After several weeks of negative publicity, the NCUA last week took responsibility for a data breach. But it also plans to share the love.
While the regulator has agreed to pay the $36,000 or so it says will be needed to clean up the mess at Palm Springs Federal Credit Union ($13.1M, Palm Springs, CA), it’s also now working to create new regulations in response, rules that some say are redundant at best.
That breach occurred in October when an examiner lost a thumb drive containing member data. The agency said earlier this month it would pay for credit monitoring for the 1,580 members as well as for staff time and any legal fees.
The data was unencrypted but did not contain PINs or passwords, and no misuse of it has been reported. But because of how it happened the breach has attracted attention beyond the credit union space. (Here’s just one example.)
The story leaked out when the credit union informed its members that data had been lost during an audit. The NCUA says it’s now investigating the mishap. And, NCUA Vice Chair Rick Metsger says he has instructed his staff to write new rules protecting member data. Board Chair Debbie Matz is on board.
“That’s a very fundamental thing to do, to make sure that if the data is lost or stolen that members’ confidential information is protected,” Matz told CU Times in a Jan. 6 article.
In a Jan. 15 statement, the regulator says it takes its own responsibilities for data protection seriously and that it’s taking “appropriate action with staff involved in the incident and reinforcing training on protecting sensitive information.”
That was several days after Matz told CU Times reporter Nick Ballasy, “Believe it or not, we really don’t like putting out more regs than we need to but we’re struggling to determine if there’s another way to do this. Of course, we’re always willing to hear suggestions from the credit union community about how to proceed.”
Metsger, meanwhile, says the incident was the first of its kind in more than 28,000 examinations in the past six years and he told the trade publication’s reporter in a Dec. 18 article: “We have a lot of small credit unions and they operate with less technology than larger ones and we’ve been preaching that everyone has to take all of this seriously — NCUA as well as individual credit unions — that no matter what your size is, the protection of data is very important.”
Practice What’s Preached
Commentators, including Callahan & Associates Vice President Chris Howard, already have taken the agency to task for not practicing what it preaches in terms of data protection and taking responsibility.
The possibility of new regulations has elicited a similar response from other industry participants.
Credit union attorney Steve Van Beek, a former NAFCU vice president, says intended protections already exist, pointing to “Guidelines for Safeguarding Member Information” in Appendix A to Part 748 of NCUA regulations. Those guidelines recommend actions to manage and control risk, including “encryption of electronic member information, including while in transit.”
“Rather than a new regulation, the NCUA could simply issue a Letter to Credit Unions reminding both NCUA examiners and credit unions of the need to protect information and further outline best practices for protecting member information throughout the examination process,” Van Beek says.
Continuity EVP Pam Perdue also calls the possible new rule “overreaching.”
“The agency caused the breach, yet new regulation would penalize credit unions by imposing greater restrictions on them. This does not seem logically consistent nor aligned with stated supervisory approaches,” she says.
Perdue says her company uses the Amazon GovCloud service to secure data, and that sister agencies of the NCUA, including the FDIC, SEC, and OCC, do much the same thing.
“The NCUA should improve its internal data handling protocols versus imposing additional burden on credit unions,” she says.
NAFCU agrees. The trade group claims a recent survey of its members found that most meet and exceed NCUA rules and recommendations on data security. (Of course, that thumb drive from Palm Springs arguably didn’t.)
The trade group told the NCUA, in effect, to look in the mirror. “Rather than promulgating additional regulatory burdens on credit unions, NCUA should take a look internally at what actions the agency can take to better protect the credit unions’ data in its care,” says Director of Regulatory Affairs Alicia Nealon.
Then there’s the question of transparency, an issue that Callahan Chair Chip Filson raised in his latest blog. In that case, it’s about the NCUA refusing to release legal opinions it paid for with public funds and uses as the basis for policy decisions and proposals.
In the Palm Springs case, the breach wasn’t publicly acknowledged until it was reported in the media, a tactic that drew fire from one public relations pro (quoted in a CU Journal article) for being “tight-lipped.”
Matz, in the CU Times piece on Jan. 6, seemed to discount the breach as too small to matter and to suggest that publicizing it would call it to the attention of the wrong people. She called it “low-level” and said that “it really does encourage criminal behavior, perhaps, and there’s really not a benefit to be gained by publicizing it widely.”
But then there’s still the question of whether the NCUA examiner needed such data in the first place.
“Because this breach occurred on the NCUA side of the information sharing,” Van Beek observes, “the NCUA’s first steps should be to review its internal procedures and determine whether its examiners have a legitimate need for members’ personal information.”
That may be coming. Metsger says he’s asked that the coming new rules and guidelines not only require encryption before the data is handed over to federal or state examiners, but also that the data handed over not contain passwords, PINs, or full Social Security numbers.