CUNA Regulatory Comment Call
October 29, 2003
NCUA's Proposed Rule & Guidance on Response Programs for Unauthorized Access to Member Information (Applies to federally-insured credit unions)
- NCUA has issued a proposed rule and guidance to address the increasing number of breaches or attempted breaches of member information that has resulted in the rapid escalation of identity theft over the past several years.
- The proposal amends Part 748 of NCUA rules regarding security programs. The proposed rule requires that the credit union's already existing security program must now address how the credit union will respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member. The Guidance in the proposed Appendix B to Part 748 contains details of what should be included in these response programs.
- Under these response programs, the credit union should assess the situation, notify regulatory and law enforcement agencies, contain and control the situation, and take corrective measures. The Guidance also provides additional information to assist credit unions in taking these actions.
- As outlined in the Guidance, the credit union should provide the member notice when there is an incident of unauthorized access or use of member information. Specifically, the credit union should provide the notice when it becomes aware of unauthorized access to sensitive member information, unless the credit union, after an investigation, reasonably concludes that misuse of the information is unlikely to occur and takes steps to safeguard the interests of affected members, including monitoring the affected members' accounts for unusual or suspicious activity.
- The Guidance outlines the information that should be included in the notice and provides examples of situations when notice should and should not be given.
- Comments are due to NCUA by December 29, 2003. Please submit your comments to CUNA by December 19, 2003.
Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at firstname.lastname@example.org and to Assistant General Counsel Jeff Bloch at email@example.com; or mail them to Mary and Jeff in c/o CUNA's Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposal, or you may access it on the Internet at the following address: http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/Proposed12CFRPart748.pdf
The privacy provisions of the Gramm-Leach-Bliley Act of 1999 required NCUA and the other financial institution regulators to establish appropriate standards relating to the administrative, technical, and physical safeguards for consumer records and information. In early 2001, NCUA issued a rule amending Part 748 to require such safeguards as part of all federally-insured credit unions' security programs and provided guidance to assist credit unions in meeting these requirements, which was included in the rule as Appendix A to Part 748, Guidelines for Safeguarding Member Information.
To address the increasing number of breaches or attempted breaches of member information that has resulted in the rapid escalation of identity theft over the past several years, NCUA and the other financial institution regulators have now issued proposed guidance to address these problems. Specifically, NCUA has issued a proposed rule that amends Part 748 to require credit unions to include within their security programs a response program for when there is unauthorized access to member account information. The proposed rule also includes an appendix that provides guidance on such programs, titled Appendix B to Part 748, Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.
DESCRIPTION OF THE PROPOSED RULE AND GUIDANCE
The proposed rule is very brief and requires that the credit union's already existing security program must now address how the credit union will respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member. It is the Guidance in the proposed Appendix B to Part 748 that contains details of what should be included in these response programs, as outlined below:
Components of a Response Program
- Assess the situation: The credit union should assess the nature and scope of the incident and identify the member information systems and types of member information that have been accessed or misused. Member information systems include all of the methods used to access, collect, use, transmit, protect, or dispose of member information, including the systems maintained by service providers.
- Notify Regulatory and Law Enforcement Agencies: The credit union should notify NCUA or the state regulator when it becomes aware of an incident involving unauthorized access or use of member information that could result in substantial harm or inconvenience to its members. The credit union should also file a Suspicious Activity Report (SAR), as required under the SAR rules. Law enforcement, along with NCUA or the primary state regulator, should be notified immediately by telephone if the incident involves a federal criminal violation that requires immediate attention.
- Contain and Control the Situation: The credit union should take measures to prevent further unauthorized access or use of member information, while preserving records and evidence. In connection with computer intrusions, this could include:
- Shutting down applications or third party connections.
- Reconfiguring firewalls in cases of unauthorized electronic intrusions.
- Ensuring that all vulnerabilities in the computer systems have been addressed.
- Changing computer access codes.
- Modifying physical access controls.
- Placing additional controls on service providers.
- Corrective Measures: The following are examples of measures that the credit union should take after it understands the scope of the incident and has taken steps to contain and control the situation:
- Flag accounts: The credit union should immediately identify and monitor accounts whose information may have been accessed or misused. The credit union should provide staff with instructions regarding the recording and reporting of unusual activity and, if necessary, implement controls to prevent the unauthorized withdrawal or transfer of funds from member accounts.
- Secure accounts: When an account number, credit or debit card number, personal identification number (PIN), password, or other unique identifier has been accessed or misused, the account and all other accounts or services that can be accessed with the same numbers and passwords should be secured until the credit union and member agree on a course of action.
Consistent with existing guidance, a credit union's contract with a service provider should require the service provider to disclose any information to the credit union regarding any breach in security resulting from an unauthorized intrusion into the credit union's member information system maintained by the service provider. The service provider should also be required to take appropriate actions to address incidents of unauthorized access or use of the members' information that will enable the credit union to quickly implement its response program.
The credit union should provide the member notice when there is an incident of unauthorized access or use of member information. Notices may be restricted to those members whose information was accessed or misused if the credit union is able to determine from its records which members have been affected. If this cannot be determined, the credit union should notify each member in the groups most likely to have been affected by the incident, such as each member whose information is stored in the group of files in question.
The credit union should notify affected members when it becomes aware of unauthorized access to sensitive member information, unless the credit union, after an investigation, reasonably concludes that misuse of the information is unlikely to occur and takes steps to safeguard the interests of affected members, including monitoring the members' accounts for unusual or suspicious activity. Sensitive member information includes a social security number; PIN; password or account number, in conjunction with a personal identifier, such as the member's name, address, or telephone number; and any combination of member information that would allow someone to log onto or access another person's account.
Here are examples of when notice should be given, unless the credit union, after an investigation, reasonably concludes that misuse of the information is unlikely to occur and takes steps to safeguard the interests of affected members:
- An employee of the credit union obtained unauthorized access to sensitive member information.
- A cyber intruder has broken into a credit union's unencrypted database that contains sensitive member information.
- Computer equipment containing sensitive member information has been lost or stolen.
- The credit union has not properly disposed of member records containing sensitive member information.
- A third-party service provider has experienced any of the above incidents.
Here are examples of when notice would not be expected, in which misuse of the information is unlikely to occur:
- The credit union is able to retrieve sensitive member information that has been stolen and reasonably concludes, after investigation, that the retrieval occurred before the information was copied, misused, or transferred to another person who could misuse it.
- The sensitive member information may have been improperly disposed of, but the credit union can establish that the information was not retrieved or used before it was destroyed.
- A hacker accessed files containing only member names and addresses.
- A laptop computer containing sensitive member information was lost, but the data is encrypted and may only be accessed with a secure access device.
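As an added illustration (not part of the CUNA document or the NCUA Guidance), the following Python model encodes the Guidance's definition of sensitive member information and its notice trigger, then runs it over constructed incidents modelled on the examples above. The Incident fields, in particular the `encrypted`, `retrieved_before_misuse` and `safeguards_taken` flags, are assumptions of this model, not terms defined by the proposal.

```python
from dataclasses import dataclass

# Data elements named in the Guidance's definition of "sensitive member information".
SECRET_ELEMENTS = {"ssn", "pin", "password", "account_number"}
PERSONAL_IDENTIFIERS = {"name", "address", "telephone"}


@dataclass
class Incident:
    """One unauthorized-access incident as assessed by the credit union (constructed model)."""
    exposed: frozenset                     # member data elements that were accessed or misused
    enables_login: bool = False            # combination lets someone access another person's account
    encrypted: bool = False                # data encrypted and usable only with a secure access device
    retrieved_before_misuse: bool = False  # stolen or discarded data recovered before copy or use
    safeguards_taken: bool = False         # e.g. affected accounts are monitored for suspicious activity


def is_sensitive(exposed, enables_login=False):
    """SSN, PIN, password or account number together with a personal identifier,
    or any combination that allows logging on to another person's account."""
    has_secret = bool(SECRET_ELEMENTS & exposed)
    has_identifier = bool(PERSONAL_IDENTIFIERS & exposed)
    return (has_secret and has_identifier) or enables_login


def misuse_unlikely(inc):
    """The 'notice not expected' examples: encrypted device, or data recovered before misuse."""
    return inc.encrypted or inc.retrieved_before_misuse


def notice_required(inc):
    """Notify when sensitive information was accessed, unless the credit union reasonably
    concludes misuse is unlikely AND has taken steps to safeguard affected members."""
    if not is_sensitive(inc.exposed, inc.enables_login):
        return False
    return not (misuse_unlikely(inc) and inc.safeguards_taken)


# Constructed incidents mirroring the Guidance's examples.
UNENCRYPTED_DB = Incident(frozenset({"name", "ssn", "account_number"}))
NAMES_ONLY = Incident(frozenset({"name", "address"}))
ENCRYPTED_LAPTOP = Incident(frozenset({"name", "ssn"}), encrypted=True, safeguards_taken=True)
RECOVERED_RECORDS = Incident(frozenset({"name", "pin"}), retrieved_before_misuse=True, safeguards_taken=True)
CREDENTIAL_PAIR = Incident(frozenset({"username", "password"}), enables_login=True)

if __name__ == "__main__":
    for label, inc in [("unencrypted db", UNENCRYPTED_DB), ("names only", NAMES_ONLY),
                       ("encrypted laptop", ENCRYPTED_LAPTOP), ("recovered records", RECOVERED_RECORDS),
                       ("credential pair", CREDENTIAL_PAIR)]:
        print(f"{label:18} notice required: {notice_required(inc)}")
```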
The notice should be timely, clear, conspicuous, and delivered in a manner that ensures that the member is likely to receive it. This may include notice by telephone, mail, or electronic notice for members who conduct transactions electronically.
Here is the information that should be included in the notice:
- Description of the incident in general terms and the information that was the subject of unauthorized access or use.
- A telephone number that the member may call for further information and assistance.
- Reminder that the member should be vigilant over the next 12 to 24 months and promptly report incidents of suspected identity theft.
- The credit union will assist the member to correct and update information in any consumer report relating to the member.
- The member should notify each nationwide credit reporting agency (CRA) to place a fraud alert in the member's consumer report.
- The member should periodically obtain credit reports from each CRA and have the information relating to fraudulent activities deleted.
- The member has the right to obtain a free credit report if the member has reason to believe that the file at the CRA contains inaccurate information due to fraud, along with contact information regarding the CRA.
- The availability of online guidance from the Federal Trade Commission (FTC) regarding steps that can be taken to protect against identity theft, and encouragement for the member to report incidents of identity theft to the FTC. This should include the FTC's website (www.ftc.gov/idtheft), as well as the telephone number (1-877-IDTHEFT) that the member may also use.
Here is additional assistance that the credit union may choose to offer:
- Toll-free telephone number that members may call for assistance.
- Helping members in notifying CRAs of the incident and in placing a fraud alert in the members' consumer reports.
- Information about subscription services that provide notification to the member whenever there is a request for the member's credit report. The credit union may offer to provide such a subscription for a limited time, free of charge.
The credit union may also wish to include in the notice a brochure regarding steps that can be taken to protect against identity theft that has been prepared by the financial institution regulators, which can also be downloaded from the Internet (www.occ.treas.gov/idtheft.pdf, www.federalreserve.gov/consumers.htm, www.fdic.gov/consumers/consumer/news/cnsum00/idthft.html).
QUESTIONS TO CONSIDER REGARDING NCUA'S PROPOSED RULE AND GUIDANCE ON RESPONSE PROGRAMS FOR UNAUTHORIZED ACCESS TO MEMBER INFORMATION
- Should any of the components of the response program be clarified? If so, how?
- Should each component of the response program be retained? If not, which components should be deleted and why?
- Are there additional components that should be included in the response program to address incidents of unauthorized access or use of member information?
- NCUA recognizes that there is a spectrum of standards as to when notice of misuse or unauthorized access of information should be delivered to the member. On one end would be notice whenever there is the mere possibility of misuse. The other end would be notice only when the credit union knows that the information has been misused. The proposed Guidance chooses a standard in the middle of the spectrum, in which notice is provided when the credit union becomes aware of unauthorized access to sensitive member information, unless the credit union, after an investigation, reasonably concludes that misuse of the information is unlikely to occur and takes steps to safeguard the interests of affected members, including monitoring the affected members' accounts for unusual or suspicious activity. Is this the appropriate standard? If not, why is it not appropriate and what threshold should apply with regard to triggering notice?
- Sensitive member information is defined as a social security number, PIN, password, or account number in conjunction with a personal identifier. This would also include any combination of member information that would allow someone to log onto or access another person's account, such as a user name or password. Are there any other types of information that should be included in this definition, such as mother's maiden name or driver's license number?
- Please describe the potential burden of the notice provisions. For example, what burden do you anticipate when members ask questions after receiving the notice? Should NCUA consider how the burden will vary depending on the size and complexity of the credit union, and how should the Guidance change as a result?
- The Guidance describes the corrective action a credit union should take when there is an incident of unauthorized access, which includes securing accounts. Is the Guidance with regard to securing accounts sufficiently clear to enable credit unions to know what is expected of them?
- To what extent will contracts between credit unions and service providers need to be modified, if at all, to comply with the proposed rule and Guidance? How much burden, if any, will the Guidance impose on
- Besides sensitive member information, should notice be provided in other extraordinary circumstances that compel the credit union to conclude that unauthorized access to information will likely result in substantial harm or inconvenience to the member?
- The proposed Guidance includes examples of when notice should and should not be given. Should these examples be modified? Are there other examples that should be included? Please explain why these modifications or additional examples should be included.
- Other comments?
Eric Richard, General Counsel, (202) 508-6742, firstname.lastname@example.org
Mary Mitchell Dunn, SVP & Associate General Counsel, (202) 508-6736, email@example.com
Jeffrey Bloch, Assistant General Counsel, (202) 508-6732, firstname.lastname@example.org
Catherine Orr, Senior Regulatory Counsel, (202) 508-6743, email@example.com