Compliance: How Should CUs Respond to a Data Breach

With cybersecurity a top priority in 2017 for the financial services industry, CUNA’s compliance staff explored what credit unions should do in the event of a data breach at the institution or its service provider in a recent CompBlog entry.

Part 748 of NCUA’s regulations requires federally insured credit unions to develop and implement “risk-based” response programs to address “instances of unauthorized access to member information in member information systems.”

“Member information systems” consist of “all of the methods used to access, collect, store, use, transmit, protect, or dispose of member information,” including systems maintained by the credit union and/or its service providers.

When a credit union becomes aware of an incident of unauthorized access to sensitive member information in member information systems, the institution is required to conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.

Sensitive member information includes:

  • Data such as a member’s name, address, or telephone number used in conjunction with the member’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member’s account; or
  • Any combination of components of member information that would allow someone to log onto or access the member’s account, such as user name and password or password and account number.

Credit unions must have a response program that includes procedures to notify members about incidents of unauthorized access to member information systems that could result in substantial harm or inconvenience to the member.

At a minimum, a credit union’s response program should contain procedures for:

  • Assessing the nature and scope of an incident;
  • Notifying the appropriate NCUA regional director, and, in the case of federally insured state-chartered credit unions, its applicable state supervisory authority, as soon as possible;
  • Notifying appropriate law enforcement authorities, in addition to filing a timely Suspicious Activity Report in situations involving federal criminal violations requiring immediate attention;
  • Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence; and
  • Notifying members when warranted, as mentioned above.

When an incident of unauthorized access to member information involves member information systems maintained by a contracted service provider(s), it is the credit union’s responsibility to notify its members and regulator. However, a credit union may authorize or contract with its service provider to notify the credit union’s members or regulators on its behalf.

Additional details can be found at CUNA’s CompBlog.

In addition to CompBlog, CUNA’s Compliance Community contains discussion boards and a number of other resources for credit union compliance professionals around the country.

Source: CUNA News Now