We are facing an unprecedented time in our lives with the coronavirus upon us and people taking every imaginable precaution to “be safe” and survive the aftermath.  Having three sisters who are nurses and who love to give advice, the basic practices of good hygiene are essential and the best way to avoid this virus.  That is as far as this article will go on any medical aspects of this issue.

With the wave of fear going on, it might be a great opportunity for credit unions to look at the financial aspects of this unprecedented time and determine what other ways that members could be supported. 

Understanding that the healthcare industry is the leading industry for data breach and ID theft related issues (medical ID theft & fraud), perhaps it might be prudent to look for ways to protect members as they find themselves possibly spending more time in urgent care facilities or hospitals.  Criminals know that these healthcare operations are extremely distracted by the potential number of patients which could unfold….hopefully not….but these operations need to be prepared. For an example, in 2019, 40 million Americans were affected by health data breaches.

Members might really appreciate a symbol of protection and concern from their credit union at this time. Although you can’t provide a medical solution to offer, you could provide basic protection against the threats of medical fraud attacks and provide increased member awareness to be on guard. For those credit unions who might already have ID theft & fraud protection incorporated into services it is a fantastic time to remind members of these powerful services.

The coronavirus scams are already in full swing from the criminals and we can all expect it to only get worse as people continue to get bombarded with every imaginable negative news associated with this pandemic…driving up fear and uncertainty.

There are a wide variety of packaged solutions out on the market that incorporate fully managed ID theft & fraud recovery together with strong dark web monitoring to give members the ultimate safety net against criminal medical fraud & ID theft attacks.  If nothing else, incorporating these kinds of services signifies to members the intent to be protective in whatever means possible….and help calm fears.  It might even be practical to provide these services at no cost to the members for an extended period of time, thus showing a sensitivity to the economic effects of all of this as well.

These unprecedented times call for unprecedented action and credit unions have a powerful voice with their members to guide them and offer a positive message of identity protection and safety while they are dealing with the potential medical dangers at the same time.  Any kind of positive news at this time could be received by members in the most significant way and remind them how credit unions uniquely go beyond their walls to enhance the lives of those they serve.

Over the past year, we have seen a continued incline in data breach events. A few years ago, it was not uncommon for a data breach to make news headlines once every month or two. In 2019, that began to change. The public announcement of a new data breach has become a weekly occurrence. That's because there was a 17% increase in data breach events in 2019 over 2018.

Not too surprisingly, 2020 has started with a series of breach announcements, which is indicating another record year for attacks. But, in addition to the increased frequency of breach events, the growing number of breaches involving "harmless" data is another notable trend that many people have shrugged off as just being annoying. Breaches like the one from Microsoft, which exposed 250 million customer records, didn't alarm as many people because it lacked the SSNs, birth dates, and credit card data that have impacted other breaches, such as those from the healthcare industry. 

The recent wave of data breach activities that involve data such as email addresses, mailing addresses, phone numbers, and passwords are the breaches that can be the most dangerous because they're the ones that many consumers ignore and fail to react proactively. Many consumers (your members) do not realize that a non-financial data breach can be just as detrimental because a hacker only needs a small bit of personal data to cause havoc on someone's identity.

Your members need to be aware that criminals are keenly interested in this "non-financial" data to allow them access to more critical data. For example, the stolen Instagram passwords of 419 million users could be the gateway to financial and other sensitive accounts since over 60% of adults use the same login credentials for multiple accounts, and 44% of consumers change their passwords once a year or less.

Hackers also use inconsequential data from breaches such as PhotoSquared App, Estée Lauder, and Arizona Department of Education to round out the data that they previously collected from the same individuals.  The breach events of Equifax and Capital One exposed almost every adult (147+ million) US citizen's social security number. Having a closer to complete data file on a person allows criminals to do more damage, which is why there has been such a dramatic increase in New Account and Account Takeover Fraud in the past five years (138% higher in 2019 than in 2014).

Credit Unions have a significant Member-centric focus that sets them apart from other financial institutions. So wouldn’t it be credit union-centric to provide members with education, awareness, and protective services against ID theft & fraud events, unlike other financial institutions?  Fighting the ever-increasing complacency of consumers (members) can add another differentiating factor for your credit union.   Hundreds of credit unions are implementing value- rich ID theft recovery & monitoring programs for members that set them apart in ways that enhance member engagement and can also generate non-interest income.  
​
Members are often confused and bewildered about how to combat the risks that they know they are facing with the rapid advancement of data technologies. Cell phones and other mobile devices are especially a concern since they are typically the storing mechanism for everything about an individual. This is particularly true of the Millennial generation.   Now is the opportune time for credit unions to investigate the introduction of member protective services and education/awareness programs that will help members protect ALL of their data - even their seemingly "harmless" personal information. Because as we know, there's no such thing as a "harmless" data breach.

Recent news about the growing number of credit unions replacing “free” checking with checking accounts that include more value-added features is a clear indication that credit unions are listening to what their members really want. Consumers and credit union members want something of real value and they’re willing to pay for it.

As recent articles published in 2019 have pointed out, many credit unions have seen the pitfalls of pushing “free checking.” Often, members who have free accounts begin to feel “nickel-and-dimed” and misled due to fees such as check reorders, ATM transactions and overdrafts. Also, as stated by Ron Shevlin, a director of research for Cornerstone Advisors, “Free checking is not a springboard for a deeper relationship.”

Furthermore, in 2018, Cornerstone Advisors published survey results that indicated millennials want and are willing to pay for non-financial services that come as valued-added features with their accounts at financial institutions. According to the study, the majority of millennials want value instead of free – especially when it comes to services that provide data and identity protection. These value-added services are excellent ways for credit unions to facilitate more profound relationships.

With October being National Cybersecurity Awareness Month, it’s a perfect time for credit unions to consider offering valuable protections that members want, such as mobile phone insurance, ID theft protection and child ID theft protection. These are the kinds of protective services credit unions should strongly consider offering to their members and attaching perhaps to a checking account to build value that goes far beyond “free checking.” These services can help credit unions significantly increase member engagement and loyalty, as they become a safe harbor for the members’ wealth, identities, phones and families.

The same members who have no problem paying as much as $15 a month for subscriptions such as Netflix, Amazon Prime and Hulu will appreciate “value checking” accounts versus accounts with perceived, fake, “free” services. Credit unions have a unique opportunity with their members to create the ultimate engagement opportunity and prevent members from seeking these services from a less trustworthy online resource.
​
The increasing dangers presented by the recent avalanche of data breach events such as Capital One, DoorDash and Zynga (publisher of mobile games such as Words with Friends), creates an environment of uncertainty for all consumers – including your members. This is the perfect time to enhance your services to protect members beyond the walls of your institutions and provide them with peace of mind. Embed more valuable protective services into your financial account offerings and secure your membership for years to come.

​Over the past couple of years there has been an average of 15 million or more people attacked by an ID theft or fraud event in the United States.  Last year, the average cost to individuals facing these events had DOUBLED from 2017 to 2018. Yet, are consumers doing enough to protect themselves as their vulnerability to these events grows from the endless avalanche of data breaches?
​
Our society has created great ways to deal with other personal dangers like car accidents, heart attacks, and home fires. We willingly spend thousands of dollars per year to have protective services & insurance in place, just in case these calamities might occur in our lives. 
Interestingly, we are much more likely to experience an ID theft or fraud event than many other common catastrophes: 

• almost (3) three times more likely to have an ID theft or fraud happen to us than a car accident*;
• about (20) twenty times more likely to have an ID theft or fraud happen to us than a heart attack or stroke**; 
• and more than (40) forty times more likely to have an ID theft or fraud happen to us than a fire or flood at our home***.

The average amount we pay for car insurance nationally is $935 per year. For health insurance the average American pays between $3,600 and $9,000 annually. And homeowners pay on average $1,083 per year for their homeowners insurance. Yet, millions of Americans have no plan or protection in place for managing the fallout from an ID theft or fraud event.   

The FTC reports that 64% of Americans have had their data compromised from a data breach and 31.7% of these breach victims end up having an ID theft or fraud event happen to them. This number has continued to increase over the years despite the availability of so many ID theft companies offering protective services. Jon Iannarelli, a retired FBI Special Agent and well-known presenter on cybersecurity has stated, “Nearly every company will experience a data breach. It’s no longer a question of if it’s going to happen, it’s when.” And, as quoted years ago by Mark Pribish, a recognized ID theft and data breach expert, this simple fact remains: “no company or service can ever guarantee an individual will not become a victim of an ID theft event.”  With the number and magnitude of data breaches happening over the past several years (i.e. Equifax, Uber, US Government, Marriott, etc.) it is nearly certain that the majority of consumers, your credit union members, will become a victim of ID theft or a fraud event.  Add to this, the most recent data breach by Capital One, affecting 100 million consumers, and it is clear that some kind of member ID protection service needs to be considered.  

Just like a heart attack, car accident or natural disaster, there are steps that individuals can take to lessen the likelihood of becoming a victim, but there are no fail-proof ways of completing avoiding the occurrence. This is why consumers have medical, auto and homeowners insurance - to help them financially recover in the event of such misfortunate happenings. And, this is why it’s imperative that consumers have similar recovery protection from ID theft and other fraud events.

So, credit unions have an opportunity to ramp up their focus on this growing problem and distinguish themselves by how they protect their members. Credit unions should pursue programs & services that are available to provide much needed awareness & education to members about the growing dangers they face.  And there are services available that can provide invaluable safety nets of protection for members with incredible value propositions.  

Imagine being able to bring your members full recovery and restoration services for any kind of ID theft or fraud at rates as low as $4 or $5 per month, which would also include all forms of monitoring.  In sharp contrast to what they pay for auto insurance or homeowners insurance, this is an unparalleled value that will further engage members and solidify their loyalty to your credit union. 

The value of your members protecting their identities should be far greater than many other things that they gladly pay a higher monthly cost for, such as Netflix, Amazon Prime and ATM Fees outside of the credit union and CO-OP network.  A little education and awareness makes this clear to members and allows the credit union, who they trust, a means to now protect their members from the fast growing dangers associated with an identity theft or fraud event…affording them true peace of mind.
 
Sources: 
*Insurance Information Institution
**Bloom, Ester. CNBC; “Here’s How Much the Average American Spends on Healthcare”
***ValuePenguin
Federal Trade Commission Consumer Sentinel Network Data Book 2018

​The avalanche of data breach events in the U.S. continues to plague businesses of all sizes.  The headline news only captures the larger company breach events, but there are thousands of small to medium size businesses who face devastating consequences from criminal attacks….and we just don’t hear about it. In fact, 53 percent of mid-sized businesses have already experienced a data breach, according to a recent Cisco SMB Cybersecurity Report. 
​
Many credit unions serve the financial needs of small to medium size businesses (SMBs) with services that help them maintain and grow their hopes and dreams.   According to recent studies, lurking in the dark are criminals who are focused on infiltrating these SMBs and creating a nightmare from which many cannot recover. These organizations often have smaller cybersecurity budgets and may not be able to afford a chief security officer (CSO) or in-house security team able to take on protective and response duties.

Today, there are breach recovery and ID theft protection services available that can help protect SMB owners from a possible collapse of their life’s dream. Credit unions have the opportunity to offer this type of service to their SMBs, which can provide the ultimate safety net for your business members. These services would also create greater member loyalty and a superior “business engagement” program.

Recent statistics from the National Cyber Security Alliance indicates that your business members are the most vulnerable to cyber- attacks. And according to a recent CU Times article, the number of data breaches in 2019, so far, indicate a record breaking year ahead of us. Now is the time to take action.

Do your due diligence and research to find solutions that allow you to more completely serve your SMB accounts by supporting their financial and cyber security needs.  There are solutions that go far beyond cyber insurance to create a comprehensive cybersecurity preparedness that ensures your business members survive and properly respond when faced with a breach disaster. Let’s face it, SMBs need to be focused on their day-to-day issues and they do not want to be burdened with financial stress or the outside threats from would-be criminals. 

Credit unions can differentiate themselves in these stressful times to provide a unique solution to SMBs and position themselves for more loans and revenue in the future, which can help maximize engagement with businesses, as well. 

As the data breach tidal wave continues within the US and internationally, the likelihood of an SMB executive or a key employee having a personal ID theft event is growing and expanding.  As SMB executives & employees receive more and more breach notices, the individual threats are escalating and, more importantly, the consequences of an attack today is more devastating than ever before.  According to recent statistics from Javelin Strategy Research, out of pocket costs for victims more than doubled in two years. Therefore, SMBs are also in dire need of credit union services that would extend ID theft recovery programs to all employees, or at least the primary employees and company executives.

Again, credit unions have access to service providers who can make it possible for them to provide this kind of critical SMB support for ID theft attacks against their business member’s employees/management.  These ID theft recovery services often can go hand-in-hand with finding the best data breach recovery services from service providers. Incorporating both data breach and ID theft recovery services into your overall business member account services will create a differentiator from other competing financial institutions…to help grow the number of businesses you serve.

Credit unions should look to maximize the kind of services they can bring to their SMB members. Research your providers and find those who can bring your business accounts a suite of services to drive your value proposition as high as possible. There are residual non-interest income opportunities which credit unions can generate with a strong account value of high quality and relevant services for their business members. Hopefully potential future legislation could pave the way for credit unions to be more aggressive with commercial loans. Therefore, a stronger bonding with business accounts can result in expanded loan opportunities and access to all the business’s employees as well. The non-interest income possibilities could allow your credit union to also be more aggressive in lowering loan rates or increasing interest rates on business account deposits.

The increasing threats of data breach events for SMBs isn’t going to go away.  Criminals know that these small companies are the low-hanging fruit for attack.  It is time for credit unions to expand their vision and look at new services to attract these vulnerable SMBs.  To sum it up, the benefits to your credit union, as a result of stronger business account offerings, include an expanded fee income stream, a greater engagement level for long term dealings, and a differentiator that attracts more businesses. 

Don’t ignore the signs of the times and miss a significant opportunity to better serve and support the life-blood of American growth and prosperity...SMBs.

 I Repeat…..“Only Three Things are Certain in life: Death, Taxes, and…Data Breaches” 
In 2015, I wrote an article about the certainties of our lives being affected by a data breach event. Similar to death and taxes, there are steps that we can take to mitigate its effects on our lives, but there is no way to fully prevent it from occurring. Funny how some things just don’t change….it’s nearly four years after I wrote the initial article and the certainty of data breaches occurring is as true today as it was back then. This article explains why. ​Credit unions would serve their members well to provide protection against the fallout of breach events…which just keep happening. I have only added a few new points (in parenthesis) to the article below, but the original message remains the same. ​

If Benjamin Franklin were alive today, I believe this would be his new take on his famous quote. He would recognize the inevitable fact that data breach events, like death and taxes, cannot be stopped. They certainly can be deterred and delayed, but based on the avalanche of data breach events in the past eighteen months, as well as the industry forecast for more to come, Franklin would warn, “Be prepared.” (Over a billion people were breached in just one month last year… between November 2018 and December 2018) 

We hear about the growing laundry list of companies who are focused on finding the magic pill that will give businesses and financial institutions, as well as individuals, a sense of peace and security. These companies all pinpoint individual elements of data breach exposure and create products or services sold as “preventative” solutions. Whether it is credit monitoring services, software encryption programs, EMV chip cards, document destruction, protective data storage offerings, etc., they’re all one dimensional solutions, fighting a multi-multi-multi-dimensional problem. (Blockchain technology was the 2018 “end-all solution” for ID theft….but it too has not failed to guarantee safety) 

So many former and current FBI leaders, and other criminal investigation experts, have warned about the pure fact that it is not a matter of IF you will experience a data breach, but rather WHEN it will happen. Security firms and experts on data breach, ID Theft, and cyber security all understand that the root of the problem is actually inherent in the world’s rapid technological advancements and the public desire for increasingly more data mobility & accessibility. These factors, coupled with the human element (social engineering), are the real reasons that data breach and ID theft events are not stoppable. 

The human element is responsible for almost 70% of all data breaches, even though cyber theft events get the lion’s share of headlines in major news reports. The human element consists of much more than international organized crime or the local bad guys trying to hack into your business. It is the disgruntled employee, the negligent vendor, the absent-minded manager, or simply the misplaced laptop or thumb drive of personal data…..and the list could go on. 

So when faced with the inevitable truth about data breach and ID theft events, what is the best way for your credit union to be prepared for WHEN it happens? 

Without neglecting your efforts to “deter” these events through proper policies, awareness programs, and compliance, it is imperative to have a strong and sound plan for mitigation and restoration/recovery. Incorporate strategies and solutions to help maximize your credit union’s preparedness for, and ability to, support members in their time of need, and for your institution in its time of the unthinkable. An interesting trend that was recently revealed by a Scottsdale, AZ firm, Cornerstone Advisors, indicates that consumers, especially millennials, are turning to credit unions or other financial institutions for non-financial services such as ID theft protection. And, as reported in a CU Times article, the majority of millennials are willing to consider buying bundled services at attractive prices. 
​
The good news for your credit union is there are resources to help you accomplish all of this, while also providing an opportunity to generate non-interest income as you educate your members and provide them with protection against these data breach certainties. Something perhaps even Franklin would applaud and consider “a penny saved”…. a lot of pennies!

Synthetic identity theft is a growing threat to credit unions—costing financial institutions billions of dollars. It’s a type of fraud in which a criminal uses fake information, sometimes combined with real (usually stolen) data, to create a fictitious identity. This made-up identity is used to open fraudulent accounts and make fraudulent purchases.

Credit unions and other financial institutions often fall prey to synthetic identity theft since much of the information criminals provide them with is legitimate. Synthetic identity theft allows the criminal to steal from lenders by opening credit card, auto loan and other accounts. In January, Accenture PLC listed synthetic-identity fraud as one of the biggest threats facing financial institutions in 2018.

Synthetic identity theft may account for five percent of uncollected debt and up to 20 percent of credit losses, or $6 billion in 2016, according to some industry analysts. The problem is even more acute with auto loans. TransUnion says a record $355 million in outstanding credit-card balances was owed by people who it suspects didn’t exist in 2017, up more than 8x from 2012.
Synthetic identity fraud exploits a weakness in America’s consumer-credit system. Lenders often consider a loan applicant legitimate if the applicant has a credit report at one of the three credit bureaus. But a new “credit file”—essentially a precursor to a credit report—often gets created when someone simply applies, even if the loan gets denied. If one lender approves a loan for the fictitious individual, that information can make the file a full-fledged credit report.

How a “Phantom Borrower” is Born:

• Scammer applies for loan using fake identity
• Query to credit-reporting firm reveals no borrowing history. Applicant likely gets rejected
• Query results in a new 'credit file,' a precursor to a credit report. Suddenly, a new identity has been born
• Scammer applies for more loans, expanding credit file, giving lenders perception that applicant is real
  
  

TransUnion and Experian say it is difficult to distinguish between a “phantom borrower” and a real borrower who’s applying for credit for the first time and has identifying information that isn’t on file.

One of the reasons that more criminals are using the synthetic identity scam is because lenders have gotten better at protecting against traditional identity theft, which often involves using stolen data about real consumers. When bypassing actual consumers, scammers send fewer “red flags.”

While individuals probably won’t get a high-spending-limit card or large loan without a repayment history, some identity scammers pay bills promptly to qualify for higher limits, then default on larger loans or when credit card has been “maxed out”. It then costs financial institutions a myriad of hours to track down individuals who don’t exist.

Fortunately for lenders, synthetic identity fraud detection and prevention strategies have evolved, as well. Digital technology, neural networks and predictive analytics powered by machine learning and artificial intelligence are helping to more quickly scan large databases like those generated by data-furnishing front companies.
​
Protecting Your Credit Union from Synthetic ID Theft
Synthetic identity can cost a credit union thousands of dollars and numerous unrecoverable hours. Protecting your credit union from synthetic identity requires strong security and recovery programs.

1. Implement Strong Security Processes 
   The use of biometrics and cross-referenced background checks for identity verification can help stop synthetic identity thieves. Take extra precautions when applicants have no credit history.
   
   
2. Provide Fully Managed ID Recovery 
   Give account holders the right tools and support to keep them safe from synthetic identity theft. In the event their information is ever compromised, they’ll want to know that their credit union is there to help. Implement a Fully Managed Recovery (FMR) program that puts members’ service first and will act on their behalf during the entire identity restoration process.

​
Having greater cybersecurity preparedness needs to be the top priority for credit unions. This will help credit unions avoid becoming victims of synthetic identity fraud, as well as will create the basis for the ultimate response to any data breach or identity theft when it happens. Strong cybersecurity preparedness isn’t cheap, so credit unions must search and find solutions that also generates new income streams while delivering cybersecurity preparedness.

Source: "The New ID Theft: Thousands of Credit Applicants Who Don’t Exist” WSJ, 6 March. 2018.

With the one year anniversary of the Equifax data breach upon us, affecting over 147 million adult Americans, there is an ever increasing need for Americans to be “on guard” from the effects of this breach, and so many others like it (UBER, Sonic, UnderArmor, etc.). Credit Unions have a golden opportunity to show their members, and potentially new members, that they recognize the growing risks facing their members far outside the walls of the credit union itself.

A recent study conducted by a team of researchers at the University of Michigan School of Information shows that consumers (your members) have exhibited an optimism bias that has led to a significant degree of complacency or total lack of action in response to the Equifax breach.  Whether you call it “putting their heads in the sand”, “rolling the dice”, or exhibiting the “it hasn’t happened to me yet” syndrome, people (members) need to know they’re taking enormous risks with this complacent approach.  New account and Account Takeover fraud has increased more than 200% in the US over the past three years, thus magnifying the risks for members as they face more serious ID theft nightmares.

In a recent interview with FBI Retired-Special Agent, John Iannarelli, he explained that, “The criminals who perpetrated the Equifax breach will sit on the majority of data for as much as a year or more before using it. They know the nature of consumers is to get more complacent over time, long after a major breach. They know there will be an initial rush to have protection immediately following the breach, then folks just get lax, assuming it’s all safe and lose their vigilance. And that’s when the thieves will strike.”

The U of M report indicated that some consumers simply delay taking security related actions to protect themselves until after they know they are actually harmed.  There is a general lack of awareness about the best ways to protect themselves.  They don’t understand the extensive time and labor involved in managing the recovery efforts.  Most often they are mistaken about various monitoring services that they “believe” will prevent ID theft from happening. This lack of awareness issue includes a misinterpretation of how preventative services, or so-called “resolution services”, actually work, or don’t work, as they are led to believe from their descriptions.

Another interesting trend has recently been revealed by a Scottsdale, AZ firm, Cornerstone Advisors, which indicates that millennial consumers (members) are turning to credit unions or other financial institutions for non-financial services such as ID theft protection. And, as reported in last month's CU Times article, Millennials Open to Buying Non -Financial Services from CUs, the majority of millennials are willing to consider buying bundled services at attractive prices.

This new Cornerstone study reflects complementary results to an early 2017 study released by Assurant, Inc., which reported that the majority of surveyed US consumers were fearful of ID theft & cybersecurity.  Over 60% of the consumers indicated that they were “terrified” or “very concerned” about ID theft or cyberattacks, prompting 79% of the respondents to be “more likely” to buy protective services.

Another contributor to consumer complacency is a vast array of “technology wielding” companies urging consumers to trust in the next “magic pill” solution that will make all of the ID theft threats evaporate (i.e. remember how EMV chip cards would be the final answer?).  Recently, the hope of technology rests upon Blockchain companies to produce the fix for all identity theft.  However, subject matter experts such as Mark Pribish, VP & ID Theft Practice Leader at Merchants Information Solutions, have the insights into the reality of data breach events and their ID theft fallout, which reveal that the direct cause of many breaches and ID theft events are from human fallibility vs. technology attacks (i.e. hacking, malware). Therefore, the power of Blockchain solutions, which focuses predominantly on technology controlled data, will continue to face serious limitations as a means to end all identity theft.

In conclusion, credit unions have an excellent opportunity to take a leadership role by bringing members a real solution to preparedness against data breach & ID theft events. Pribish offers great advice in his own summation, “I recommend that companies and individual consumers focus on response and recovery—because it’s not a question of if, but when a company experiences a data breach even if your organization has implemented Blockchain technology…”  CU’s can make an enormous impact on their members with strong awareness programs and provide them bundled ID theft services with rich value propositions. Why should members be forced to find third party solutions online (via Amazon, Apple, etc.) with services from companies they do not trust at rates much higher than they’d expect from their trusted credit union?
​
So celebrate the one year anniversary of the Equifax breach with definitive action to serve your members before the next anniversary….and end your members’ confusion, complacency, and increasing vulnerability that criminals are using to their advantage.  

In light of last September’s Equifax data breach event – along with new proposed cybersecurity legislation – credit unions have an opportunity to enhance their cybersecurity best practices and generate residual non-interest income by offering identity theft and breach response services to its members.
 
Here are four lessons learned from the Equifax breach that can help protect your members and credit union:
 
Lesson #1 “the Equifax Affect,” no company can fully prevent a data breach from happening. Even Equifax, with more financial and IT resources than most companies in the U.S., wasn’t able to prevent a data breach from occuring.
 
In Equifax’s case, their data breach event affected 145 million U.S. consumers where information breached included names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers and more.
 
Lesson #2 “response and recovery,” where Equifax failed in multiple ways to respond in a timely and responsible manner.  First, and with irony, the Equifax breach happened because the company failed to fix a software flaw that federal officials had warned about months before. But to make matters worse, Equifax waited nearly six weeks to notify the public after learning of the hacking event.
 
When this crisis happened, Equifax’s failed management response resulted in its chief information officer and chief security officer “stepping down” and its CEO “retiring.”
 
Lesson #3 “the future of cybersecurity laws” could include the potential for criminal action for officers and board members of any size organization. CSOonline.com released an article titled The year ahead in cybersecurity law, where CSO states that “major legal cases and proposed state and federal legislation will shape how companies respond to and attempt to mitigate cybersecurity and data privacy risks.”
 
Lesson #4 “industry best practices should include response and recovery” as Risk and Insurance Magazine highlights in this article titled Cyber Threat Will Get More Difficult, where General Michael Hayden, former head of the Central Intelligence Agency and National Security Agency, and current principal at the security consultant the Chertoff Group, stated that “companies should focus on response, resiliency and recovery when it comes to cyber risks.”
 
According to Hayden, “companies are focusing on the vulnerability aspect, and responding by building high walls and deep moats to keep attackers out.”  He said “If you do that successfully, it will prevent 80 percent of the attackers.”
 
“But that still leaves 20 percent vulnerability, so companies need to focus on the consequences: It’s about response, resiliency and recovery,” said Hayden.
 
In an era of growing data breach risks, credit unions that offer data breach “response” services to their business accounts can differentiate themselves. These unique data breach recovery services can help to attract and retain business accounts, which will incrementally grow revenues. 
 
All businesses need strong document management policies and since financial institutions are particularly targeted by criminals,  credit unions need strong data breach response solutions themselves to help protect the institution, their members, staff and board of directors.
 
For all these reasons noted above, complying with NCUA Supervisory Priorities for greater cybersecurity preparedness needs to be the top priority for credit unions.  This will help credit unions avoid the “Equifax nightmare” and create the basis for the ultimate response to any data breach “when” it happens.  Credit unions must search and find solutions that will not only address cybersecurity preparedness, but also generate new income streams…because cybersecurity preparedness isn’t cheap.
 
Mark Pribish (mpribish@merchantsinfo.com) is the VP and ID Theft Practice Leader at Merchants Information Solutions, Inc., a leading ID theft and data breach services firm based in Phoenix, AZ.  He has authored hundreds of articles and white papers and is frequently interviewed by local and national media as an identity theft and data breach risk management expert.
 
Jim McCabe (jmccabe@veroproducts.com) is the SVP, Identity Theft Solutions, Vero, LLC, a subsidiary company of CU Direct.  Jim has developed his subject matter expertise in ID theft & data breach solutions and has contributed to industry publications & blog sites, while consistently speaking for conferences & webinars to foster awareness & education of best practices.
 
Request a WebEx by Vero to learn about unique solutions to maximize the preparedness of your CU, improve member value, and potentially increase non-interest income. 

Despite a heightened understanding and awareness of the importance of strong cyber security by everyone, the trend of data breach attacks continues to increase - impacting thousands of businesses and millions of individuals.  Last year, there was a 40% increase over 2015 in the number of businesses that were impacted by data breaches. Businesses of all sizes were hacked by criminals that used techniques such as ransomware and non-malware attacks to steal data.
 
No organization is safe from a data breach.  It’s no longer a question of “if”, but “when” a business will have its data compromised…per retired FBI special agent
  
Over the last five years, data breaches have recurrently made headline news as large businesses such as; Yahoo, Target, Home Depot, Dropbox, Ebay, JP Morgan Chase, Anthem and Living Social, were hit by hackers. Thousands of credit union cardholder members were impacted by these hacks.  Yahoo’s 2013 and 2014 hacks took 2-3 years to discover; allowing the criminals and black market even more time to devastate the victims’ identities. Most recently, restaurant chain Arby’s was hacked by malware that affected 1,000 restaurants and even more credit union members – very much like Wendy’s ’16 breach.
 
Although there are steps that organizations can take to help make themselves less vulnerable to a data breach, it is impossible for any organization to guarantee it won’t happen. 
 
Nearly two-thirds of Americans (64%) have personally been victims of data breaches. And 65% of US Consumers are terrified of experiencing an ID theft.
 
According to Pew Research Center’s most recent survey:

• 41% of Americans have encountered fraudulent charges on their credit cards.
• 35% have received notices that some type of sensitive information (like an account number) had been compromised.
• 16% say that someone has taken over their email accounts, and 13% say someone has taken over one of their social media accounts.
• 15% have received notices that their Social Security number had been compromised.
• 14% say that someone has attempted to take out loans or lines of credit in their name.
• 6% say that someone has impersonated them in order to file fraudulent tax returns.

 
To make matters worse, coinciding with the rise of data breach victims, there is now the new threat of Civil and Class-Action Lawsuits facing the businesses from these victims – driving new legal and settlement costs.
 
The aftermath of big company data breaches is almost always characterized by class-action lawsuits.  While not every litigation makes its way to the public eye, it is becoming more and more common for organizations of all sizes to face a civil or class-action lawsuit after a data breach.  The best way that credit unions and other organizations can protect themselves against litigation is to have a trusted Fully Managed Recovery System in place, such as Vero's IDProSelect.

The majority of Americans expect cyberattack on the nation’s banking and financial systems.
 
Many Americans lack confidence that various public and private institutions will be able to protect their personal information from bad elements.  While Americans often first turn to their financial institution after finding out that they’ve been a victim of a data breach, the majority of them also fear that a major cyberattack will occur on the nation’s banking and financial systems within the next five years.  Organizations that have implemented a Fully Managed Recovery System often have clients and members that have greater peace-of-mind.
 
Having programs in place for cyber security and data breach response is no longer just an option for credit unions.  For the second year in a row, the NCUA’s Supervisory Priorities have mandated that credit unions have a plan for 1) cyber security 2) member response and 3) fraud prevention.  Vero’s IDProSelect helps credit unions address these areas of NCUA's 2017 Supervisory Priorities. 
 
For more information on how your organization can protect itself from the ramifications of a data breach or to receive more information on Vero’s  IDProSelect, please contact Jim McCabe at jmccabe@veroproducts.com or call (480) 748-0403.