CUNA Comment Letter

NCUA’s Proposed Rule and Guidance on Response Programs for Unauthorized Access to Member Information

December 24, 2003

Ms. Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314-3428

Dear Ms. Baker:

The Credit Union National Association (CUNA) appreciates the opportunity to comment on NCUA’s proposed rule and guidance on response programs for unauthorized access to member information. The proposed rule will require that the credit union’s already existing security program must now address how the credit union will respond to incidents of unauthorized access to member information, and the guidance contains details of what should be included in these response programs. CUNA represents more than 90% of our nation’s nearly 10,000 state and federal credit unions. This letter reflects the views of our member credit unions and of CUNA's Consumer Protection Subcommittee, chaired by Mr. Kris Mecham, CEO of Deseret First Credit Union, Salt Lake City, Utah.

Summary of CUNA’s Position

General Comments

The proposed rule is rather brief and requires that the credit union’s already existing security program must now address how the credit union will respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member. It is the guidance that accompanies this rule that contains the details of what should be included in these response programs.

We commend NCUA for this effort in providing the substantive details of this proposal in the form of guidance for the benefit of credit unions with regard to identity theft, as opposed to imposing extensive regulatory mandates. The guidance should help credit unions in their efforts to address the increasing number of breaches of member information that has resulted in the rapid escalation of identity theft over the past several years.

We also commend NCUA for other initiatives in this area. For example, the recent NCUA technology examinations have been beneficial in providing credit unions with useful information about technology issues with regard to security.

The problem of identity theft is not just a problem caused by lack of security at financial institutions. The problem arises for a number of other reasons, such as inadvertent disclosure by the consumer, whether it is due to identity thieves pilfering through mailboxes, lack of shredding of personal information by consumers, or other similar situations. These other scenarios outside the control of the financial institution are precisely the reasons we believe it is important that significant details of the proposal remain in the form of guidance, as opposed to regulatory mandates.

Although the guidance is helpful overall, we do have suggestions for improvements to provide additional flexibility as credit unions continue to address the critical problem of identity theft.

Notice to Regulators

The proposed guidance outlines four major components that should be included in the credit union’s response program. One of the components is a suggestion that the credit union should notify NCUA or the state regulator when it becomes aware of an incident involving unauthorized access or use of member information that could result in substantial harm or inconvenience to its members.

Although we certainly agree that communication with law enforcement is very important in these situations, we question the necessity of the need to also provide notice to NCUA or the state regulator. Notification to law enforcement should be sufficient, including the filing of a Suspicious Activity Report (SAR), as required under NCUA SAR rules, which is specifically noted in the guidance.

Additional notification to the regulator is not warranted, and we do not understand the need or the use that the regulator would have with regard to the information that it received. There is the additional concern that the information may be used to the detriment of a credit union that files a significant number of these notices, such as raising an unnecessary concern about a credit union’s safety and soundness to the extent that it has a detrimental affect on a future examination and CAMEL rating.

Credit unions are also concerned that, although the information in the notices may be protected, the fact that a credit union filed notices and the number of notices filed by that credit union will be public information that can be obtained under the Freedom of Information Act. A specific concern here is that the credit union’s bonding agent will use this information to lower the credit union’s bond rating.

Therefore, from the credit union perspective, notice to NCUA or the state regulator will not affect the credit union’s efforts in working with law enforcement, and there is no indication that the regulator will be prepared to provide assistance in addressing the problems outlined in the notice. There is only the concern that providing the notices will be used to the detriment of the credit union. There is also a concern as to what should be included in these notices, as the guidance does not specify the extent and content of the information that would need to be provided.

Corrective Measures

Another component of the response program refers to corrective actions that should be taken by the credit union when there is unauthorized use or access of member information. The two corrective measures outlined in the guidance are: 1) identifying and monitoring the affected accounts; and 2) securing accounts.

We believe the provisions in the guidance with regard to monitoring accounts should be changed. The proposed guidance suggests monitoring the accounts even if misuse of the information may not occur, in which case notice to the member would not even be necessary. Many member have multiple accounts and to monitor so many accounts, especially if the exact sensitive member information that was accessed could not be affirmatively identified as belonging to a particular set of member accounts, would be extremely burdensome and would require excessive employee time and effort that may not be immediately available. This would be compounded since the guidance provides little information about what "monitoring" may entail or how long a credit union should monitor the affected accounts.

The guidance should give credit unions more flexibility to determine if account monitoring is unnecessary or not feasible. In these situations, the guidance should simply suggest that the credit union: 1) notify affected members of the security breach; and 2) provide those members with options to ensure that their accounts are secured. This could include placing special passwords on the account or changing the account number. The credit union should be allowed to develop their own internal procedures detailing the options it will provide to members in these situations, which may be in lieu of or in addition to account monitoring. The notices to members can also be used to remind members of the many options they have to verify their account activity and the need for members to monitor their own account activity.

NCUA requested comment on whether the term "securing accounts" is sufficiently clear to enable credit unions to know what is expected of them. We believe the term is sufficiently clear. Credit unions are familiar with the options available to them with regard to securing accounts and will know the best way to do so, based on the circumstances with regard to the breach of the information.

Notices to Members

Although credit unions generally support the need to provide notices to members in certain situations when sensitive member information has been compromised, there is a concern that such notices may have unattended consequences. For example, certain members who receive notices may, for whatever reason, publicize that they have received them. This may result in adverse publicity for the credit union, possibly to the extent that it may cause significant panic that could lead to a run on the credit union. Although we hope that this will never occur, we do have suggestions with regard to the member notice provisions that may help to alleviate these concerns.

The guidance contemplates that notice should be provided when there is an incident of unauthorized access to or use of member information that could result in substantial harm or inconvenience to a member. We believe there will be confusion as to how much "inconvenience" needs to be caused to the member before a notice should be issued, which may lead to notices being issued when there is only "mere" inconvenience, especially for credit unions that may choose to be especially cautious.

To alleviate this concern, and to possibly reduce unnecessary notices, we suggest that the term "inconvenience" be removed. In addition to causing confusion and additional notices, we believe that inconvenience that rises to the level of "substantial" or "serious" can certainly be considered a "substantial harm," which is already incorporated in the standard for providing member notice.

The guidance states that the notice should be provided in a "timely" manner. We believe that this should be interpreted so that credit unions can take into account certain practicalities that may lead to delay in the delivery of these notices. Perhaps this provision should be amended to suggest that the notice be provided within a reasonable time after the credit union, taking into account all circumstances, determines that a notice would be appropriate.

The guidance should recognize that in certain situations notice to members should either be delayed or not provided at all. An example would be when law enforcement may not want the notice delivered as it may alert the perpetrators that they are being investigated or because there is suspicion that the accountholder is involved in the fraud. Credit unions may also want to delay delivering notices in order to collect more information so that they can then provide better guidance to the members as to what course of action should be taken.

In the situations in which the request to delay or not deliver the notices originates from law enforcement, we also suggest that credit unions be permitted to require that such requests be clear and in writing. This should avoid possible confusion or accusations that the notice was not properly provided to the member.

The guidance suggests that credit unions should notify affected members when it becomes aware of unauthorized access to "sensitive member information." We support the flexibility as this will provide credit unions with the option as to whether to notify members about security breaches involving less "sensitive" information.

We believe the term "sensitive member information" should also specifically include the member’s date of birth, along with a personal identifier. Many credit unions commonly use this information to identify members. However, we believe the term "sensitive member information" should specifically exclude encrypted information, since information in this form is unlikely to be misused. This suggested modification should also encourage credit unions to continue efforts to encrypt sensitive information as a means to avoid the need to send notices to members.

Credit unions appreciate the examples provided in the guidance regarding situations in which notices to members should or should not be provided and the flexibility that credit unions have to determine whether notice to members is necessary. They also recognize that the examples are not inclusive, and may change over time, and that other situations will arise in the future that are not currently contemplated.

However, under the guidance, notice does not have to be given if an "appropriate investigation" concludes that misuse of the information is unlikely to occur. Credit unions would appreciate any additional examples that would help clarify the term "appropriate investigation," as well as any other additional examples that could be included in this non-inclusive list.

To help alleviate the burden with regard to the notices, we encourage NCUA to develop a sample notice that credit unions may use. Much of the content is general information, such as contact numbers and addresses for credit reporting agencies and identity theft information that is available on the Federal Trade Commission’s website. This type of general information would lend itself easily to a standardized format. NCUA should consider any credit union using the sample notice to be in compliance with these provisions of the guidance, but this should also not preclude credit unions from developing their own notices.

Service Providers

Contracts with service providers will need a clause that requires them to notify their clients when there is unauthorized access to member information. Credit unions are concerned as to how to require or enforce such a clause, other than to take their business elsewhere when the contract expires. Credit unions are optimistic, however, that vendors will be cooperative as credit unions and the general marketplace insist that such clauses be inserted, although we caution that this will take time.

Need to Delay Implementation of the Guidance

We strongly urge NCUA to allow a reasonable time period for credit unions to comply with the rule and implement the guidance. The need to modify contracts with service providers, as described above, will take time. Also, to the extent currently proposed, the need to monitor accounts will require credit unions to engage in extensive employee training and possible data processing modifications. We suggest an effective date of at least one year after the rule and guidance are issued in final form in order to provide credit unions with adequate time to fully implement their response elements into their security programs.

Thank you for the opportunity to comment on NCUA’s proposed rule and guidance on response programs for unauthorized access to member information. If Board members or agency staff have questions about our comments, please give Associate General Counsel Mary Dunn or me a call at (800) 356-9655.

Sincerely,

Jeffrey Bloch
Assistant General Counsel