CUNA Regulatory Comment Call
June 7, 2000
NCUA's Proposed Rule on Guidelines for Safeguarding Member Information
- The proposed rule amends the National Credit Union Administration's (NCUA's) existing rules regarding security programs in federally-insured credit unions. These amendments are required under the privacy provisions of the Gramm-Leach-Bliley Act (Act).
- The rule requires that a credit union's security program include features to ensure the safety and confidentiality of members' records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to a member.
- Under the privacy rules approved by the NCUA Board on May 8, 2000, credit unions must disclose their policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information as part of the initial and annual privacy notices that are sent to members.
- The rule includes an appendix containing Guidelines for safeguarding member information.
- The final version of the rule would have an effective date of November 13, 2000, although compliance will not be required until July 1, 2001.
- Comments on the proposed rule are due by August 14, 2000. Please submit your comments to CUNA by August 2, 2000.
Please feel free to fax your responses to CUNA at 202-371-8240; e-mail them to Associate General Counsel Mary Dunn at firstname.lastname@example.org or to Assistant General Counsel Jeffrey Bloch at email@example.com; or mail them to Mary or Jeff in c/o CUNA's Regulatory Advocacy Department, 805 15th Street, NW, Suite 300, Washington, DC 20005. Please contact us if you need more information. You may also contact us if you would like a copy of the proposed rule, or you may access it on the internet at the following address: http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/12cfrpart716.pdf
The privacy provisions of the Act require the NCUA and other financial institution regulators to establish appropriate standards relating to the administrative, technical, and physical safeguards for consumer records and information. The Act requires that the standards accomplish the following:
- Ensure the security and confidentiality of consumer records and information.
- Protect against any anticipated threats or hazards to the security or integrity of such records.
- Protect against unauthorized access to or use of such records that would result in substantial harm or inconvenience to any consumer.
On May 8, 2000, the NCUA Board approved the final privacy rules that are required under the Act. The rules are effective as of November 13, 2000, although compliance is optional until July 1, 2001. Under these rules, credit unions must disclose their policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information as part of the initial and annual privacy notices that are sent to members.
DESCRIPTION OF THE PROPOSED RULE AND GUIDELINES
Description of the Proposed Rule
To fulfill the requirements under the Act, the proposed rule amends NCUA's existing rules regarding the security programs in federally-insured credit unions. The rule requires that a credit union's security program include features to ensure the safety and confidentiality of members' records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to a member.
The NCUA Board may take administrative action if a credit union fails to establish an adequate security program. This may include cease and desist orders or civil money penalties.
As with the privacy rules approved on May 8, this proposed rule will also be effective on November 13, 2000, although compliance will be optional until July 1, 2001. Newly-chartered or newly-insured credit unions will need to establish their security programs within 90 days from the date of insurance.
Description of the Guidelines
The Guidelines clarify that "member" has the same meaning as defined in the privacy rules approved on May 8. As under the privacy rules, "member" includes certain nonmembers, such as nonmember joint accountholders, nonmembers establishing an account at a low-income designated credit union, and nonmembers holding an account in a state-chartered credit union under state law.
Under the Guidelines, the security program must include administrative, technical, and physical safeguards appropriate to the size and complexity of the credit union and the nature and scope of its activities.
The credit union's board of directors will approve the information security program and oversee efforts to develop, implement, and maintain an effective program. In order to implement such a program, the credit union's management should accomplish the following on a regular basis:
- Evaluate the impact of changing business relationships on the credit union's security program.
- Document compliance with these Guidelines.
- Report to the board of directors on the overall status of the security program.
To assess risk to member information, credit unions should:
- identify and assess the risks that may threaten the security of methods used to store, transmit, or protect member information;
- assess the procedures in place to control risk; and
- evaluate and adjust the risk assessment in light of changes to technology, the sensitivity of member information, and threats to information security.
Each credit union needs a comprehensive risk management plan, which should include the following:
- Written policies and procedures that control risk and achieve the objectives of the security program.
- Training so staff may respond to any unauthorized attempts to obtain information, including the reporting of such attempts to appropriate regulatory and law enforcement agencies.
- Testing of the elements of the security program to confirm that they control risk and achieve the objectives of the security program. Tests should be conducted by third parties or staff independent of those who develop or maintain the program. The tests should then be reviewed by third parties or staff independent of those who conducted the tests.
- Monitoring and adjusting of the security program based on changes in technology, the sensitivity of member information, and threats to information security.
The credit union will continue to be responsible for safeguarding member information when it gives a service provider access to that information. The credit union should monitor such outsourcing arrangements to confirm that the service provider has implemented an effective security program.
QUESTIONS TO CONSIDER REGARDING NCUA's PROPOSAL ON GUIDELINES FOR SAFEGUARDING MEMBER INFORMATION
(Most of these are issues raised by NCUA)
- Should the Guidelines be extended to cover records for others besides "members?" That is, should the Guidelines address records for all consumers, the credit union's business account holders, or all of a credit union's records? Will this broader coverage change the security program that you would implement or would you use the broader coverage anyway rather than segregating "member" records for special treatment?
- Are there additional or alternative objectives that should be included in the Guidelines? (These objectives are essentially the bullet points listed above under "Background" and also include protecting against unauthorized use of or access to member information that presents a safety and soundness risk.)
- Should the credit union board of directors designate an Information Security Officer or other individual responsible for developing and administering the security program? What "best practices" or business models would be appropriate for assignment of these tasks?
- Should the Guidelines specify how often reports on the security program should be provided to the credit union's board of directors, such as monthly, quarterly, or annually? Why would such intervals be appropriate?
- What degree of detail should be included in the Guidelines regarding the risk management program? What elements or other components should be included?
- Should the Guidelines include specific types of security tests, such as penetration tests or intrusion protection tests? Should there be a degree of independence in connection with the testing and the review of the tests? Should the tests and review of the tests be conducted by those who are not employees or volunteers of the credit union? If the tests are conducted by employees or volunteers, what measures may be taken to assure independence?
- Which "best practices" would most effectively monitor compliance by service providers? Do service providers accommodate requests for specific contract provisions regarding information security? If not, how does a credit union implement an effective security program? Should the Guidelines contain specific contract provisions for service providers?
- Are the proposed rule and the Guidelines too burdensome, especially for small credit unions? Do you have suggestions for relieving burden while at the same time ensuring the appropriate safeguards for member information?
- Other comments?
Eric Richard General Counsel (202) 508-6742 firstname.lastname@example.org
Mary Mitchell Dunn SVP & Associate General Counsel (202) 508-6736 email@example.com
Jeffrey Bloch Assistant General Counsel (202) 508-6732 firstname.lastname@example.org
Catherine Orr Senior Regulatory Counsel (202) 508-6743 email@example.com