Post-Breach PR

How to communicate with members in the wake of a data compromise

was the week before Christmas, when the news started to break.

.A. Amy Brodersen, CEO of $28 million/2,900-member Family Focus Federal Credit Union (www. family focusfcu.org), Omaha, Neb., heard about the Target data breach on her way to work on Thursday, Dec. 19, and by the time she got to the office, the phones were ringing off the hook.

"We were bombarded with phone calls from our members," she recalls. "And we were constantly, constantly in contact with our card processor, trying to figure out when we were going to get our Compromised Account Management System alert to tell us whose cards were compromised. They just kept telling us, 'Well, we're waiting, we're waiting, they're trying to figure out who it is.'

"So we were checking every hour on the hour through Thursday and Friday to get that CAMS alert, and we were telling members, 'Keep an eye on your accounts, and let us know [if you see fraudulent activity]."

As she and her staff (the CU has a total of six employees) were waiting, they sent out an email blast to members, reiterating the message.

A CU volunteer showed up to help answer the phones.

"She did great with the members, just kind of calming them down and telling them what we knew, which wasn't a lot," Brodersen says. "That was the hard part-we did not know a lot. We were just reassuring them.

"We held off on closing cards, because once you close a card, then you have to wait for a new card, and it was Christmas! It could not have been a worse time for this to happen. So we told our members we didn't want to go drastic and close their cards down until we knew they had been compromised."

Late Night

Brodersen and her colleagues were on their way out the door on Friday night at 5:15 when the CAMS alert came. There were four people still left: Brodersen, a vice president, an assistant VP of member service, and a part-time member service agent.

"We all put our purses down and we tagteamed," Brodersen says. "My two member service folks started pulling up cards, closing accounts, reordering cards. And my vice president and I got on the phones and we literally spent about six hours, until about 11:00 or 11:30 Friday night, calling every single person on that list that was compromised to let them know."

There were 150 members on the list, out of a total of 800 cardholders. Some were difficult to reach, but the CU staffers kept calling

Some of the members were out at dinner and had been planning to pay for their meal with the affected card. Brodersen had them call back and close the card after they had paid. In the end, there were only a handful whose cards had to be canceled without prior notification.

"But we still kept trying," she says. "We tried people two or three times Friday night and then again Saturday, to get hold of every member and have that personal conversation with them, to kind of ease their mind and let them know what we were doing. Our members are very important to us, and we just did not feel like we could cut their cards off without talking to them."

Be Consistent

If this sounds intense, it's because it was. But it's a perfect example of how a credit union can take a potentially negative public relations event like a credit card breach and turn it into a positive.

With consistent communication and a commitment to the members' best interest, a credit union can get the message out: This is rotten for all of us, but we've got your back and we're going to do our best to make this situation better.

"The truth is, this kind of communication is not that difficult," says Timothy Kolk, owner of TRK Advisors (www.trkadvisors.com), Peterborough, N.H. "I'm not suggesting the issue is an easy one. But these are breaches caused by other entities in the operational chain, very rarely by the issuers. So you need to develop a communication path that says, 'We're on your side and we're going to be watching for signs of trouble.'

"That's such a differentiating message for credit unions," he adds. "Banks try [to send out that message], but people don't generally believe them. Credit unions try and people usually do."

Personal Communication

Social media isn't the right platform for all kinds of marketing communication, but it's perfect for this, says Bill Prichard, manager of public relations and corporate communications at CUES Supplier member CO-OP Financial Services (www. co-opfs.org), Rancho Cucamonga, Calif.

"This is not a case of 'Let's get our marketing story out to people,"' he says. "This is need-to-know information, and that's what social media is designed for. It's designed to tell people what they want to know as it affects their lives. You can post FAQs, or you can lead people to your website for more information."

Ideally, the credit union will reach out personally to members who are directly affected, he says, and the key to that is making sure your member contact information is always up to date.

It should be an ongoing effort to make sure the credit union has a working phone number and, if possible, a current email address for every member.

Stay On Message

What should CUs make sure not to do in this situation? There are two deadly sins in catastrophe PR: not keeping people informed, and giving out misinformation. The second can happen unintentionally if a credit union doesn't communicate well within its organization and get everyone on message.

"What we advise our clients in this case is the need to marshal the facts," says Prichard. "Before you do any communicating, there needs to be a thorough conducting of fact-finding. You just have to get the facts right. They also need a crisis communications plan, to get employees first of all informed of what's going on, so that they can speak intelligently to members and to the general public."

"Sure, Not a Problem"

When $316 million/34,000-member Commonwealth One Federal Credit Union (www.cofcu.org), Alexandria, Va., received a list of cardholders who had shopped at Target during the time of the compromise, Chief Marketing Officer Suzanne A. Cook started contacting all the members on the list.

She was able to email most of them, but those with no email address on file received letters instead. Her department also posted information about the breach on Commonwealth One FCU's website and on Facebook.

The credit union elected not to close the questionable cards, instead opting to wait and monitor those accounts carefully.

"Our strategy was to act in the best interest of the members by providing as much information as possible to help them make good decisions," Cook, a CUES member, says.

"For example, someone who regularly monitors their account online and has a dozen automatic payments may not want to be forced into a new card number due to the work involved in updating all the payees," she explains.

On the other hand, there were some members who weren't on the list but were still worried about their accounts.

Cook put the word out to all credit union staff: If anyone called in and wanted a new card, regardless of whether they were on the list, the answer should be, "Sure, not a problem. We'll be happy to go ahead and do that for you."

"If it's going to give them peace of mind that we go ahead and reissue that card, that's what we want to do," she explains.

"Members who were interested in having their card replaced contacted us, and it was taken care of immediately. We also assured them of the fraud detection tools [we had] in place," she adds.

Cook says her philosophy on crisis PR is that it's best to get out there early and acknowledge that the credit union is aware of the issue and is working on the members' behalf.

Look to Card Processor

In some cases, card processors may be able to help with the effort.

Georgann Smith, VP/marketing at CUES Supplier member The Members Group (www.themembersgroup.com), Des Moines, says she sent out a kit to her credit union clients that included talking points they could share with cardholders and language they could put on their websites.

TMG also distributed talking points internally and implemented new on-hold messaging for its call center, letting callers know call volumes were increasing due to the breach and that they appreciated the callers' patience.

"Those are the kinds of things that you really take into consideration," she says. "No one wants their cards to be shut down, especially during the highest shopping season of the year. We try to make that as painless as possible for cardholders and clients."

Coming up Roses

When a credit union handles a card breach well, it can give members a sense of confidence and increase their longterm loyalty. In some cases, it can also increase members' sense of participation and ownership in the institution.

Focus Family FCU had some members who became extremely distraught at their cards being shut down on the last holiday shopping weekend, but thanks to a new technology, the CU was able to help them out of that pinch-and it made the CU look like heroes.

"We have a new next-generation Diebold ATM that has shared branching capability in the CO-OP network," says Brodersen. "When you use the machine, you can either use it as a regular ATM, or you can use it as shared branching. If you do [shared branching], it needs the card to identify you, but nothing else."

Brodersen explained to the affected cardholders that they could get cash out of the special ATM using their debit cards, even though the cards had been deactivated. As she talked with members on Friday night, she told them to come to the CU on Saturday morning and she'd walk them through getting enrolled in the program.

"I had a 19- or 20-year-old girl who, when I called her, she started bawling on the phone, she was so upset," Brodersen says. "And I said to her, 'Well, come down Saturday and we'll do this process.' So she did. She showed up Saturday morning and I walked her through the process of getting her enrolled and showed her how she could get money. She was so excited that she wasn't going to be completely shut off. And her dad came down with her, too, and he also got enrolled in the ATM."

Not every credit union will have emerged from the Target data breach with such a positive outcome. But there will always be another fraud in the future. The key is to learn from every incident, and do better and better as time goes on.

"You could say that one of the good things about a crisis is that when it's over, you have a rare opportunity to change the culture of an organization," Prichard says. "It is a wake-up call. So that should be part of the aftermath of a crisis: saying 'Let's change things here and do things better next time.'"

To Reissue, or not to Reissue?

Scottsdale, Ariz.-based Cornerstone Advisors, Inc. (www. crnrstone.com), a CUES Supplier member and strategic partner, recommends a direct approach to card fraud: As soon as you find out which cards are affected, reissue them en masse.

"Just replace all of the cards," says Managing Director of Payment Solutions Bob Roth. "It sucks, but it's a cost of doing business. MasterCard and Visa, whichever is your brand, are going to send you a list of compromised cards about the week after [a breach]. If you take that list and immediately go out and reissue cards to those folks and get in advance of it, you are really just cutting down the number of opportunities [for fraud], because a lot of that fraud happens in day four, five, six, seven, and eight."

But not everyone goes that route every time. The Target data breach, happening during the holiday season, made some credit unions especially reluctant to shut down members' cards.

"There are two approaches credit unions have been taking," says Roger Nettie, senior consultant for risk management at CUES Supplier member and strategic partner CUNA Mutual Group (www.cunamutual.com), Madison, Wis. "When they know which cards are compromised, they can reach out to the members and let them know we're going to cancel the existing card, block it, and reissue a new one. That's the most proactive way to remove any fraud coming through. The other group is saying, 'We don't know if there's going to be much, if any, fraud,' so rather than going through the expense of reissuing all those cards, they'll tighten up the neural networks and technology that they use to monitor for suspicious activity. They'll tighten the parameters on 4j those to be able to spot trends that might - be starting up, and then ~ they can proactively deal with those specific accounts."

Georgann Smith, VP/marketing at CUES Supplier member The Members Group (www.themembersgroup. com), Des Moines, says most of her clients took a waitand-see approach, tweaking their fraud parameters and temporarily limiting the size of transactions at certain types of merchants.

In some cases, a wait-and-see approach seems to work out favorably.

"We stopped reissuing on breaches back in 2010 and continue to have a .04 percent fraud-to-sales rate, in comparison to our peers' average of .08," says Suzanne A. Cook, chief marketing officer at $316 million/34,000member Commonwealth One Federal Credit Union (www. cofcu.org), Alexandria, Va. "We use [the neural network] Falcon. We monitor, using our internal and Visa-issued tools. Ultimately, if the cardholder would like a reissued plastic, we educate them that there is no assurance it won't happen again-which is why we go to the expense of the tools we use to protect them."

While Commonwealth One FCU does not automatically reissue cards, it will reissue a card to any member who asks for a new one, Cook adds.

Resources

Read another article about card security on p. 12.

Read more about cards when you search at cues.org/cu-management/ archives.

Attend CUES School of Product and Channel Management, April 28-29 in Austin, Texas, cues.org/sopcm.

Or take your marketing to a higher level at CUES School of Strategic Marketing(TM) I and CUES School of Strategic Marketing(TM) II, July 14-18 in Seattle. Register at cues.org/sosm or cues.org/sosm2.

The 2014 CUES Golden Mirror Awards(TM) are coming back to a live show! Join us July 16-between CUES School of Strategic Marketing I and liât the Museum of History and Industry in Seattle to honor CU marketers making a difference. Enter the CUES GMAs by April 21 at cues.org/gma.

Jamie Swedberg is a freelance writer based in Athens, Ga.