What happens after a major security breach? How do banking institutions go about notifying their customers - whose responsibility is it?
At BB&T in Winston-Salem, NC, the role is filled by Dick Langford, Vice President and Manager, Information Security Compliance Management. In an exclusive interview, Langford discusses:
Langford has 19 years' experience in information protection in the financial sector. Previously with the Federal Reserve Bank of Kansas City, he has managed elements of BB&T's information protection program since 1998. His current responsibility is directing a network of over 100 Information Security Compliance Managers representing each line of business, subsidiary, and affiliate company in BB&T Corporation, thereby ensuring compliance with federal and state information protection legislation and regulations.
BB&T Corporation, headquartered in Winston-Salem, N.C., is among the nation's top financial holding companies with $152 billion in assets. Its bank subsidiaries operate approximately 1,500 financial centers in the Carolinas, Virginia, West Virginia, Kentucky, Georgia, Maryland, Tennessee, Florida, Alabama, Indiana and Washington, D.C.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is information security compliance, and we are speaking with Dick Langford, Vice President at BB&T. Dick, thanks so much for joining me today.
DICK LANGFORD: It is my pleasure, Tom.
FIELD: For our listeners that might not be familiar with BB&T, why don't you tell us a little bit about the institution and then about yourself and your role and your day-to-day responsibilities.
LANGFORD: Certainly. BB&T stands for Branch Bank & Trust Company. We are a regional bank holding company on the East Coast. We have approximately 1,500 bank operation branches located from D.C. down to Florida. We are about a $140 billion dollar organization with about 28,000 employees.
My role with the company is to assist the Chief Information Security Officer in ensuring that the organization is aware of and compliant with legislative and regulatory requirements around information protection, and I am able to achieve this with two basic tools.
I manage the awareness and education program, which communicates out to the organization and their responsibilities in this regard. And then I also have a network of information security compliance managers that are located in each one of our lines of business, subsidiary or affiliate companies, that have a dotted line relationship back to me, and those folks help us to ensure consistent implementation of our programs across the enterprise.
And then lastly I manage and direct a group that is called the Client Information Compromise Response Team, which is a virtual team of corporate representatives that respond to any event that involves the unauthorized disclosure of client non-public information. This is the team that directs the client notification aspects that are required by law.
FIELD: Now that one really fascinates me there, client notification. It is something that certainly everybody is talking about now in the wake of the Heartland Payment Systems breach. What happens at BB&T in the event of an incident such as the Heartland breach?
LANGFORD: Well, the Heartland, of course, was a breach at an external company, which impacts a lot of different banks that issue cards to clients and their consumers. We work with the card companies to identify the clients who may be at risk due to an external breach like the Heartland, and then we may institute closer monitoring of those card accounts or we may even cancel and reissue cards depending on the circumstances surrounding the event.
If the unauthorized disclosure is an internal event, then we work directly with our own internal teams to identify the cause, identify the clients that might be impacted, and then ensure that we respond in compliance with the legal and regulatory requirements.
FIELD: So unfortunately, Dick, these are not just plans, but these are things that institutions such as yours have had to implement. What types of lessons have you learned from response to these incidents?