Early lessons learned: Target data breach
Though an outsider may view the recent Target data breach as isolated, insiders know (or at least should know) that data breaches have happened before and will happen again. The unfortunate truth is that account compromises are a reality that is here to stay, and it is important for credit unions not only to know and accept that fact, but to be prepared for it.
It is crucial for credit union leaders to learn how to manage data breaches in the most efficient way possible for their credit union and the most convenient way possible for their members. The best way to manage any data breach is to have a defined approach in place prior to the occurrence of a data breach.
At this point, credit unions have experienced data breaches that fall into similar categories of scale and scope, from a small account compromise affecting one member to a large-scale breach impacting numerous members. Credit unions should use these experiences, along with their knowledge of staff capabilities and membership, to come up with solutions for each category of breach. Take it a step further and have a process in place for how to execute each solution, and make sure that credit union management and staff are familiar with those procedures.
When creating your credit union’s standard solutions and accompanying process, think about the following:
- Who needs to have access to sensitive member information, and what steps can be taken to ensure that employees who do not need that information do not have access to it? Provide data security information to all staff, including employees who use their own devices to access credit union data, and particularly employees with access to sensitive member information as part of their job responsibilities.
- What types of data breaches does your credit union often encounter in terms of size and scope?
- Based on size and scope, think about the solution. Who will make decisions on the breach? For small breaches, is there a management employee who can address the problem and solutions? For larger breaches, should you have an executive team or external entity to contain and resolve the breach? Do you have a crisis notification plan so that affected individuals have early warning in the event of a breach?
If credit unions take the time to do this, they will not have to reinvent the wheel each time a breach occurs, saving credit unions time, money, and memberships. Ask yourself how difficult the Target data breach has been on your credit union. If it has been disruptive, a few simple steps might make the next one easier. As we all know, there will be a next time.