

11:00 AM
Eileen Colkin Cuneo


What if the worst happens and your customers' data is stolen or goes missing? Take a few tips from the financial services industry, which is fast making an art form out of dealing with security breaches.

Time and again, businesses fall short in their ability to protect their customer information as criminals looking to steal data get wiser and more creative. Whether customer data is stolen or lost through hacking, physical means such as a misplaced laptop or hijacked data tapes, or an unscrupulous employee, the results are the same: customers at risk and a huge black eye for the company.

No industry grapples more with data theft and the ensuing customer relationship nightmare than the financial services sector, which will increase spending on IT security and related issues 12% this year to $1.8 billion, according to consulting firm Celent. How these companies respond to the seemingly inevitable security breach can change the way they are viewed by customers and the general public. Handle it right, and a company can flip the negative into a positive and earn customers' respect and appreciation. Handle it wrong, and the business will forever fight the stigma of an untrustworthy organization.

The good news is the financial services industry is fast making an art form out of dealing with security breaches, and its experience can serve as an invaluable guideline for any business holding sensitive customer information.

Communication Is Key
A top priority for any organization experiencing a data theft incident is communication, says Steve Lubetkin, managing partner of Lubetkin & Company Communications, a public relations counseling firm, and a former bank public relations executive. "Banks are reluctant to give too much information," he says. "The key thing that all banks need to proactively convey is a sense that they can be trusted. They need to be open and honest with customers, they need to reassure customers, and they need to give out more information than they may have been comfortable with in the past."

Nobody understands this more than Wachovia Corporation, whose most famous security breach incident occurred last May, when two employees sold customer data to a fraudulent third party in New Jersey, who allegedly resold the information to collection agencies and law firms. The theft affected nearly 50,000 Wachovia customers, and the bank knew it had to act quickly to contact those customers and help them protect their identities.

Fortunately, Wachovia has had a response team for such incidents in place for two years, having spent millions of dollars in breach prevention and incident planning programs and developing 43 different fraud strategies -- all aimed at quickly mitigating any problems for customers and employees after a breach. Within hours of an event being recorded, a senior executive group convenes to understand the impact of the breach and develop an appropriate response, always under the pressure of a pending media blitz.

That's not always easy, though, as each incident is unique and it's often difficult to determine its ramifications. "You'll hear criticism that we didn't make notifications as soon as we knew, and the answer is the information may not immediately have become apparent to us," says Brian McGinley, loss management director, SVP and group executive at Wachovia. "It's difficult to determine what data has been taken and assess likely consequences -- what can be done with the data that has gone out. A lost name, address, and social security number versus having a card number appear on a Web site will generate a different tactic."

In many cases, a breach means the bank needs to contact affected customers by whatever means possible and offer assistance. In some cases, new account numbers or bank cards need to be issued. Wachovia also provides its customers with free identity theft protection or fraud assistance packages. The company even has top executives make calls to customers to thoroughly explain the situation.

Within the organization, educating employees about a breach is critical as well. Every customer-touching employee needs to be aware as soon as possible of the nature of the breach and what the institution is doing in response to help customers -- the worst-case scenario being an affected customer who calls an agent, gets vague or incorrect information about the breach, and loses confidence in the institution.

"There must be good communication within the organization before you communicate with customers," says John Carlson, senior director at BITS, a nonprofit industry consortium composed of 100 CEOs from the country's largest financial services institutions. Many institutions are actually conducting trial runs to test data-compromise reaction strategies, much as they would with any other business continuity threat. To help industry players better address the internal workings of data security, BITS recently published a best practices toolkit (PDF) that includes a section on security awareness and training programs (PDF).
