Post-Breach PR
By Swedberg, Jamie | |
Proquest LLC |
How to communicate with members in the wake of a data compromise
was the week before Christmas, when the news started to break.
.
"We were bombarded with phone calls from our members," she recalls. "And we were constantly, constantly in contact with our card processor, trying to figure out when we were going to get our Compromised Account Management System alert to tell us whose cards were compromised. They just kept telling us, 'Well, we're waiting, we're waiting, they're trying to figure out who it is.'
"So we were checking every hour on the hour through Thursday and Friday to get that CAMS alert, and we were telling members, 'Keep an eye on your accounts, and let us know [if you see fraudulent activity]."
As she and her staff (the CU has a total of six employees) were waiting, they sent out an email blast to members, reiterating the message.
A CU volunteer showed up to help answer the phones.
"She did great with the members, just kind of calming them down and telling them what we knew, which wasn't a lot," Brodersen says. "That was the hard part-we did not know a lot. We were just reassuring them.
"We held off on closing cards, because once you close a card, then you have to wait for a new card, and it was Christmas! It could not have been a worse time for this to happen. So we told our members we didn't want to go drastic and close their cards down until we knew they had been compromised."
Late Night
Brodersen and her colleagues were on their way out the door on Friday night at 5:15 when the CAMS alert came. There were four people still left: Brodersen, a vice president, an assistant VP of member service, and a part-time member service agent.
"We all put our purses down and we tagteamed," Brodersen says. "My two member service folks started pulling up cards, closing accounts, reordering cards. And my vice president and I got on the phones and we literally spent about six hours, until about 11:00 or 11:30 Friday night, calling every single person on that list that was compromised to let them know."
There were 150 members on the list, out of a total of 800 cardholders. Some were difficult to reach, but the CU staffers kept calling
Some of the members were out at dinner and had been planning to pay for their meal with the affected card. Brodersen had them call back and close the card after they had paid. In the end, there were only a handful whose cards had to be canceled without prior notification.
"But we still kept trying," she says. "We tried people two or three times Friday night and then again Saturday, to get hold of every member and have that personal conversation with them, to kind of ease their mind and let them know what we were doing. Our members are very important to us, and we just did not feel like we could cut their cards off without talking to them."
Be Consistent
If this sounds intense, it's because it was. But it's a perfect example of how a credit union can take a potentially negative public relations event like a credit card breach and turn it into a positive.
With consistent communication and a commitment to the members' best interest, a credit union can get the message out: This is rotten for all of us, but we've got your back and we're going to do our best to make this situation better.
"The truth is, this kind of communication is not that difficult," says
"That's such a differentiating message for credit unions," he adds. "Banks try [to send out that message], but people don't generally believe them. Credit unions try and people usually do."
Personal Communication
Social media isn't the right platform for all kinds of marketing communication, but it's perfect for this, says
"This is not a case of 'Let's get our marketing story out to people,"' he says. "This is need-to-know information, and that's what social media is designed for. It's designed to tell people what they want to know as it affects their lives. You can post FAQs, or you can lead people to your website for more information."
Ideally, the credit union will reach out personally to members who are directly affected, he says, and the key to that is making sure your member contact information is always up to date.
It should be an ongoing effort to make sure the credit union has a working phone number and, if possible, a current email address for every member.
Stay On Message
What should CUs make sure not to do in this situation? There are two deadly sins in catastrophe PR: not keeping people informed, and giving out misinformation. The second can happen unintentionally if a credit union doesn't communicate well within its organization and get everyone on message.
"What we advise our clients in this case is the need to marshal the facts," says Prichard. "Before you do any communicating, there needs to be a thorough conducting of fact-finding. You just have to get the facts right. They also need a crisis communications plan, to get employees first of all informed of what's going on, so that they can speak intelligently to members and to the general public."
"Sure, Not a Problem"
When
She was able to email most of them, but those with no email address on file received letters instead. Her department also posted information about the breach on Commonwealth One FCU's website and on
The credit union elected not to close the questionable cards, instead opting to wait and monitor those accounts carefully.
"Our strategy was to act in the best interest of the members by providing as much information as possible to help them make good decisions," Cook, a CUES member, says.
"For example, someone who regularly monitors their account online and has a dozen automatic payments may not want to be forced into a new card number due to the work involved in updating all the payees," she explains.
On the other hand, there were some members who weren't on the list but were still worried about their accounts.
Cook put the word out to all credit union staff: If anyone called in and wanted a new card, regardless of whether they were on the list, the answer should be, "Sure, not a problem. We'll be happy to go ahead and do that for you."
"If it's going to give them peace of mind that we go ahead and reissue that card, that's what we want to do," she explains.
"Members who were interested in having their card replaced contacted us, and it was taken care of immediately. We also assured them of the fraud detection tools [we had] in place," she adds.
Cook says her philosophy on crisis PR is that it's best to get out there early and acknowledge that the credit union is aware of the issue and is working on the members' behalf.
Look to Card Processor
In some cases, card processors may be able to help with the effort.
TMG also distributed talking points internally and implemented new on-hold messaging for its call center, letting callers know call volumes were increasing due to the breach and that they appreciated the callers' patience.
"Those are the kinds of things that you really take into consideration," she says. "No one wants their cards to be shut down, especially during the highest shopping season of the year. We try to make that as painless as possible for cardholders and clients."
Coming up Roses
When a credit union handles a card breach well, it can give members a sense of confidence and increase their longterm loyalty. In some cases, it can also increase members' sense of participation and ownership in the institution.
Focus Family FCU had some members who became extremely distraught at their cards being shut down on the last holiday shopping weekend, but thanks to a new technology, the CU was able to help them out of that pinch-and it made the CU look like heroes.
"We have a new next-generation Diebold ATM that has shared branching capability in the CO-OP network," says Brodersen. "When you use the machine, you can either use it as a regular ATM, or you can use it as shared branching. If you do [shared branching], it needs the card to identify you, but nothing else."
Brodersen explained to the affected cardholders that they could get cash out of the special ATM using their debit cards, even though the cards had been deactivated. As she talked with members on Friday night, she told them to come to the CU on Saturday morning and she'd walk them through getting enrolled in the program.
"I had a 19- or 20-year-old girl who, when I called her, she started bawling on the phone, she was so upset," Brodersen says. "And I said to her, 'Well, come down Saturday and we'll do this process.' So she did. She showed up Saturday morning and I walked her through the process of getting her enrolled and showed her how she could get money. She was so excited that she wasn't going to be completely shut off. And her dad came down with her, too, and he also got enrolled in the ATM."
Not every credit union will have emerged from the Target data breach with such a positive outcome. But there will always be another fraud in the future. The key is to learn from every incident, and do better and better as time goes on.
"You could say that one of the good things about a crisis is that when it's over, you have a rare opportunity to change the culture of an organization," Prichard says. "It is a wake-up call. So that should be part of the aftermath of a crisis: saying 'Let's change things here and do things better next time.'"
To Reissue, or not to Reissue?
"Just replace all of the cards," says Managing Director of Payment Solutions
But not everyone goes that route every time. The Target data breach, happening during the holiday season, made some credit unions especially reluctant to shut down members' cards.
"There are two approaches credit unions have been taking," says
In some cases, a wait-and-see approach seems to work out favorably.
"We stopped reissuing on breaches back in 2010 and continue to have a .04 percent fraud-to-sales rate, in comparison to our peers' average of .08," says
While Commonwealth One FCU does not automatically reissue cards, it will reissue a card to any member who asks for a new one, Cook adds.
Resources
Read another article about card security on p. 12.
Read more about cards when you search at cues.org/cu-management/ archives.
Or take your marketing to a higher level at
The 2014 CUES Golden Mirror Awards(TM) are coming back to a live show! Join us July 16-between
Copyright: | (c) 2014 Credit Union Executives Society |
Wordcount: | 2482 |
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News