Compliance requirements in responding to the Target breach

Mon, Jan 13, 2014

Washington, District Of Columbia

Obviously, data breaches such as the one that occurred at Target trigger a variety of actions by credit unions, especially closely monitoring credit and debit card usage for fraudulent transactions. The question CUNA’s compliance attorneys have been asked by credit unions is: What do federal regulations require us to do? Section 748, Appendix B’s “Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice” only expects member notification when “an incident of unauthorized access to member information involves member information systems maintained by a credit union’s service providers.” Obviously, the breach occurred in Target’s systems, not credit unions’ systems. So no member notification is required by NCUA.

Therefore, it’s a business decision of whether -- and if so, how – a credit union wants to alert members about the Target breach.  Obviously, it’s in everyone’s interest if members are encouraged to closely monitor share draft and credit card statements on an on-going basis.

Here’s a brief reminder -- it’s not like this hasn’t happened before, just not right before X-mas and at a very large, nation-wide retailer.

Section 748 of NCUA’s regulations requires federally insured credit unions to have a security program that contains a provision for responding to instances of unauthorized access to “sensitive” member information (privately insured CUs need similar programs). Appendix B to Part 748 (“Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice”) provides credit unions with direction on how to comply.  (Banks have similar requirements.)

When a credit union becomes aware of an incident of unauthorized access to sensitive member information maintained by either the credit union or its contracted third party service provider, the credit union must conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. Sensitive information includes a member’s name, address, or telephone number, in conjunction with the member’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member’s account. 

The Appendix B guidance states the credit union should have procedures in place to:

  • Assess the nature and scope of the incident, and identify what member information systems and types of member information have been accessed or misused.  CUNA’s note:  The card processors have of course provided this information to credit unions issuing their cards, and they continue their investigations.
  • Notify the appropriate regulator (the NCUA regional director or applicable state supervisory authority for state charters) as soon as possible after becoming aware of the incident.  CUNA’s note:  While we can safely assume that regulators are well aware of the general situation, each credit union is required to report the impact of the breach on its own operations.
  • Notify appropriate law enforcement authorities, and file a timely Suspicious Activity Report (SAR) in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is on-going.  CUNA’s note:  Credit unions will of course also need to report incidents of possible fraud to their insurers and VISA and MasterCard.
  • Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence.   CUNA’s very obvious note:  This will be a major on-going responsibility of credit unions for some time to come and at notable expense.
  • Notify members when warranted.  If the credit union determines that misuse of sensitive member information has occurred or is reasonably possible, it should notify the affected member(s) as soon as possible. If the credit union can determine which members’ information has been improperly accessed, it may limit notification to only those members. However, if the credit union is unable to identify which specific members’ information has been accessed, the credit union should notify all members in the group of files in question.

CUNA’s notes on the membership notification issue:  Under NCUA’s regulations, credit unions are expected to use good judgment on notifying members who will possibly be impacted – and there’s no specific federal regulatory procedure on how and when.  The Target breach has been widely reported, but not all members may have heard about it – and it’s never a bad thing to remind all members that they need to regularly and thoroughly review their credit card and share draft statements, not just for a few weeks following this latest data breach.  Moreover, most states have laws requiring that people be notified of security breaches of their personal information -- and individual states may have more specific requirements as to who, what, when and how to do the notification. 

Links to NCUA’s Section 748 regulation and Appendix B can be found in CUNA’s eGuide to Federal Laws and Regulation under our “Security Programs” topic at http://www.cuna.org/Compliance/Compliance-E-Guide/E-Guide-Entries/Security-Program-Security-Of-Member-Information/

Source: CUNA