Data Heist: How Financial Institutions Cleaned up the Target Data Breach Mess.

• Author: Sutherland, Spencer
• Position: Lessons Learned

Ah, the holiday season. What is supposed to be the best time of the year for consumer sales turned into a nightmare for one of the country's largest retailers. Between November and December 2013, hackers accessed debit card data and personal details--names, addresses and phone numbers--of an estimated 110 million Target customers.

The data breach resulted in a huge hit to Target's bottom line, costing the company $61 million in the fourth quarter alone and a 46 percent year-over-year decline in net income. It has also left millions of consumers across the country worrying about fraudulent purchases, identity theft and the overall safety of shopping with credit cards.

While holes in Target's security measures are to blame for the breach, it's the card-issuers--including local banks and credit unions--who have had to deal with the consequences. In choosing how to respond to the breach, Utah financial institutions had a number of options, from blocking all clients' cards immediately, to waiting for more information, to doing nothing at all.

Here's how two Utah lenders tackled the problem and what they learned from the experience.

Communication is Key

"There's an old adage that when people are fearful or threatened, you can't communicate enough," says Richard Beard, president and CEO of Bank of American Fork. Though banks initially didn't have much more information about the breach than the general public, Bank of American Fork knew its customers would turn to it for information and guidance. So its employees immediately started reaching out in every way they could.

"We sent emails, posted blogs and sent letters," Beard says. "We wanted to make sure there was information available that answered the question, 'What does this mean to me?'"

Within a few days of the breach being exposed, the bank had identified all of the customers who had used their card at Target during the compromised period. Employees then contacted affected members and recommended the card be blocked. New cards were reissued inside the bank or by mail.

"Frankly, it cost us money to do that," Beard admits. "But we wanted to make sure that nobody got hurt and we were willing to eat a bit of cost to do that," By early January, cards had all been reissued and the bank was able to avoid any fraud loss.

"Our view is that the reason our community banks exist is because we are very customer relations centered," Beard adds. "A lot of these people are friends and neighbors, people we...