Incident Response: How BB&T Handles Client Notification After a Breach

Interview With Dick Langford, VP, BB&T

By , April 6, 2009.

What happens after a major security breach? How do banking institutions go about notifying their customers - whose responsibility is it?

At BB&T in Winston-Salem, NC, the role is filled by Dick Langford, Vice President and Manager, Information Security Compliance Management. In an exclusive interview, Langford discusses:

How BB&T approaches client notification;
Lessons learned from security breach response;
The different ways the bank approaches customer awareness to meet all customers' needs.

Langford has 19 years experience in information protection in the financial sector. Previously with the Federal Reserve Bank of Kansas City, he has managed elements of BB&T's information protection program since 1998. His current responsibility is directing a network of over 100 Information Security Compliance Managers representing each line of business, subsidiary, and affiliate company in BB&T Corporation, thereby ensuring compliance with federal and state information protection legislation and regulations.

BB&T Corporation, headquartered in Winston-Salem, N.C., is among the nation's top financial holding companies with $152 billion in assets. Its bank subsidiaries operate approximately 1,500 financial centers in the Carolinas, Virginia, West Virginia, Kentucky, Georgia, Maryland, Tennessee, Florida, Alabama, Indiana and Washington, D.C.

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is information security compliance, and we are speaking with Dick Langford, Vice President at BB&T. Dick, thanks so much for joining me today.

DICK LANGFORD: It is my pleasure, Tom.

FIELD: For our listeners that might not be familiar with BB&T, why don't you tell us a little bit about the institution and then about yourself and your role and your day-to-day responsibilities.

LANGFORD: Certainly. BB&T stands for Branch Bank & Trust Company. We are a regional bank holding company on the East Coast. We have approximately 1,500 bank operation branches located from D.C. down to Florida. We are about a $140 billion dollar organization with about 28,000 employees.

My role with the company is to assist the Chief Information Security Officer in ensuring that the organization is aware of and compliant with legislative and regulatory requirements around information protection, and I am able to achieve this with two basic tools.

I manage the awareness and education program, which communicates out to the organization and their responsibilities in this regard. And then I also have a network of information security compliance managers that are located in each one of our lines of business, subsidiary or affiliate companies, that have a dotted line relationship back to me, and those folks help us to ensure consistent implementation of our programs across the enterprise.

And then lastly I manage and direct a group that is called the Client Information Compromise Response Team, which is a virtual team of corporate representatives that respond to any event that involves the unauthorized disclosure of client non-public information. This is the team that directs the client notification aspects that are required by law.

FIELD: Now that one really fascinates me there, client notification. It is something that certainly everybody is talking about now in the wake of the Heartland Payment Systems breach. What happens at BB&T in the event of an incident such as the Heartland breach?

LANGFORD: Well, the Heartland, of course, was a breach at an external company, which impacts a lot of different banks that issue cards to clients and their consumers. We work with the card companies to identify the clients who may be at risk due to an external breach like the Heartland, and then we may institute closer monitoring of those card accounts or we may even cancel and reissue cards depending on the circumstances surrounding the event.

If the unauthorized disclosure is an internal event, then we work directly with our own internal teams to identify the cause, identify the clients that might be impacted, and then ensure that we respond in compliance with the legal and regulatory requirements.

FIELD: So unfortunately, Dick, these are not just plans, but these are things that institutions such as yours have had to implement. What types of lessons have you learned from response to these incidents?
