Bank Board Letter — June 2014
Paul Schaus

The onslaught of data breaches at Target, Neiman Marcus, Michaels and Sears affecting tens of millions of customers has highlighted the need for community banks to have a plan for notifying customers whose debit or credit cards might be compromised, and a process to determine whether to replace those cards.

But how do banks decide where to draw the line? Should they immediately reissue all of their cards, wait to hear back from customers about losses from such breaches, or strike some sort of middle ground?

Regardless of size, a bank must gauge the impact on its customers, and it must do so quickly: procrastination only adds to the losses. Thieves sometimes wait months before using stolen card numbers or the counterfeit cards they manufacture from stolen card data. By then customers may have relaxed their monitoring and miss the fraudulent transactions, which add up quickly once the fraudsters start using the cards, and the bank's monetary losses can skyrocket.

Spending money at the outset on card reissuance could save banks money, but whether that is feasible depends on the volume of customers’ cards impacted at each bank.

JPMorgan Chase in New York City replaced 2 million Chase Bank credit and debit cards just weeks after Minneapolis-based retailer Target Corp. announced that its in-store network had been hacked between late November and mid-December and that the card information and personal data of up to 70 million customers had been stolen.

JPMorgan emailed notices to affected customers, letting them know many of its 5,600 Chase branches were open at least one Sunday in January, to enable customers to get replacement cards on the spot. In future incidents of data breaches necessitating reissuance of debit or credit cards, Chase Merchant Services will be able to automatically update Chase cards stored in the Chase Wallet mobile app.

A smaller bank, the $134 million-asset First Mountain Bank in Big Bear, Calif., temporarily suspended all of its debit cards for several days in December after Target announced its breach, and then issued a message in red block letters on its website, warning customers to monitor their checking accounts for fraudulent activities. First Mountain then reissued debit cards upon customer request.

Other institutions, such as the $4.2 billion-asset Pennsylvania State Employees Credit Union in Harrisburg, leveraged social media. When the credit union learned that more than 28,000 of its customer cards could have been impacted, it not only emailed the affected customers but also posted a warning message on its Facebook page. Within several days, the post had over 5,300 views, 191 likes, 52 shares and 60 comments.

The most conservative bankers would likely cancel all affected cards as soon as a breach notification arrives and reissue new cards before researching their own databases. Generally, though, the smarter bankers would first determine the extent of the impact on their particular institution: whether only a small group of customers was affected or the exposure was widespread. For example, if there was no Target store within the bank's market, few clients were likely affected; but if most of the bank's branches were in the same markets as Target stores, a mass reissue might be the right call.

The key is to take action in a timely manner, since losses can easily mount. Procrastination is not a good strategy. Banks must be proactive and conduct reviews of customers within their databases to determine who might have shopped at the affected retailer that announced a breach. And banks cannot wait to notify their customers that they also need to monitor their accounts. Banks can determine later whether to reissue cards, depending on the volume of those actually impacted.

Considering that such massive data breaches are on the rise, banks should develop a response plan before any of their customers are affected. Hopefully every bank is already prepared for this type of problem and has procedures and policies in place. Banks should play out "what-if" scenarios and have a process to determine whether the impact is high or low and whether there have been any fraudulent transactions, and then react accordingly.

The $464 million-asset StonehamBank in Massachusetts put a data breach response plan in place after the bank's customers were impacted by the TJX (T.J. Maxx) breach in 2007. After the bank learned that roughly 900 of its customer cards were impacted by the Target breach, StonehamBank used FoxtrotOne's software program to separate the cards that were actually compromised from those that might have been or could subsequently be compromised. The bank immediately reissued the compromised cards, and sent letters and emails to customers in the latter group alerting them to monitor their accounts for fraudulent transactions. Stoneham also disabled signature transactions on the cards in that latter group to minimize fraud, while still allowing customers to use their PINs for their own transactions, since a counterfeit card made from stolen card data can be swiped for a signature purchase but is useless without the PIN.

Although sophisticated software can be useful, not all community banks need to invest in such solutions. They should be able to find ways to query their own transaction databases using in-house technology.
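The following is an added example, not code from the article, from FoxtrotOne or from any of the banks named here. It shows the in-house review the preceding paragraphs describe: querying the bank's own transaction history for cards used at the breached merchant inside the announced window, combining that with the card network's list of confirmed-compromised cards, deciding between a targeted and a mass reissue based on the share of the portfolio affected, and recording the "block signature, keep PIN" control for cards awaiting replacement. The transaction rows, the merchant descriptor pattern, the breach window dates, the network alert list and the 50% mass-reissue threshold are all constructed assumptions for the example; card references are opaque tokens standing in for tokenized PANs.

```python
import sqlite3
from datetime import date

# Constructed sample data for this example. Card references are opaque tokens
# standing in for tokenized or hashed PANs; never expose raw card numbers to an
# analyst's query tool. The merchant pattern, breach window and "network alert"
# list are assumptions standing in for what the retailer's notice and the card
# network's compromised-account alert would actually supply.
BREACH_MERCHANT_PATTERN = "TARGET%"          # matches in-store descriptors such as "TARGET T-1234"
BREACH_WINDOW = (date(2013, 11, 27), date(2013, 12, 15))
NETWORK_ALERT = {"card-0002", "card-0004"}    # tokens the network reported as exposed

TRANSACTIONS = [
    # (card_ref, merchant descriptor, txn_date, amount, entry_mode)
    ("card-0001", "TARGET T-1234", "2013-12-01",  54.10, "swipe"),
    ("card-0002", "TARGET T-1234", "2013-12-03", 120.00, "swipe"),
    ("card-0003", "GROCER",        "2013-12-03",  31.20, "swipe"),
    ("card-0004", "TARGET.COM",    "2013-12-10",  89.99, "online"),  # card-not-present
    ("card-0005", "TARGET T-5678", "2013-11-20",  12.50, "swipe"),   # before the window
    ("card-0006", "GAS STATION",   "2013-12-20",  40.00, "swipe"),
    ("card-0007", "PHARMACY",      "2013-12-21",  18.75, "chip"),
    ("card-0008", "RESTAURANT",    "2013-12-22",  62.00, "swipe"),
    ("card-0001", "GAS STATION",   "2014-01-05",  40.00, "swipe"),
]


def build_db():
    """Create an in-memory copy of the bank's card transaction history."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE card_txn (card_ref TEXT, merchant TEXT, "
                 "txn_date TEXT, amount REAL, entry_mode TEXT)")
    conn.execute("CREATE TABLE card_control (card_ref TEXT PRIMARY KEY, "
                 "status TEXT, signature_allowed INTEGER, pin_allowed INTEGER)")
    conn.executemany("INSERT INTO card_txn VALUES (?,?,?,?,?)", TRANSACTIONS)
    return conn


def cards_seen_at_merchant(conn, pattern, window, card_present_only=True):
    """Cards with a transaction at the breached merchant inside the window.

    Only card-present entry modes count when the breach was of in-store
    terminals: an online order never passed through the compromised POS.
    """
    start, end = window
    sql = ("SELECT DISTINCT card_ref FROM card_txn "
           "WHERE merchant LIKE ? AND txn_date BETWEEN ? AND ?")
    params = [pattern, start.isoformat(), end.isoformat()]
    if card_present_only:
        sql += " AND entry_mode IN ('swipe', 'chip')"
    return {row[0] for row in conn.execute(sql, params)}


def classify_cards(conn, network_alert):
    """Split the portfolio into confirmed-compromised and at-risk cards."""
    seen = cards_seen_at_merchant(conn, BREACH_MERCHANT_PATTERN, BREACH_WINDOW)
    confirmed = set(network_alert)        # the network's list is authoritative
    at_risk = seen - confirmed            # our own data says exposed, no confirmation yet
    return confirmed, at_risk


def portfolio_size(conn):
    return conn.execute("SELECT COUNT(DISTINCT card_ref) FROM card_txn").fetchone()[0]


def plan_response(conn, network_alert, mass_reissue_share=0.5):
    """Decide per-card actions; escalate to a mass reissue when the affected
    share of the portfolio crosses the bank's threshold (assumed policy value)."""
    confirmed, at_risk = classify_cards(conn, network_alert)
    affected_share = (len(confirmed) + len(at_risk)) / max(portfolio_size(conn), 1)
    actions = {}
    if affected_share >= mass_reissue_share:
        for row in conn.execute("SELECT DISTINCT card_ref FROM card_txn"):
            actions[row[0]] = "reissue"
    else:
        for card in confirmed:
            actions[card] = "reissue"      # block signature use until the new card arrives
        for card in at_risk:
            actions[card] = "notify"       # customer monitors; no reissue yet
    return actions, affected_share


def apply_controls(conn, actions):
    """Record card controls: reissued cards keep PIN and lose signature; notified cards are unchanged."""
    for card, action in actions.items():
        if action == "reissue":
            conn.execute("INSERT OR REPLACE INTO card_control VALUES (?,?,?,?)",
                         (card, "reissue_pending", 0, 1))
        else:
            conn.execute("INSERT OR REPLACE INTO card_control VALUES (?,?,?,?)",
                         (card, "monitor", 1, 1))
    conn.commit()
    return {row[0]: (row[1], bool(row[2]), bool(row[3]))
            for row in conn.execute("SELECT * FROM card_control")}


if __name__ == "__main__":
    db = build_db()
    plan, share = plan_response(db, NETWORK_ALERT)
    print(f"affected share of portfolio: {share:.0%}")
    for card, action in sorted(plan.items()):
        print(card, action)
    print(apply_controls(db, plan))
```

Two details matter in practice. The network's alert list overrides the bank's own heuristic: card-0004 was only seen online, which an in-store breach would not expose, yet it is reissued because the network confirmed it. And the merchant descriptor match is a filter, not proof: a card seen at the merchant during the window is put on notice and monitored, while only confirmed cards are reissued and have signature use blocked.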

Smaller banks may also choose to have their staffs personally call some of their higher-value customers instead of emailing or using automated messages, as the $40 million-asset BOND Community Federal Credit Union in Atlanta, Ga., did. BOND staffers called hundreds of customers to let them know their cards had been compromised and that their reissued cards would arrive in the mail within several weeks.

A larger institution may not have that capability, but it can provide additional support to customers. Bank of America now has a webpage on its site, Understanding Data Compromise, that defines breaches, how the bank is notified of compromises by the credit card companies or law enforcement agencies, what customers can expect when a compromise occurs, what Bank of America will do to monitor their accounts, and what customers should do once their cards are reissued — including alerting companies that receive recurring online payments from them that their card numbers have changed.

Paul Schaus is president of CCG Catalyst, a consulting firm providing strategic direction and focused guidance for banks. For more information, visit