I recently wrote a series of episodes in what I called a Privacy Miniseries on LinkedIn in which I shared the true story of my best friend "Michelle's" experience with her wallet being stolen and the ensuing saga that involved identity theft, fraud, and, in an interesting twist, my best friend taking an active role that led to the arrest and confession of the thief. The following is the series "Epilogue," which includes lessons learned and take-aways for businesses in dealing with such customer experiences.
While Michelle's story is compelling and of a personal nature, there are several take-aways for businesses to consider as well. The reality today is that information security and attempts to bypass that security are here to stay. Forward-thinking businesses accept this and will remain diligent in not only seeking opportunities to continually improve their data security position, but also using these situations as opportunities to further distinguish their businesses from those of their competitors.
1. Identity Theft is an Opportunity. As I have written seemingly forever, data breach in business is not a matter of IF, but WHEN. And, like the third little pig, if the company prepares well in developing and implementing a sound data governance program, it will weather the breach better than those that do not. More importantly, the business's efforts will also be rewarded with more customers staying with the business when the storm passes.
Supporting your customers through identity theft, even an event that had nothing to do with your business, is yet another opportunity to deepen the business relationship with your customer and develop customer loyalty. As Michelle described, identity theft is very much a traumatic experience and can be isolating. Victims are looking for help wherever they can find it to help minimize the negative effects of actions taken by a faceless foe. They have enough to deal with without fighting with a company over bad charges or other business practices that, in the big picture, serve only to further alienate customers.
• Outliers. Develop sound data governance practices that help you establish what is "normal" in your business operations. Doing so will enable you to detect and report abnormalities or deviations in any system activity and transactions. Perhaps it is detecting multiple attempts to log into an account, high volumes of data moving out of your network at one time, or maybe flagging purchases that lie outside the normal spectrum for a particular customer (as was the case for Michelle and Khaki's). Whether the controls are technical in nature (flags in your CRM system) or procedural (training employees to review activity logs for such outliers), you can proactively monitor for behavior that might indicate fraudulent activity. Customers appreciate it when they get an unsolicited "heads up" or inquiry into charges or activity on their accounts. Banks and credit card companies have done this for years. These businesses do not have a patent on this customer- and security-focused practice.
• Take it personally. When your customer comes to you reporting concerns with ID theft or other security issues involving their data, take those concerns seriously and have a solid policy and procedure to assist them in minimizing any risks within your control. Who knows? Their concerns might be shared by ALL your customers, and may be the first sign of a breach of YOUR system. (Remember, most breaches are not discovered by the company itself.)
As we discussed with Michelle, no one will take your privacy as seriously as you do. While a business can never take a customer's privacy or security as personally or intimately as the consumer herself, it can respond with the same level of urgency. In doing so, a business gains loyalty from a customer who is scared and dealing with so many more problems than one charge at their store, and possibly a heads up to bigger problems within their systems.
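The "Outliers" point above, flagging purchases outside a particular customer's normal range, can be sketched as a per-customer baseline check. This is an added example, not part of the original post: the customer IDs, amounts, minimum-history rule and spread floor are constructed assumptions, and the scoring is the standard modified z-score (median and median absolute deviation), chosen because one earlier large purchase does not distort it.

```python
from statistics import median

MIN_HISTORY = 5   # assumption: fewer past purchases than this is not a baseline
THRESHOLD = 3.5   # usual cut-off for the modified z-score

def modified_z(amount, history):
    """How far `amount` sits above this customer's own typical purchase."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    # Assumption: floor the spread at 5% of the median (and one cent) so a
    # customer who always pays the same price is not flagged for small change.
    spread = max(mad, 0.05 * med, 0.01)
    return 0.6745 * (amount - med) / spread

def flag_purchases(history_by_customer, new_purchases):
    """Return (customer, amount, reason) tuples that merit a courtesy check."""
    flagged = []
    for customer, amount in new_purchases:
        history = history_by_customer.get(customer, [])
        if len(history) < MIN_HISTORY:
            # Do not silently treat an unknown customer as "normal".
            flagged.append((customer, amount, "insufficient history"))
        elif modified_z(amount, history) > THRESHOLD:
            flagged.append((customer, amount, "above normal range"))
    return flagged

# Constructed sample data: past purchase amounts per customer.
HISTORY = {
    "cust-001": [42.10, 38.75, 55.00, 47.20, 40.00, 51.30, 44.90],
    "cust-002": [12.00, 15.50],
}
# Constructed new transactions to score.
NEW = [("cust-001", 49.99), ("cust-001", 612.00), ("cust-002", 20.00)]

if __name__ == "__main__":
    for customer, amount, reason in flag_purchases(HISTORY, NEW):
        print(f"{customer}: {amount:.2f} flagged ({reason})")
```

A flag here is a prompt for the "heads up" call or message described above, not an automatic decline.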
2. Chips! No one can use just one. October 1 is the "EMV Deadline" for card issuers and vendors to support chip technology over the outdated and less secure magnetic stripes. Make sure your business understands its obligations under the Payment Card Industry's Data Security Standards (PCI-DSS) and any agreements with card issuers.
3. Trust, but Verify. Train your employees to actually look at the back of credit and debit cards to make sure they are signed and the signatures match the signature of the individual presenting the card. If the card has no signature or reads "SEE ID" in the signature block, then train your employees to verify the individual's form of identification matches the name on the card and the picture of the individual presenting the card. This is a low-tech (and inexpensive) way to stop fraud in its tracks and prevent your business from losing money when those charges are reversed.
4. Train your employees to be antisocial. In line with the points made above, train your employees to protect against social engineering attempts to access people's accounts fraudulently. This is still the most common way identity thieves and criminals gain access to accounts: they take a little information, such as an address or date of birth, and parlay it into a story that convinces a customer service representative not only to grant access to an account, but also to change the credentials for future access. Never heard of this? This famous hack will give you the idea.
It's a tough time to be in business. The climate in the era of data breach can seem unfair, overwhelming and relentless when it comes to security. Businesses today must not only protect their own information against theft and misuse from attacks inside and outside their company, they must also strive not to be part of the problem by facilitating identity theft or fraud through bad business practices or a lack of data governance.
But, as with any problem, there is also an opportunity. Businesses can use such unfortunate events as a data breach or their customers' reporting of identity theft as a chance to distinguish themselves from their competitors by shining when the storm comes to their door. Companies can do this by responding to a data breach quickly and effectively because they have done their due diligence and invested in sound data governance practices. Or, companies can do so by efficiently and quickly assisting their customers as they struggle to mitigate the harms of identity theft and fraud. Both are good for business.