Time and again, businesses fall short in their ability to protect their customer information as criminals looking to steal data get wiser and more creative. Whether customer data is stolen or lost through hacking, physical means such as a misplaced laptop or hijacked data tapes, or an unscrupulous employee, the results are the same: customers at risk and a huge black eye for the company.
No industry grapples more with data theft and the ensuing customer relationship nightmare than the financial services sector, which will increase spending on IT security and related issues 12% this year to $1.8 billion, according to consulting firm Celent. How these companies respond to the seemingly inevitable security breach can change the way they are viewed by customers and the general public. Handle it right, and a company can flip the negative into a positive and earn customers' respect and appreciation. Handle it wrong, and the business will forever fight the stigma of an untrustworthy organization.
The good news is the financial services industry is fast making an art form out of dealing with security breaches, and its experience can serve as an invaluable guideline for any business holding sensitive customer information.
Communication Is Key
A top priority for any organization experiencing a data theft incident is communication, says Steve Lubetkin, managing partner of Lubetkin & Company Communications, a public relations counseling firm, and a former bank public relations executive. "Banks are reluctant to give too much information," he says. "The key thing that all banks need to proactively convey is a sense that they can be trusted. They need to be open and honest with customers, they need to reassure customers, and they need to give out more information than they may have been comfortable with in the past."
Nobody understands this more than Wachovia Corporation, whose most famous security breach incident occurred last May, when two employees sold customer data to a fraudulent third party in New Jersey, who allegedly resold the information to collection agencies and law firms. The theft affected nearly 50,000 Wachovia customers, and the bank knew it had to act quickly to contact those customers and help them protect their identities.
"A lost name, address, and social security number versus having a card number appear on a Web site will generate a different tactic."
Fortunately, Wachovia has had a response team for such incidents in place for two years, having spent millions of dollars on breach prevention and incident planning programs and developing 43 different fraud strategies -- all aimed at quickly mitigating any problems for customers and employees after a breach. Within hours of an event being recorded, a senior executive group convenes to understand the impact of the breach and develop an appropriate response, always under the pressure of a pending media blitz.
Brian McGinley, loss management director, SVP and group executive at Wachovia
In many cases, a breach means the bank needs to contact affected customers by whatever means possible and offer assistance. In some cases, new account numbers or bank cards need to be issued. Wachovia also provides its customers with free identity theft protection or fraud assistance packages. The company even has top executives make calls to customers to thoroughly explain the situation.
Within the organization, educating employees about a breach is critical as well. Every customer-touching employee needs to be aware as soon as possible of the nature of the breach and what the institution is doing in response to help customers -- the worst-case scenario being an affected customer who calls an agent, gets vague or incorrect information about the breach, and loses confidence in the institution.
John Carlson, a senior director at BITS