WASHINGTON (12/30/13)--Helping credit unions respond to the massive Target data breach with compliance requirements is the aim of the latest posting on the Credit Union National Association's CompBlog, the daily blog for compliance information and developments.
In a new CompBlog post, CUNA Senior Vice President for Compliance Kathy Thompson reminds that Section 748 of National Credit Union Administration regulations require federally insured credit unions to have a security program that contains a provision for responding to instances of unauthorized access to "sensitive" member information.
When sensitive information is accessed by unauthorized outsiders, credit unions must investigate to quickly determine the likelihood that the information has been or will be misused. Sensitive information includes a member's name, address, or telephone number, in conjunction with the member's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member's account, she notes.
"The Target breach is clearly an incident triggering compliance procedures," Thompson says.
NCUA guidance states that credit unions should have procedures in place to:
Many credit unions are asking whether there is required language that must be included in notifications sent to members. The answer is "no," Thompson says: There are no specific federal regulatory procedures on how and when the notification must be sent.
It is best to notify everyone who might possibly be affected as soon as possible and in a reasonably effective way.
"Yes, we know that individual members are far more likely to know if they actually bought something at Target using their debit or credit card since Black Friday, and should already be monitoring their accounts--but regulators will expect credit unions to be proactive and alert their members," she adds.
For the full blog post, use the resource link.