Positioning Your Institution's Response in the Face of Data Breach
Data breaches are going to happen. The important part, says ACI Worldwide's Seth Ruden, is how an association chooses to handle them
Thu, January 30, 2014
CSO — Unless you're been living under a rock in North America, it's pretty hard to have missed news of recent high profile data breaches.
I'd venture to say these stories have made their way into the wider, global purview (note: as I write this, another report regarding a massive data breach in South Korea affecting 20 million cardholders was released). While the number of retailers and account holders impacted by these events continues to increase and make headlines, issuers and merchants alike must address ways to instill confidence in their customers in short order.
Upon hearing this type of news, cardholders immediately think "Was I impacted? What do I need to do? Will my account be closed? Will I get a new account number and new debit or credit card?" These and many more questions likely flood the support lines as customers want to understand their real-life implications and steps they need to take to protect themselves.
When associations, banks, issuers and retailers identify significant and/or high profile data breaches, they must first identify the nature of the problem, recognize the potential impact, and then develop the correct course of action for their institution. Following this, they need to best determine how to communicate with their impacted customers.
When financial institutions have a well-coordinated strategy (i.e. email, SMS, voice, mobile app, etc.) in making their customers aware of the institution's vigilance, posture and plan, they win. It goes beyond just reassuring a customer; it is an opportunity to assert a distinctive leadership role in the marketplace.
In instances where a mass block and reissue event is warranted, proactive communication -- identifying the problem, how it's going to impact your customer and what you're doing to put it right -- can be an opportunity to stand out as a financial institution, distinguished in your customer relationships. When a breach is made public, the ability to keep your customers informed via multiple channels can be a true differentiator in customer satisfaction and speed to response. For banks and processors who are solely evaluating high profile breaches through the lens of a risk or security response, this can be a segmentation opportunity.
An unfortunate reality of being in the payments business is fraud. Most in the industry accept that these events can and do happen. A lot. I would estimate that there were many hundreds (if not well into the thousands) of data breaches last year of varying size, some of which were never reported, some which were reported and then intentionally buried.