CUNA Regulatory Comment Call

October 29, 2003

NCUA’s Proposed Rule & Guidance on Response Programs for Unauthorized Access to Member Information

(Applies to federally-insured credit unions)


Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at and to Assistant General Counsel Jeff Bloch at; or mail them to Mary and Jeff in c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposal, or you may access it on the Internet at the following address:


The privacy provisions of the Gramm-Leach-Bliley Act of 1999 required NCUA and the other financial institution regulators to establish appropriate standards relating to the administrative, technical, and physical safeguards for consumer records and information. In early 2001, NCUA issued a rule amending Part 748 to require such safeguards as part of all federally-insured credit unions’ security programs and provided guidance to assist credit unions in meeting these requirements, which were included in the rule as “Appendix A to Part 748 – Guidelines for Safeguarding Member Information.”

To address the increasing number of breaches or attempted breaches of member information, which has resulted in the rapid escalation of identity theft over the past several years, NCUA and the other financial institution regulators have now issued proposed guidance. Specifically, NCUA has issued a proposed rule that amends Part 748 to require credit unions to include within their security programs a response program for when there is unauthorized access to member account information. The proposed rule also includes an appendix that provides guidance on such programs, titled “Appendix B to Part 748 – Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.”


The proposed rule is very brief and requires that the credit union’s existing security program now address how the credit union will respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member. It is the Guidance in the proposed Appendix B to Part 748 that contains details of what should be included in these response programs, as outlined below:

Components of a Response Program

  1. Assess the situation – The credit union should assess the nature and scope of the incident and identify the member information systems and types of member information that have been accessed or misused. “Member information systems” include all of the methods used to access, collect, use, transmit, protect, or dispose of member information, including the systems maintained by service providers.

  2. Notify Regulatory and Law Enforcement Agencies – The credit union should notify NCUA or the state regulator when it becomes aware of an incident involving unauthorized access or use of member information that could result in substantial harm or inconvenience to its members. The credit union should also file a Suspicious Activity Report (SAR), as required under the SAR rules. Law enforcement, along with NCUA or the primary state regulator, should be notified immediately by telephone if the incident involves a federal criminal violation that requires immediate attention.

  3. Contain and Control the Situation – The credit union should take measures to prevent further unauthorized access or use of member information, while preserving records and evidence. In connection with computer intrusions, this could include:
    • Shutting down applications or third party connections.
    • Reconfiguring firewalls in cases of unauthorized electronic intrusions.
    • Ensuring that all vulnerabilities in the computer systems have been addressed.
    • Changing computer access codes.
    • Modifying physical access controls.
    • Placing additional controls on service providers.

  4. Corrective Measures – The following are examples of measures that the credit union should take after the credit union understands the scope of the incident and has taken steps to contain and control the situation:
    • Flag accounts – The credit union should immediately identify and monitor accounts whose information may have been accessed or misused. The credit union should provide staff with instructions regarding the recording and reporting of unusual activity and, if necessary, implement controls to prevent the unauthorized withdrawal or transfer of funds from member accounts.
    • Secure accounts – When an account number, credit or debit card number, personal identification number (PIN), password, or other unique identifier has been accessed or misused, the account and all other accounts or services that can be accessed with the same numbers and passwords should be secured until the credit union and member agree on a course of action.

Consistent with existing guidance, a credit union’s contract with a service provider should require the service provider to disclose any information to the credit union regarding any breach in security resulting from an unauthorized intrusion into the credit union’s member information system maintained by the service provider. The service provider should also be required to take appropriate actions to address incidents of unauthorized access or use of the member’s information that will enable the credit union to quickly implement its response program.

Member notice

The credit union should provide the member notice when there is an incident of unauthorized access or use of member information. Notices may be restricted to those members whose information was accessed or misused if the credit union is able to determine from its records which members have been affected. If this cannot be determined, the credit union should notify each member in the groups most likely to have been affected by the incident, such as each member whose information is stored in the group of files in question.

The credit union should notify affected members when it becomes aware of unauthorized access to “sensitive member information,” unless the credit union, after an investigation, reasonably concludes that misuse of the information is unlikely to occur and takes steps to safeguard the interests of affected members, including monitoring the members’ accounts for unusual or suspicious activity. “Sensitive member information” includes a social security number; PIN; password or account number, in conjunction with a personal identifier, such as the member’s name, address, or telephone number; and any combination of member information that would allow someone to log onto or access another person’s account.

Here are examples of when notice should be given, unless the credit union, after an investigation, reasonably concludes that misuse of the information is unlikely to occur and takes steps to safeguard the interests of affected members:

Here are examples of when notice would not be expected, in which misuse of the information is unlikely to occur:

The notice should be timely, clear, conspicuous, and delivered in a manner that ensures that the member is likely to receive it. This may include notice by telephone, mail, or electronic notice for members who conduct transactions electronically.

Here is the information that should be included in the notice:

Here is additional assistance that the credit union may choose to offer:

The credit union may also wish to include in the notice a brochure regarding steps that can be taken to protect against identity theft that has been prepared by the financial institution regulators, which can also be downloaded from the Internet (,,


Eric Richard • General Counsel • (202) 508-6742
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743