consumer confidence in the Internet's safety for conducting financial transactions. In September, the group established voluntary guidelines for building consumer confidence in online financial services.
Straight Shooting Wins Trust
Companies can benefit from educating the public before a breach occurs. "It's about communicating trust, being open to make sure the customer knows you are doing everything you can do to protect their information, but that the criminals are also doing everything they can do to penetrate the data," says Lubetkin & Co.'s Lubetkin. "Banks don't want to oversell the institution's ability by saying, 'Breaches will never happen again,' because the day they say that is the day it will happen again."
And it likely will, agrees Forrester Research's Penn. "The evolution of criminal tactics presently is outpacing banks' capabilities to defend against them," he says. "However, this is partly because banks are looking to fight particular threats such as phishing or spyware." That shifts the security focus to areas such as authentication when the focus should be on the purpose or result of the attacks, which is account compromise, fraud and identity theft, Penn says.
Instead of deploying a security technology to deal with yesterday's attack methods, companies need to invest in better vetting of new customers and better fraud detection, supplemented with tools such as user profiling and risk-based authentication, Penn stresses. Banks also should use existing forms of communication, such as e-mail alerts on low balances or bill payments, to provide information to customers on potentially fraudulent activity and get them involved in fighting fraud, he adds.
"Banks need to take security out of the closet and market these safeguards to consumers," taking measures such as proactively offering ID theft and fraud monitoring to new and valued customers rather than waiting until data is compromised before offering such services, advises Penn. "Such credit monitoring should be the 21st-century equivalent to the toaster banks used to give out on new accounts."
To that end, BITS members have created the Identity Theft Assistance Center, which provides free victim assistance services for customers of any of its member companies. To date, the center has helped more than 2,500 victims, according to Cheryl Charles, a senior director at BITS.
Lessons for Everyone
While the banking industry presents an appealing target to data thieves, any business that holds sensitive customer data can use the lessons this sector has learned through years of unwelcome experience. Companies can establish practices for keeping their customers' data secure while at the same time accepting the reality that criminals will forever seek out ways to break into the fortress. If those criminals succeed, smart businesses will do as the banks do -- have an established and practiced reaction plan in place, communicate forthrightly about the situation, take quick action to help their customers protect themselves from fraud, and use the incident to prove themselves a trustworthy and concerned partner to customers.
Courtesy of Security Pipeline, a CMP Media property.