Heartland's Lesson: How to Handle A Data Breach
The big question is: If your institution was hit with this kind of data breach that wasn't caused by your institution, would you be ready to respond? Heartland wasn't the first big data breach from outside service providers or retailers that institutions have had to respond to in the last three years. Those out there with short memories ... remember CardSystems Solutions, TJX or Hannaford? The TJX numbers hit more than 90 million credit card accounts. Some were already expired, but institutions still had to respond to the breach and talk to customers about it.
It's pretty much inevitable: At some time, somewhere, you or one of the companies your institution depends on as a service provider will be the victim of a data breach. If those third-party service providers hold your customers' sensitive data and they're breached, you also have to be ready to handle the fallout. Let's face the facts - the bad guys are really good at what they do and are now flexing their malware muscles, readying themselves to attack again and again to get at sensitive, lucrative data.
Take any good data breach incident response plan at any institution and look at it closely. What an institution (or any other entity, for that matter) does in the first 24 hours after a breach (whether it occurs at your institution or, as in the case of Heartland, at an outside source) will decide whether that institution can weather the storm that follows. The national media attention that Heartland's announcement received shows anyone that what you say and do after something like this is closely scrutinized. (At current count, Google returned 860,000 results for the keywords "Heartland breach".)
In these hard economic times where customers' trust and confidence are at a premium, how an institution handles the news about a data breach and how it responds to its customers and the media can make the difference between keeping and losing those customers. Look at the findings of the Javelin Identity Fraud Report - it found that when a credit card fraud happens, "15 percent of all customers leave their credit card provider, 17 percent leave their current bank or credit union, and 40 percent of people defrauded through a debit card get a new relationship." So it is obvious what party pays the biggest price, even though they weren't directly responsible for a breach such as the one at Heartland - the institutions that issue the credit and debit cards. Your customer doesn't know who or what Heartland is, but they do know your institution and your brand, and they'll remember who they got the call from about the breach.
In the case of the Heartland breach, banks and credit unions around the country are beefing up their fraud monitoring and have initiated their communications response plan to reach out to their customers and members to let them know when their cards were included in the breach. Some called the customers, telling them the news that their card was being deactivated. Others sent out letters informing the customers affected that they were either having their card replaced, or closely monitored for signs of fraudulent activity. Over and over again, I've seen bank representatives saying the right things to their local reporters in the coverage of the breach and how they're handling it. Most are along the lines of: "It wasn't a breach in our systems, our systems are safe, and customers won't be liable for any fraud due to the breach." (See example of customer notification letter)
The real message for all institutions, whether you have been affected by this latest breach or not, is: Be prepared. It doesn't have to be a Heartland-sized data breach that causes you to lose the trust, confidence and ultimately the business of your customers. You need an incident response plan ready to work with before, not after, the breach is discovered. Your breach response plan needs to be well-thought-out, with all players and tasks identified and a set of standard operating procedures, with precision almost on a military level. Most importantly, and this can't be stressed enough, your data breach incident response plan needs to be tested, not just sit collecting dust on somebody's bookshelf or languishing on a manager's PC. It needs to be just as well-planned and tested as your disaster recovery and business continuity plans are.
In the end, it all is about staying in business and keeping the trust, confidence and business of your customers.