By Ann Davidson, VP of Risk Consulting at Allied Solutions.
The enormity of the Equifax® data breach has left a wake of fear and frustration among businesses and consumers alike. Names, social security numbers, birth dates, addresses, driver’s license numbers, and other pieces of private data were stolen from an estimated 143 million American consumers earlier this year.
Below are a number of things you can do to better protect your business and consumers from potential fraud exposures in the wake of this massive data breach:
1. Plan: Implement rigorous security measures to better catch fraud attempts before they occur
- When authenticating an account user, require personal information (e.g., high school crush, best friend from childhood, pet’s name) along with identifying information for access to the account to help prevent the identity theft of your consumers.
- Require that the account holders have a password or passcode to access their account.
- Use multi-factor authentication:
  - Who you are: Inherence factors, such as biometric methods
  - What you have: Possession factors, such as ATM card numbers
  - What you know: Knowledge factors, such as password, PIN or secret question
- Don’t just rely on SSNs, birth dates, home addresses or driver’s license numbers for granting account access.
- Adopt advanced tools, like biometric authentication, for verifying the identity of account holders.
- Verify you have up-to-date contact information for all of your members’ accounts, including consumer cards and online accounts.
- Set up a website with information regarding how you plan to communicate with your account holders about updates related to the Equifax cybersecurity breach.
- Post and share contact resources and information for consumers so they know where to go to have their questions or concerns addressed.
- Share educational resources and tools with your account holders that aim to help them prevent and manage identity theft and fraud.
- Train staff on fraud warning signs and job-relevant fraud prevention/response procedures.
- Proactively build a response plan, so you can swiftly implement the plan should any fraud exposures occur. See our Data Breach Preparedness Checklist for recommendations on building a strong plan.
- Monitor likely points of entry for fraud, such as:
  - New membership requests
  - New products or services requests
  - Change of account holder information for existing members, such as change of address
- Purchase institutional coverage that insures your financial institution should a cyber attack occur.
- Consider partnering with an identity theft vendor that offers “deeper” fraud monitoring services for consumers, namely:
  - Dark web monitoring
  - Social security monitoring
  - Address change monitoring
2. Respond: Act swiftly and efficiently to help protect your business’s finances and brand, should an exposure occur
- Set up a designated resource or hotline for handling account holders’ concerns and questions related to the breach, such as:
  - Answering questions about fraud and identity theft
  - Assisting with credit and other monitoring services enrollment
  - Assisting with placement of fraud alerts
- Offer professional identity fraud investigation and fraud remediation services.
- Consider providing credit/other monitoring services at no-cost for consumers.
- Contact Allied Solutions’ risk consultants if you are experiencing an uptick in identity fraud so we can help you to minimize the fraud exposure.
- Notify law enforcement and regulators about the exposure.
- Work with internal or external resources to notify your members about the breach:
  - Draft notification letters
  - Distribute employee scripts
  - Create FAQs for website
  - Write and send press releases
- Contract with external resources to provide printing and mailing services for notification letters.
- Contract with external resources to provide specialized legal assistance and forensic investigative services, if necessary.
- Send out educational information to your consumers about recommended steps they should be taking to protect themselves from identity theft, such as:
  - Monitoring accounts daily
  - Registering for free fraud monitoring services
  - Purchasing comprehensive identity theft protection
- Use multiple channels to communicate with account holders – email, direct mail, text, etc. – so you are reaching them through their preferred channel and device.
3. Recover: Evaluate fraud damage and response effectiveness so you can modify your breach prevention and response measures accordingly
- Evaluative questions to ask:
  - Where did the fraud occur, and what could you have done to better protect that point of compromise?
  - Are there security tools you need to purchase or replace to more effectively prevent breach exposures?
  - Where were critical errors made in following the plan’s procedures?
  - Where did the procedures come up short in providing the direction that the team needed?
  - What steps/issues could have been avoided with proper pre-planning or different procedures?
- Once you have answered all of these questions:
  - Prioritize next steps for improving your breach prevention and/or response processes.
  - Implement prioritized changes immediately.
  - Train employees on lessons learned and new processes.
  - Set up a timeline for adopting all other changes.
As you work to mitigate the impact of the Equifax breach, we strongly urge you to also share breach information and updates with your consumers, while also educating them about how they can prevent and manage the risk of identity theft. Watch Allied’s recent webinar for more best practices for educating and protecting your members in light of the Equifax breach.
Also, for a dive into the root causes of fraud and for advice and tools on how to prevent future attacks, listen to our fraud series webinar here.
Allied Solutions is the NAFCU Preferred Partner for Insurance—Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown Protection (MBP); and rateGenius. Learn more at www.nafcu.org/allied.