It’s a day like any other. Sun shining, birds chirping, coffee brewing…you’re at work and things are humming along quite nicely. You’re sitting at your computer, looking at the day ahead, when suddenly, an e-mail arrives.
“Visa Fraud Control has been notified of a confirmed network intrusion…”
And just like that, your good mood is gone.
Card service managers dread e-mails like the one in this example. As you respond, you learn the extent of the impact on your credit union. At best, the attached report may contain a small number of members who will be slightly inconvenienced by a simple block-and-reissue. At worst, it will list hundreds, maybe even thousands of members who require extensive communication through letter, website, telephone, and your front line staff. This does not even address the administrative legwork of blocking and reissuing cards and managing the ensuing fraud.
This process is painful for credit union support staff and, unfortunately, is more frequent with each passing year. According to Idtheftcenter.org (2012 ITRC Breach report, 7/23/12), there have been 219 reported data breaches so far in 2012, affecting over 8.5 million individuals. This equates to 1.25 breaches per day.
A member who is a victim of a data breach could react immediately with anything from mild annoyance to panic and outrage. The long-term effects could involve losing confidence in their credit union and the payment system. It then falls to us to preserve the integrity of the card industry and minimize the inconvenience a breach causes members. These unhappy incidents can also be an opportunity to shine compared to our big bank rivals. Here are some useful tips for dealing with an information breach.
Ensure that your reaction minimizes member impact. A credit union must react; this goes without saying. However, sometimes your reaction can be invisible to your members. Analyze your list of affected cardholders, look at the data elements that were compromised, and determine whether a moderated response is acceptable. Sometimes you will find that, with the data elements that were exposed, you have chargeback rights through the networks for any resulting fraud. In those cases, it might be best to merely monitor the compromised accounts rather than block and reissue the cards. Some networks can even create special rules to watch these cards.
Should you determine that your risk of fraud is great and you choose to reissue cards proactively, look for ways to minimize the impact on members. One option may be to utilize “soft blocks” and allow your member to retain their old card while they wait for their new card to be delivered.
You must communicate with compassion. Whenever logistically possible, try to contact affected members personally via telephone. While sending a letter might be easier (indeed, sometimes this is necessary due to the size of the compromise), letters can be ignored or misunderstood. In that case, the member’s first awareness of the compromise would be when his card stops working – not pleasant.
It is imperative that you select the right people to communicate with the member. Empathy, coupled with a fluid knowledge of the subject matter (staff training is important!), will be the keys to having positive conversations with the member. This task cannot be successfully executed by an employee who does not have an instinctive desire to serve the membership.
When speaking to members, express to them that you are working in their best interest. Reframe complaints about inconvenience in terms of safeguarding their finances. Comfort your members with Visa’s Zero-Liability* policy on fraud. Although a member’s response may initially be negative, most members are eventually thankful to be notified, if only for the chance to protect their finances.
Use the opportunity to set yourself apart. Here is where credit unions have advantages over big banks. Breaches provide an opportunity to act with distinction and take service to a higher level. For instance, a small-sized credit union is more likely to notice, through transaction history, that their compromised cardholder is on vacation. Therefore, that account can be treated with special care so as to not disrupt the member’s travels.
The occasion also serves as a reminder of the personalized service that comes with using a local credit union. It is unlikely that the member would be receiving news of the compromise via telephone call, should their card at a big bank be affected.
As much as possible, eliminate the inconveniences. If you offer instant issuance, provide the member a new card that day; if not, offer to rush-deliver the card.
Also consider that these complex interactions may present additional opportunities to serve your member. You may learn of fiscal needs they have, products that can benefit them, or financial niches to fill.
It often helps for staff members working compromises to be stationed in close proximity to each other. Peer education is beneficial; employees can learn from each other’s successes. Moreover, this type of work is strenuous and often negative. Employees who do a good job dealing with breaches, especially ones who use the contact to strengthen the member relationship, should be recognized.
Data compromises can turn the best days into the darkest days and have the potential to turn long-time advocates into an angry mob of upset users. The good news is that your size and your community focus can help you maneuver around a disaster rather than being tarnished by it. Keeping these points in mind and proceeding with clarity, intelligence and compassion can burn away those storm clouds and make everything a little brighter.
*Visa International Operating Regulations, Chapter 5 Visa Products and Services, Subsection “Issuer Requirements – General”
This article was originally posted on CU Insight on August 9, 2012.