CUNA Comment Letter
NCUA's Proposed Rule on Guidelines for Safeguarding Member Information (Part 748)
August 14, 2000
Ms. Becky Baker
National Credit Union Administration Board
1775 Duke Street
Alexandria, VA 22314-3428
RE: NCUA's Proposed Rule on Guidelines for Safeguarding Member Information (Part 748)
Dear Ms. Baker:
The Credit Union National Association (CUNA) appreciates the opportunity to comment on NCUA's proposed rule on Guidelines for safeguarding member information. CUNA represents more than 90 percent of our nation's 10,500 state and federal credit unions.
The proposed rule amends the National Credit Union Administration's (NCUA's) existing rules regarding security programs in federally-insured credit unions. These amendments are required under the privacy provisions of the Gramm-Leach-Bliley Act. Under the privacy rules approved by the NCUA Board on May 8, 2000, credit unions must disclose their policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information as part of the initial and annual privacy notices that are sent to members.
NCUA has requested comment on a number of questions and issues, which are listed below. CUNA's response is outlined after each question.
Should the Guidelines be extended to cover records for others besides "members," which would mirror the definition of "member" under the privacy rules approved by the NCUA Board in May to include certain nonmembers? That is, should the Guidelines address records for all consumers, the credit union's business account holders, or all of a credit union's records? Will this broader coverage change the security program that you would implement or would you use the broader coverage anyway rather than segregating "member" records for special treatment?
We believe the scope of the proposed Guidelines should not be extended beyond the proposed definition of "member." NCUA has supervisory authority in Part 747 to address the safety and soundness issues that arise from the inadequate security of credit union information.
The objectives of the Guidelines are to ensure the safety and confidentiality of member's records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to a member or present a safety and soundness risk to the credit union. Are there additional or alternative objectives that should be included?
The proposed objectives are sufficient for the security of member information.
Should the credit union board of directors designate an Information Security Officer or other individual responsible for developing and administering the security program? What "best practices" or business models would be appropriate for assignment of these tasks?
The Guidelines should not require boards of directors to designate a person responsible for developing and administering the security program. Credit unions may very well designate a security staff person, but it is not necessary to require an official designation from the credit union board. This person will, in effect, be the "Information Security Officer" and will handle the daily responsibilities for the security program.
The appropriate "best practices" or business model for implementing the information security program will depend on the credit union's size, complexity, and unique needs. In general, credit unions will need more guidance on what types of practices are considered "best practices," which are referred to here and in the question below regarding the monitoring of compliance by service providers. Although we realize that the term "best practices" is widely used, especially in the financial institutions industry, what constitutes "best practices" in the context of information security is not widely understood in the credit union movement.
The reasons for this lack of understanding may be that the issue of information security is relatively new, especially in the context of electronic information, and that the concept of information security is evolving and will change over time. Therefore, the "best practices" in this area are also relatively new and will likely change over time. We would welcome any information that NCUA can provide credit unions now and in the future that will help them understand the meaning of "best practices" in the context of information security. This would be helpful both with regard to the issue raised in this question and in the question below regarding the monitoring of compliance by service providers.
Should the Guidelines specify how often reports on the security program should be provided to the credit union's board of directors, such as monthly, quarterly, or annually? Why would such intervals be appropriate?
It is not necessary to establish the reporting frequency. Frequent and detailed reports to a volunteer board of directors could be onerous, especially for credit unions with large complex systems or numerous vendor relationships. Also, the risk factors may vary among credit unions. The information security risks for some credit unions may be quite small and a monthly reporting requirement would present an unnecessary hardship. The Guidelines should merely require that credit unions set standards as to how often management should report to their boards.
What degree of detail should be included in the Guidelines regarding the risk management program? What elements or other components should be included?
In general, guidelines for risk management programs should contain sufficient detail and maintain enough flexibility to enable credit unions to develop effective risk management programs. We believe NCUA's proposed Guidelines contain adequate detail and flexibility for this purpose. Additional details beyond what is contained in the proposed Guidelines could reduce a credit union's ability to tailor its program based on its own unique circumstances.
Should the Guidelines include specific types of security tests, such as penetration tests or intrusion protection tests? Should there be a degree of independence in connection with the testing and the review of the tests? Should the tests and review of the tests be conducted by those who are not employees or volunteers of the credit union? If the tests are conducted by employees or volunteers, what measures may be taken to assure independence?
Tests would be helpful for some credit unions. However, the usefulness of a specific security test may depend on a credit union's activities and uses of technologies, so such tests may not be appropriate for all credit unions. Also, specific tests may become obsolete as technology and business practices evolve. Instead of listing specific tests, NCUA could encourage credit unions to use assessment tests that effectively test their key controls, systems, and procedures.
Regardless of whether specific tests are included in the Guidelines, we believe it is important that credit unions know what information the examiners will be looking for when they review compliance in this area. With this information, credit unions will have a better understanding of the need for tests and the specific types of tests that would be most appropriate.
Credit unions will also need to know what the examiners will be looking for because the scope of the proposed rule is broad, as it includes both electronic and physical forms of information systems. We all recognize the need for protection of electronic information, but the scope of the protections required for physical forms of information is not as clear. There are a wide variety of protections that can apply to physical forms of information that may or may not be contemplated by the proposed rule. Some issues that have been brought to our attention are the extent that this rule may or may not require enhanced security for the tracking of mail in the credit union's office and the possible increased need to ensure the security of storage and trash facilities.
Credit unions would appreciate it if they could review any models or other information NCUA plans to use for determining which physical information safeguards are material. After review, credit unions will be better able to develop an effective security program and determine the need for tests and the specific types of tests that would be most appropriate.
Requiring independence between testing and the review of the tests would pose a cost burden on credit unions. An alternative approach could be to establish a benchmark of test results. The comparison of the benchmark with the credit union's actual results would determine the level of action that a credit union would need to take.
We believe that credit unions should be permitted to allow both employees and non-employees to perform security tests, but agree that there should be a reasonable degree of independence.
Which "best practices" would most effectively monitor compliance by service providers? Do service providers accommodate requests for specific contract provisions regarding information security? If not, how does a credit union implement an effective security program? Should the Guidelines contain specific contract provisions for service providers?
Again, credit unions are unsure of how to determine the "best practices" in this area. With that in mind, we believe credit unions should include provisions in their contracts that require service providers to maintain the security, integrity, and confidentiality of any credit union information that is shared with them. Credit unions should then be able to pursue legal remedies if a service provider fails to abide by the terms of these contractual provisions.
Most service providers already accommodate requests from credit unions to modify contracts to include provisions that protect the use of credit union information. Credit unions often enlist the services of attorneys and other contract specialists to develop contract provisions that address their specific needs, including the use of credit union information. Therefore, we believe it is not necessary for NCUA to include in the Guidelines these specific contract provisions regarding service providers. If NCUA believes that suggested language may be helpful, it should be clearly noted that the use of such language is completely optional.
The Guidelines propose a standard that requires a credit union's board of directors to oversee efforts to "develop, implement, and maintain an effective information security program." Such a standard is impractical, unnecessary, and burdensome. Although we realize the board of directors is ultimately responsible for the implementation of the credit union's policies and procedures, we are concerned that this standard may require specific duties and a level of detail that may not exist in other contexts. This could impede the board's ability to delegate certain responsibilities to the management staff.
We understand that the Gramm-Leach-Bliley Act requires comparable rules for all types of financial institutions for the safeguarding of consumer information. However, unlike these other types of institutions, credit union boards are comprised of volunteer members who do not have the time or expertise to oversee the security program to the extent described under the proposed Guidelines.
We are also concerned because this will add another layer of responsibility and possible liability for those who volunteer to serve on the board of directors. This added layer would provide another disincentive for those who would otherwise volunteer to serve on the board. With this in mind, we believe the objectives of the information security program for credit unions can be accomplished without such a high level of board involvement, and that board involvement should only be to the extent necessary to accomplish the objectives of the information security program. We do not believe this level of involvement would abrogate the board's responsibilities in these matters.
Overall, we believe the burden of the proposed rule and Guidelines would be proportionally heavier on smaller credit unions and the additional paperwork that would be required may not be necessary for smaller credit unions. A possible suggestion to avoid this result would be for examiners to tailor their approach and have different expectations when reviewing credit unions' efforts in this area.
Thank you for the opportunity to comment on NCUA's proposed rule on Guidelines for safeguarding member information. If Board members or agency staff have questions about our comments, please give me a call at 202-218-7795.
Assistant General Counsel