Just type "security breach" into Google just about any day of the week and you'll see a variety of different companies suffering from small to large data breaches.
Recently it was LinkedIn and CloudFare. A few months ago data from up to 1.5 million credit and debit cards from all major card brands, including MasterCard, Visa and Discover, was stolen in a massive data breach via a third-party payment processing facility. These incidences bring to light the fact that sensitive information can be breached at any point in the supply chain of companies that handle this information.
The enormous costs and far-ranging consequences of a breach truly are enterprise-wide concerns. Breaches are expensive, requiring extra staff, external legal counsel, credit monitoring services for victims, and more. The Ponemon Institute reported that the average cost of a breach was $7.2 million in 2010, or $214 per compromised customer record.
Global Payments (GPN), the public company responsible for the debit card breach, is a perfect example of how great the losses can be. GPN has lost nearly 20% in value since the disaster and VISA took them off their preferred credit card processors.
What can credit unions do to hedge against this type of breach and their consequences?
1. Choose your vendor/partners carefully. In the age of outsourcing, good chance your members' information will be "sourced out"-despite contracts guaranteeing the opposite. If it can happen to the big banks, it can happen to you. Validate the security of suppliers that handle your sensitive information, including backup tapes and documents.
2. Train your employees. Train employees on your security policies and procedures and performing periodic spot checks to measure compliance. So-called "insiders" continue to pose a threat to the security of their organizations. This is particularly true as the increasing adoption of tablets, smartphones and cloud applications in the workplace means that employees are able to access corporate information anywhere, at any time. It is essential for your credit union to put the proper information protection policies and procedures in place to counterbalance these new realities.
3. Implement a crisis communication plan. What happens when there is a breach? Do you have a crisis management plan? Notify members as quickly as possible to minimize their exposure...and yours. Develop a plan to manage the situation. Use e-mail, SMS, website and postcards. Effective and appropriate communication to members who have been impacted by a breach includes describing the type of data that was lost or taken, an estimate of probability that the data will be abused and the business recourse that your credit union will offer. Members expect the credit union to protect their data; but when that doesn't happen, they would also like to have the issue explained fully and quickly.
4. Tell members to set up e-mail/text alerts for debit and credit card transactions. When was the last time you marketed alerts as a key component in the defense against fraud? Now might be a good time to start. Once these alerts are set, any fraud is instantly communicated to the member, who can take the necessary steps to minimize the risk, e.g. tell you about the breach, e.g. change passwords, etc.
Taking these precautions is no guarantee of avoiding a publicized security breach. But they'll go a long way in properly allocating your limited budgets toward the areas of greatest risk.
John-Ashley Paul is the founder and president of CUBUS Solutions. a software company that provides an online banking platform and applications to credit unions. For info: www.cubussolutions.com.
