News from the Delaware Credit Union League Winter 2006 - 2007

CUs MUST EMPLOY PROGRAMS TO PROTECT MEMBER INFORMATION


   Just recently, the Framingham, Mass.-based TJX Cos. announced that the data breach it disclosed in January is far more extensive than previously believed. In Delaware alone, fifteen credit unions have reported that over 12,500 members’ debit and credit cards were included in the breach. It isn't yet known whether Delaware credit union members have experienced actual fraud on their accounts, but fraud is occurring: fraudulent use of compromised cards is being reported in Florida, Louisiana, Georgia, and New Hampshire, as well as in Hong Kong and Sweden.

    This is a real reminder that credit unions need to employ detection and response programs to protect the most valuable asset a credit union has: member information. Scenarios like this one also illustrate why all federally insured credit unions are required to have such programs in order to comply with National Credit Union Administration (NCUA) Regulation 748, Appendix B.

What Are the Credit Union Requirements?
    So, what is a credit union required to have in the form of an information compromise detection and response program? Appendix B of NCUA Regulation 748 sets out all of the elements that must be evident in the information compromise detection and response program a credit union implements. In summary, to be compliant with Appendix B every credit union should have the following documented material in some form.

• A written response policy & program
   There should be a documented, risk-based policy and program that addresses how the credit union will monitor and respond to breaches involving member information, both on its own systems and on the systems of third-party vendors. The written policy should specify which elements of leaked information will justify a response, which authorities the credit union will notify in the event of an information breach, and how members will be notified.
• Notices to members & monitoring of accounts
   When a credit union becomes aware of an incident, it should conduct a reasonable investigation to determine the likelihood that the information has been or will be misused. If the credit union determines that misuse has occurred or is reasonably possible, it should notify the affected members as soon as possible. If the credit union deems that notifying the member is not necessary, the account should instead be monitored for unusual or suspicious activity. Notices should be timely, clear, and conspicuous, and delivered in a manner that ensures the member is likely to receive them (i.e., in writing). Note that a general notice, such as one posted on a website or in a newsletter, is not acceptable.
• Notices to authorities, credit bureaus, & credit union staff
   Depending on the nature of the incident, the NCUA (through a Suspicious Activity Report), the Federal Bureau of Investigation (FBI), and the local police department should be notified, as these entities can provide the credit union with further insight and information. In addition, credit union staff should be informed of such incidents and remain on alert for any additional activity associated with the initial compromise of information.

Continued on page 13