Incident Response: How BB&T Handles Client Notification

What happens after a major security breach? How do banking institutions go about notifying their customers - whose responsibility is it?

At BB&T in Winston-Salem, NC, the role is filled by Dick Langford, Vice President and Manager, Information Security Compliance Management. In an exclusive interview, Langford discusses:

How BB&T approaches client notification;
Lessons learned from security breach response;
The different ways the bank approaches customer awareness to meet all customers' needs.

Langford has 19 years experience in information protection in the financial sector. Previously with the Federal Reserve Bank of Kansas City, he has managed elements of BB&T's information protection program since 1998. His current responsibility is directing a network of over 100 Information Security Compliance Managers representing each line of business, subsidiary, and affiliate company in BB&T Corporation, thereby ensuring compliance with federal and state information protection legislation and regulations.

BB&T Corporation, headquartered in Winston-Salem, N.C., is among the nation's top financial holding companies with $152 billion in assets. Its bank subsidiaries operate approximately 1,500 financial centers in the Carolinas, Virginia, West Virginia, Kentucky, Georgia, Maryland, Tennessee, Florida, Alabama, Indiana and Washington, D.C.

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is information security compliance, and we are speaking with Dick Langford, Vice President at BB&T. Dick, thanks so much for joining me today.

DICK LANGFORD: It is my pleasure, Tom.

FIELD: For our listeners that might not be familiar with BB&T, why don't you tell us a little bit about the institution and then about yourself and your role and your day-to-day responsibilities.

LANGFORD: Certainly. BB&T stands for Branch Bank & Trust Company. We are a regional bank holding company on the East Coast. We have approximately 1,500 bank operation branches located from D.C. down to Florida. We are about a $140 billion dollar organization with about 28,000 employees.

My role with the company is to assist the Chief Information Security Officer in ensuring that the organization is aware of and compliant with legislative and regulatory requirements around information protection, and I am able to achieve this with two basic tools.

I manage the awareness and education program, which communicates out to the organization and their responsibilities in this regard. And then I also have a network of information security compliance managers that are located in each one of our lines of business, subsidiary or affiliate companies, that have a dotted line relationship back to me, and those folks help us to ensure consistent implementation of our programs across the enterprise.

And then lastly I manage and direct a group that is called the Client Information Compromise Response Team, which is a virtual team of corporate representatives that respond to any event that involves the unauthorized disclosure of client non-public information. This is the team that directs the client notification aspects that are required by law.

FIELD: Now that one really fascinates me there, client notification. It is something that certainly everybody is talking about now in the wake of the Heartland Payment Systems breach. What happens at BB&T in the event of an incident such as the Heartland breach?

LANGFORD: Well, the Heartland, of course, was a breach at an external company, which impacts a lot of different banks that issue cards to clients and their consumers. We work with the card companies to identify the clients who may be at risk due to an external breach like the Heartland, and then we may institute closer monitoring of those card accounts or we may even cancel and reissue cards depending on the circumstances surrounding the event.

If the unauthorized disclosure is an internal event, then we work directly with our own internal teams to identify the cause, identify the clients that might be impacted, and then ensure that we respond in compliance with the legal and regulatory requirements.

FIELD: So unfortunately, Dick, these are not just plans, but these are things that institutions such as yours have had to implement. What types of lessons have you learned from response to these incidents?

LANGFORD: Well, I would say the most fundamental lesson is that you can never overestimate the value of a client's information, especially from the perspective of the client. You know clients are more sensitized to the risk of identity theft than ever before. The national news stories that raise this awareness continue to escalate concerns and fears amongst clients in that regard, so you have to respect their right that you would protect their information.

Another lesson is that you just can't communicate quickly enough about an event to the client, because it can take up to a week or longer to fully analyze an event to identify the individuals who should be contacted, etcetera. No matter how quickly you notify clients of an event that has involved their information, there are always some that want to know why you didn't notify them sooner. So it is really imperative that you have a defined process, and that you have team members with authority who can accelerate that client notification process.

FIELD: Now customer awareness, as you know, is a huge priority with banking regulators these days, and it sounds like you are ahead of the game in a lot of ways. In your estimation, Dick, what are you doing well in terms of customer awareness and where would you like to improve?

LANGFORD: Well, over the years we have made our clients more and more aware of what we are doing to try and protect their information and then more importantly perhaps is what they can do to protect themselves.

Our primary method of communicating to our clients about this is through our website, www.bbt.com, where we have privacy and security pages and information directed toward that audience. That of course is impacting those people that are online, primarily our online banking clients.

You have another constituency that perhaps isn't as active online, so we have to look at more traditional methods of getting the word out to them, everything from a statement stuffer to brochures in our branches, etcetera. So I think the more that you can communicate to your clients in that regard, the better off you are going to be.

And of course, we have a very strong internal communication and education effort to make sure that our employees can answer client concerns and questions about it as well.

FIELD: Well, that's good because your employees, as you know, become ambassadors to the clients, and they are interfacing with them consistently throughout the day.

LANGFORD: Absolutely.

FIELD: Now do you find yourself also going into some of the newer technologies, mobile devices and such, to reach even some of those younger customers that are even more tech savvy than the ones that have been online consistently?

LANGFORD: Well, I think you do have to look at your client base and make your message available appropriately to the demographics of that particular grouping, but you also have to be very cautious in reaching out to clients in that the methods that you use cannot confuse the client, especially when you have phishing.

For instance, we do not directly contact our clients with email messages about the protection of their information simply because there is so much phishing against bank brands going on constantly. So you just have to be very cautious to make sure that the way that you approach your clients cannot be confused for phishing or other fraudulent activity that might be directed toward them.

FIELD: You make a good point there that the issue of phishing certainly hasn't gone away, and it has gotten stronger.

Dick, sort of stepping back in the bigger picture of your role in terms of information security compliance, what are the biggest regulatory compliance concerns right now for you at BB&T?

LANGFORD: I think the number one concern that I would relate today would be the number of state laws that are continuing to come forth on a regular basis. The count is hard to keep up with, but it is somewhere over 40 different states at this point, I believe, that have information protection laws on the books, and many of them have unique requirements. So keeping track of whatever your client base is and then what the individual requirements for those states are can be a very daunting task. You know, it is becoming much more difficult and costly to maintain compliance with all of these state laws that are popping up.

FIELD: Well, it keeps you busy I'm sure, Dick, but it sounds like in a lot of ways BB&T is ahead of the curve in terms of customer awareness certainly, and client notification. So I appreciate you taking some time today to share your insights and experiences with us.

LANGFORD: I'm glad to do so. I've been here working with BB&T for about 10 years to develop the program, and while we do believe that we are ahead of the curve in many aspects of the program, there is a lot of work yet to be done and the clients, of course, are always our ultimate concern.

FIELD: Well, better to start from a position of strength than not, Dick, so thank you so much.

LANGFORD: Tom, it has been a pleasure.

FIELD: We've been talking with Dick Langford with BB&T. For Information Security Media Group, I'm Tom Field. Thank you very much.
