Just recently the Framingham, Mass.-based TJX Cos. announced that a data breach disclosed in January is far more extensive than previously believed. In Delaware alone, fifteen credit unions have reported that over 12,500 members' debit and credit cards were included in the breach. It isn't known whether credit union members experienced actual fraud on their accounts, but fraud is occurring: fraudulent use of compromised cards is being reported in Florida, Louisiana, Georgia, and New Hampshire, and in Hong Kong and Sweden.
This is a real reminder that credit unions need to employ detection and response programs to protect the most valuable asset a credit union has: member information. In addition, scenarios like this one are why all federally insured credit unions are required to have such programs in order to comply with National Credit Union Administration (NCUA) Regulation 748, Appendix B.
What Are the Credit Union Requirements?
So, what is a credit union required to have in the form of an information compromise detection and response program? Appendix B of NCUA Regulation 748 sets out all of the elements that must be evident in the information compromise detection and response program a credit union has implemented. In summary, every credit union should have some form of the following documented material in order to comply with Appendix B.
• A written response policy & program
There should be a documented, risk-based policy and program that addresses how the credit union will monitor and respond to information breaches involving member information on its own systems and on the systems of third-party vendors. The written policy should address what specific elements of leaked information will justify a response, which authorities the credit union will notify in the event of an information breach, and how members will be notified.
• Notices to members & monitoring of accounts
When a credit union becomes aware of an incident, it should conduct a reasonable investigation to determine the likelihood that the information has been or will be misused. If the credit union determines that misuse has occurred or is reasonably possible, it should notify affected members as soon as possible. If the credit union deems that notifying the member is not necessary, the account should be monitored for unusual or suspicious activity. Notices should be timely, clear and conspicuous, and delivered in a manner that ensures the member is likely to receive them (i.e., in writing). Note that a general notice, such as one posted on a website or in a newsletter, is not acceptable.
• Notices to authorities, credit bureaus, & credit union staff
Depending on the occurrence, the NCUA (through a suspicious activity report), the Federal Bureau of Investigation (FBI), and the local police department should be notified, as these entities can assist the credit union with further insight and information. In addition, credit union staff should be notified of such occurrences and be on alert for any additional activity associated with the initial compromise of information.
Continued on page 13