Heartland Data Breach: Doug Johnson, American Bankers Association
In an exclusive interview, Doug Johnson of the American Bankers Association discusses:
Johnson serves as Senior Policy Analyst for the American Bankers Association, where his public policy responsibilities include payments system technology and the relationship between technology, privacy, and security. He also advises the ABA and its members on a variety of other matters, including social security reform, real estate brokerage, mortgage finance, and public funds. He was responsible for the ABA's recent release of a series of tools to assess information technology risk and safeguard customer information in financial institutions. He is on the advisory board of the Financial Services Information Sharing and Analysis Center and serves on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues.
Prior to joining the American Bankers Association, Johnson spent 10 years as Assistant Director of the Florida Division of Banking, where he oversaw the supervision and regulation of Florida's domestic and international banking industry. During that time, he served as an advisor to the U.S. Congressional Office of Technology Assessment, assisting in their study of the use of information technologies for the control of money laundering.
Johnson also spent time in Miami as a planning analyst for Royal Trust Bank Group, and as a bank consultant for First Research Corporation. He has a Bachelor's in Economics from the University of Florida and a Master's in Finance from Florida State University.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic is the Heartland Payment Systems Data Breach. We are talking with Doug Johnson, Vice President of Risk Management Policy with the American Bankers Association. Doug, thanks so much for joining me today.
DOUG JOHNSON: Fine, Tom. Thank you very much for having me.
FIELD: Doug, what can you tell us about the Heartland Breach and the message that you are giving to your member institutions now?
JOHNSON: Well, Tom, of course as anyone that has been following the media on this knows, the breach has demonstrated itself to be fairly wide-ranging in terms of the number of institutions impacted, particularly if they have been following your reporting of it. I must say that you guys have been doing a good job of trying to keep track of who has been announcing what associated with the breach.
So because of the community banking concerns that have been expressed, Visa and MasterCard obviously do have their own processes whereby they communicate with the issuers of their respective cards, but it was clear that the community bankers were looking for another avenue to talk to the card networks as well. So over the last couple of days we have held a call with MasterCard and a call with Visa for our members and given our members another opportunity to ask questions of the two networks in terms of what the networks can tell them about the breach and what the reimbursement of costs process looks like, the reimbursement for fraud losses looks like in the respective networks. So I think we have been able to provide that avenue to give our members a little bit better clarity in terms of what some of those processes look like.
FIELD: Doug, for members that haven't been able to have been a part of this call or maybe are just finding out now that their consumers have been affected, what sort of advice can you give them? If you are just finding out now that your card members have been affected by this breach, what should you be doing?
JOHNSON: Well, Visa and MasterCard both have for their issuers very good password-protected websites associated with the breaches. And by very good I mean that they have the information on the sites associated with some potential scripts that they can use with their customers.
The alert itself, I believe, should give them some information in terms of where else to go for additional information if they have just received an alert from either one of the networks, and so that is another avenue as well obviously. And I would certainly and strongly suggest contacting Visa and MasterCard directly if you do have any questions.
FIELD: Now what sense do you get of sort of the consistent message, if there is one, that the banking institutions are sending to their customers who certainly are going to have interest in this?
JOHNSON: Well, the most important message that banks can send their customers is the fact that any customer is completely protected, 100% protected, against any fraud that may occur against their account. And so that is the strongest message that any financial institution can send, is that we as financial institutions have their back, and we will protect them from the fraud.
FIELD: And how about for banking institutions themselves? Again, here is a breach that didn't happen to a banking institution; what could the banks and the credit unions be doing to protect themselves and their members?
JOHNSON: Well, I think that obviously every breach we have we learn new lessons in terms of how we can better protect ourselves as institutions and have the networks provide us with information associated with what they know about the breach. And I think that that is the system that we see continually improving, but needs to have even greater levels of improvement because we can always learn and we can always do better in terms of ensuring that institutions have accurate and timely information associated with any accounts which may have not necessarily been compromised but may be vulnerable because some data was found in some capacity to be vulnerable.
FIELD: So Doug, a final question for you: for institutions out there, what can they turn to the ABA for assistance with?
JOHNSON: Well, we have a data security site on www.aba.com, and I certainly would invite any institutions that are ABA members to look at the variety of materials that we have there. We do have some breach scripts for institutions to the extent that they have experienced a compromise and they need to communicate with their customers.
And I certainly also invite them to call either myself at the ABA. I take those calls on pretty much a daily basis in terms of institutions looking for any guidance in terms of how to deal with breaches because I think that while every institution has to make their own decision as to how to handle the breach, we actually, I think, act best as a sounding board, where we have talked to the variety of these institutions so we can ask the right questions of the institutions so the institution can think through it themselves in terms of how they want to react.
FIELD: Doug, that is very helpful. Again, I thank you for your time and for your insight today.
JOHNSON: Sure, Tom. Glad to do it.
FIELD: We have been talking with Doug Johnson of the American Bankers Association. For Information Security Media Group, I'm Tom Field. Thank you very much.