When Bad Things Happen to Good Data

Odds are good that this issue of Credit Union Times contains news of one or more data security breaches, a system outage, fraud ring, or merchant data compromise. Never before have technical disruptions been so visible. Never have members had such little tolerance for “glitches”. Fraud and data security concerns are not new, but the publicity surrounding them has made the art of damage control an important leadership discipline. The days when credit unions had the luxury of days or weeks to respond to warning signs are long past. In the “perfect storm” that can arise from today’s transparency and immediacy, how does a savvy credit union “get it right” when things go horribly wrong? News of the misfortune of others catches our attention each week. Whether the story is a state government misplacing media with sensitive data, a merchant reporting unauthorized access to transaction and cardholder data or a local magnetic stripe and PIN skimming operation targeting your cardholders at gas pumps and convenience stores, we would be wise to learn from the misfortunes of others. Taking these lessons to heart, here are principles that credit unions can use to prepare for the day when bad things happen to good data. oThink Ahead — Thinking ahead and considering a variety of worst-case scenarios is a form of risk management that enables the credit union to respond quickly based upon contingencies in place. These contingencies can include details as simple as the presence of instant issue card machines in branches to assist members who need replacement cards. Having alternate channels available, such as participation in the shared branch network, provides flexibility in ensuring service levels to members. Adequate preparation can transform a bad PR situation into an opportunity to strengthen ties with members. oBuild Goodwill — Make it a priority and a goal within your communications plan to establish good rapport and relationships with key vendors and local law enforcement and community leaders. Building up goodwill in advance enables the credit union to draw upon the support of others in times of need. When faced with unexpected adversity, it is especially important that the leaders promote a positive tone and provide encouragement to staff who are on the frontline restoring member confidence.

oCommunicate Cleanly — Credit unions may not yet equate the impact of a stolen laptop to an event like a natural disaster or power outage. Much as you would establish a command center with sufficient phone and data capacity to manage in a disaster scenario where new information may emerge from hour to hour, remember your command center may be needed for communicating regarding situations you have not yet considered. A command center will ensure that actions are taken based upon the most complete set of information and will eliminate duplicate lines of communication and help to ensure a consistent message. One goal of your command center should be to free up those tasked most directly with remedying the error to focus on the “doing” while assigning others to coordinate communications to all constituents (including board members, media, sponsor groups, and key providers/partners). oManage to Metrics — Choose measures that provide meaningful ways to assess and monitor the issue and the success of your efforts. There is a world of difference between saying “thousands of cards were compromised” and “3% of our total card base was compromised and our goal is to get new cards to those affected members within three business days.” Metrics and specific targets will provide clear direction to guide recovery efforts and will build confidence among members and staff. Just as important as the guidelines to follow are a few pitfalls to avoid: oIgnoring the Storm Clouds — It is human nature to avoid hard problems until they have reached critical mass. Instead, it is best to keep abreast of emerging threats through industry publications and an ongoing dialogue with peer credit unions. Organizations that cultivate an environment of trust and open communication can preempt problems by listening to the warning signs, and by taking measured steps toward a larger goal, such as adding security breach considerations to your overall business continuity plan.