By Tom Field
April 6, 2009
What happens after a major security breach? How do banking institutions
go about notifying their customers - whose responsibility is it?
At BB&T in Winston-Salem, NC, the role is filled by Dick Langford, Vice
President and Manager, Information Security Compliance Management. In an
exclusive interview, Langford discusses:
* How BB&T approaches client notification;
* Lessons learned from security breach response;
* The different ways the bank approaches customer awareness to meet all
Langford has 19 years experience in information protection in the
financial sector. Previously with the Federal Reserve Bank of Kansas
City, he has managed elements of BB&T's information protection program
since 1998. His current responsibility is directing a network of over
100 Information Security Compliance Managers representing each line of
business, subsidiary, and affiliate company in BB&T Corporation, thereby
ensuring compliance with federal and state information protection
legislation and regulations.
BB&T Corporation, headquartered in Winston-Salem, N.C., is among the
nation's top financial holding companies with $152 billion in assets.
Its bank subsidiaries operate approximately 1,500 financial centers in
the Carolinas, Virginia, West Virginia, Kentucky, Georgia, Maryland,
Tennessee, Florida, Alabama, Indiana and Washington, D.C.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information
Security Media Group. The topic today is information security
compliance, and we are speaking with Dick Langford, Vice President at
BB&T. Dick, thanks so much for joining me today.
DICK LANGFORD: It is my
FIELD: For our listeners that might not be familiar with BB&T, why don't
you tell us a little bit about the institution and then about yourself
and your role and your day-to-day responsibilities.
LANGFORD: Certainly. BB&T stands for Branch Bank & Trust Company. We are
a regional bank holding company on the East Coast. We have approximately
1,500 bank operation branches located from D.C. down to Florida. We are
about a $140 billion dollar organization with about 28,000 employees.
My role with the company is to assist the Chief Information Security
Officer in ensuring that the organization is aware of and compliant with
legislative and regulatory requirements around information protection,
and I am able to achieve this with two basic tools.
I manage the awareness and education program, which communicates out to
the organization and their responsibilities in this regard. And then I
also have a network of information security compliance managers that are
located in each one of our lines of business, subsidiary or affiliate
companies, that have a dotted line relationship back to me, and those
folks help us to ensure consistent implementation of our programs across
And then lastly I manage and direct a group that is called the Client
Information Compromise Response Team, which is a virtual team of
corporate representatives that respond to any event that involves the
unauthorized disclosure of client non-public information. This is the
team that directs the client notification aspects that are required by