Has your credit union considered how member relations, legal compliance and brand reputation might be affected during a data breach? In this 2012 NAFCU Technology & Security Conference session recording you will learn about the risks of data breaches and how they could impact your credit union. http://www.nafcu.org/affinion
Data Breaches Preparedness (Credit Union Conference Session)
1. Data Breaches Preparedness – Practical Tips for Responding
presented by Christine El Eris, Product Director, Affinion Group
Proprietary & Confidential www.affinion.com
2. What is a Data Breach?
A breach is defined as an event in which an individual name plus
Social Security Number (SSN), driver’s license number, medical
record or a financial record/credit/debit card is potentially put at
risk – either in electronic or paper format.
Presentation
Prepared www.affinion.com 2
For
3. Data Breaches Occur Every Day
Breaches are a daily news item
Yet many organizations, their IT, data security and senior management teams still
hope:
“It won’t happen to us.”
No matter how secure your web sites or data networks are, it may just be a matter
of time before
– an employee loses a laptop containing critical data
– a staffer clicks on a phishing link that launches malware or lets an attacker into the
company network
– a third-party supplier improperly handles your members’ data
– a hacker takes advantage of a vulnerability or security weakness of a third-party vendor
or supplier
4. Organizational Risks
All Sectors Are Vulnerable
Breached entities include Corporations, Healthcare, Government, Financial, Colleges &
Universities
Breaches Exposed More Data in 2011 than 2010
According to the Identity Theft Resource Center, there were 662 breaches in 2010 identified as of
12/29/2010 affecting over 16 million records
2011 saw 414 reported incidents with nearly 23 million records impacted
Complexities of the crime continue to change
Legislative Environment Increasingly Complex
Breach notification laws now in 46 states plus District of Columbia
Federal Trade Commission’s Red Flag rules
State AG expectations for post-breach response
Specter of federal regulation in the future
Increased Consumer Expectations
Your members expect MORE than just a notification and credit monitoring when their personal data
has been exposed
5. Trends: Identity Theft
Consumer Risks
Consumers whose data has been exposed as the result of a data breach are
four times more likely to become victims of identity fraud
New account fraud has become significantly more complicated:
It takes more than 140 days to be detected
And requires more than 180 days to be resolved
And consumers incur more than $1,200 of out-of-pocket expense
Source: 2011 Javelin Strategy & Research “Identity Fraud Survey Report”
6. How to Respond to a Data Breach Incident
7. What NOT to Do … a Lesson from Sony
8. Immediate First Steps
• Assemble your response team
– Who should be involved? How will you manage resources?
• Conduct a risk assessment
– Who is affected? Do you need to notify customers/clients/patients whose data was impacted?
• Comply with federal and state regulations
– How can you avoid fines? Will there be an investigation?
– How can you prepare for inevitable lawsuits?
– 46 states and the District of Columbia mandate notifications to impacted individuals (based on
residency of breached individuals, not the organization who lost the data or where the data resided)
– Become familiar with state AG opinions on notifying consumers and providing post-incident
remediation services
– Pay attention to FTC’s guidelines
– Keep your attorney included in all discussions related to the incident to protect attorney-client privilege
• Set up a call center
– What resources are required? How will you serve non-English speakers if applicable?
9. Utilize Experts As Needed
• Implement a public relations/brand management strategy to manage and repair your
corporate reputation
• Consider a trusted third party to manage the state-mandated notifications and provide
post-incident identity protection and credit monitoring services
• Consider a trusted third party to conduct forensic analysis – even if you know what occurred,
it is best to outsource this function
• Employ outside counsel who are experts on data privacy law to assist your in-house counsel
• Consider pre-contracting for each of the above services
– Saves time when an event occurs
– Enables your organization to properly perform due diligence on each partner in advance and at
your own pace
10. How Can Affinion Security Center Help?
11. Affinion Security Center History
Identity theft market leader / Comprehensive solutions
• #1 provider of identity theft services
• 200 configurations of benefits supported
• 15 million identities protected
• 35+ years: solutions empowering consumers to prevent, detect and resolve fraud
• $25+ million invested in product development, servicing and testing of benefits in the last year alone
• FCRA- and MAGIC-certified staff using well-defined policies and procedures
• 5 years average tenure of our fraud resolution caseworkers
• 15 years average tenure for team leaders
• Next Gen Siebel CRM with automated workflow used for case management and reporting
Financially strong / The largest multi-channel reach
• $1.4 billion in 2010 revenue
• $164+ million in cash at year-end
• 24% increase in profitability over the last 5 years
• Cited by Inc. Magazine as one of the fastest growing private companies
• Scalable platform to accommodate future growth
• 18+ Million customers offered breach remediation solutions
• True multi-channel reach through direct mail, in-branch, online, telephony
• Marketing in 16 countries around the world
• More than 1 billion unique contacts made annually
12. Affinion’s Product Road Map – Identity Theft Solutions
Ability to Combat a Full-Spectrum of ID Fraud Issues
• Credit Monitoring with the 3 bureaus
• Public Records
• Evaluate ID Fraud Risks
• Real time activity alerts; credit & non-credit
• Credit Header, Proprietary Databases
• Peer-to-Peer File Exchange Networks
• Internet Directories & Web
• Social Media
• Black Market Web and Underground Chat-Rooms
• Children SSN Monitoring
“Deputize the Consumer” by providing him or her meaningful, actionable alerts to evaluate if
fraud is occurring to stop it fast.
Concept coined by:
13. ASC’s End-to-End Solution
Service: Incident Response Consulting | List Services | Notification Drafting & Printing | Customer Support | Enrollment Options | ID Theft Protection Services | Ongoing Support & Reporting
Proactive List hygiene Drafting Pre-enrollment Prevention Full File Standard or
preparation breach FAQ Enrollment ‘a la carte’
Description
De-duping Printing support Detection requests
VRU/Call Center
NCOA services Mailing Enrollment Resolution
support Services* Online
USPS compliance
Post-enrollment USPS
remediation
Average timeline for all enrollment options being functional is 21 days from when ASC learns of a breach
The Affinion Difference
• Established best practices leveraging experience from hundreds of breaches
• 20 individuals dedicated to limiting notification costs
• Highly scalable services to support 700 million pieces of mail annually
• Proven scale to support 40 million calls annually across 20 call centers including dedicated VRU enrollment
• More than 15 million consumers enrolled in ID theft protection today
• Dedicated fraud resolution specialists averaging 5 years tenure per case worker
• Over 1 Billion unique contacts annually through multiple channels
• Breach team dedicated to your account offering completely customizable reporting at no additional charge
14. Case Study: Top 10 FI
Impacted Population: 4.5 Million
List Services
After a major consulting and auditing firm hired to do 'forensics' on the 60+ impacted databases had
already spent weeks working on record cleansing, BreachShield stepped in.
Our team of database experts was able to scrub the files within 72 hours.
Using our NCOA and de-duping capabilities, we reduced the mailing cost to 1/4 of the amount initially
expected.
Contact Center
To ensure an optimal customer experience and preserve SLA levels while managing increased call center
volumes, Affinion Security Center (ASC) utilized both VRU and live agent options.
40% of callers opted for the VRU, minimizing the financial impact to the client.
Positive results for the client:
• Notification process was expedited
• Proper list management and use of VRU saved the client over $1 million
15. Case Study: Insurance Carrier
Impacted Population: 500,000
The Client Declined our Services
Instead, they simply mailed notification letters to the impacted population.
Facing increasing media and legal pressures, the client later offered a referral to an optional
ID theft protection service on their website and via their contact center.
Less than a year later, the client faced a class-action lawsuit. A major settlement component
was offering two years of ID theft protection service to the impacted population, with costs
that were much greater than Affinion Security Center’s initial price quote.
A proactive and thorough response plan would have:
1) Protected their brand from negative PR
2) Significantly reduced costs
3) Provided a robust solution to the affected population
16. Case Study: Entertainment Company
Impacted Population: 50 Million
Flexibility to Meet Diverse Needs
An entertainment company had a breach that affected more than 50 million individual
customers. While the company was pre-contracted within the US with another provider, they
found that provider inadequate for international needs.
Starting from scratch, Affinion Security Center was able to create a solution for 10
million impacted users in less than 30 days.
Positive Result for the Client:
Media scrutiny was significantly lessened overseas.
17. A Trusted Resource
This publication includes:
• Data breach facts and terms
• Explanations of breach notification laws
• Suggested incident response action plan
• Sample customer notifications
www.nafcu.org/affinion