Posted: Aug 1, 2018
Author: Lou Grilli

Planning for a breach is a business requirement whether you have been breached or not.

“… credit unions are no longer flying under the radar – credit unions are targets of cybercriminal activity.” – Larry Fazio, Deputy Executive Director, NCUA

The increased use of mobile platform access, by both credit union staff and members, and the migration to cloud-based services are trends for which there is no going back. Scalability, accessibility, and the ability to quickly and easily deploy new services have become business necessities to remain competitive and to continue to serve the needs of members. This also means some loss of control over security and compliance. Understanding and managing the risks associated with the changing world of data security, and being prepared for breaches and for how to respond to them, have also become business necessities. This three-part series, based in part on a presentation given by Michele L. Cohen, a principal with the law firm Miles & Stockbridge P.C., at Trellance’s immersion 2018 conference, outlines the balancing act between convenience and data, and provides a framework for preparing for breaches and for the actions to take in response.

Part 1: It isn’t a question of whether a breach will happen – the question is whether it has happened already and when it will happen again…

No industry is immune to data breaches, though it is the largest ones that make headlines. The Democratic National Convention 2016 election cycle hack of emails, followed by the 2017 hack of voter data; the Sony Pictures 2014 hack, which exposed many incriminating emails; the Uber hack in 2017, which went on for nearly a year, exposing driver information and passenger data; and of course the now infamous Equifax breach, which exposed personal and financial data on 143 million Americans, are just a few. But many more data breaches are occurring, at a record-breaking pace, that do not make headlines. Being small does not mean being immune to hackers; it may mean, however, that the breach is not as interesting in a news cycle. And the most unfortunate aspect is that many breaches should have and could have been prevented. As Frank Abagnale (the original Catch Me If You Can fraudster) has said, “every breach occurs because someone in that company did something they weren’t supposed to do, or somebody in that company failed to do something they were supposed to do.” Many breaches happen because people make them happen (albeit inadvertently), not because hackers do it. Given that data breaches will happen as long as people continue to make mistakes, it becomes a matter of preparing for the inevitable.

What is at risk?

Being a victim of a breach has wide-ranging ramifications. During and following the breach there may be service delivery interruption and chaos within the organization as internal and external investigators, police, FBI and other agencies work to determine the extent of the breach. Following the breach there are multiple legal, regulatory and commercial concerns. For example, depending on the extent and scope of the breach (and your response management), you may be sued by individuals, including possible class actions. There may also be regulatory enforcement, including agency actions tied to statutory violations, and there may be third-party contract claims for business loss. But perhaps worse than monetary loss from lawsuits and regulatory action is the loss of business standing and reputation. The negative publicity can be more punishing than legal actions. And once hacked, the victim becomes a known target. In one now famous case, the Wendy’s Co. reported in January 2016 that it was the victim of a data breach. Then, in July, it disclosed that it was the victim of a second malware attack. Once hackers learn of a vulnerability, they will continue to probe for additional compromises.

Get more information in part 2 and part 3.

Lou Grilli

Lou is the AVP of Product Development & Thought Leadership at Trellance. In this role, he is responsible for managing the organization’s product portfolio, as well as providing leadership on industry trends related to data analytics and payments.
