Responding to Data Breaches

CUs must have a response program for unauthorized access to member information.

August 1, 2011

Data breaches have dominated the headlines in recent months, forcing lawmakers to once again look for ways to require hacked companies to notify consumers when data breaches threaten their personal information. Meanwhile, credit unions and banks have been required to do so for years. It’s part of
the Gramm-Leach-Bliley Act (GLBA) security provisions.

GLBA and Part 748 of the NCUA’s regulations require federally insured credit unions to:

  • Ensure the security and confidentiality of member information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member.

Appendix B to NCUA’s Part 748 provides guidance on response programs for unauthorized access to member information.

Response program

Appendix B requires every federally insured credit union develop and implement a “risk-based” response program designed to address incidents of unauthori-
zed access to member information the credit union or its service provider(s) maintain. So, Appendix B would apply if the credit union or its service provider’s information systems were hacked into, but wouldn’t apply if a member directly disclosed his account information to a third party (e.g., fraudulent website).

When a credit union becomes aware of an incident of unauthorized access to “sensitive member information,” the credit union must conduct a reasonable investigation to promptly determine the likelihood the information has been or will be misused.

Sensitive member information includes:

  • A member’s name, address, or telephone number used in conjunction with the member’s Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member’s account.
  • Any combination of components of member information that would allow someone to log onto or access the member’s account, such as user name and password or password and account number.

The credit union’s response program also must include procedures to notify members about incidents of unauthorized access to member information systems that could result in substantial harm or inconvenience to the member. The notice is a key component of the guidance that enables the member to take steps to prevent identity theft when sensitive information has been compromised.

Components of a response program

At a minimum, a credit union’s response program should contain procedures for:

  • Assessing the nature and scope of an incident, and identifying what member information systems and types of member information have been accessed or misused;
  • Notifying the appropriate NCUA regional director or applicable state supervisory authority as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of “sensitive” member information;
  • Notifying appropriate law enforcement authorities, in addition to filing a timely Suspicious Activity Report (SAR) in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is continuing;
  • Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence; and
  • Notifying members when warranted.

It’s the credit union’s responsibility to notify its members and regulator when an incident of unauthorized access involves member information systems maintained by a service provider. The credit union may contract with its service provider to notify the credit union’s members or regulator on its behalf.

Next: Member notice

Member notice

When a credit union determines that misuse of its information about a member has occurred or is reasonably possible, it should notify the affected member(s) as soon as possible. A credit union can notify only certain members if it can determine whose data were accessed improperly. If the credit union is unable to identify whose information has been accessed, it should notify all members in the group of files in question.

The credit union may deliver the notice in “any manner designed to ensure that a member could reasonably be expected to receive it.” Therefore, the credit union may choose to contact affected members by mail, telephone, or by e-mail for those who have valid e-mail addresses and have agreed to receive communications electronically.

Member notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the credit union with a written request for the delay. But the credit union should notify its members as soon as member notification will no longer interfere with the investigation.

Content of member notice

The member notice should be given in a “clear and conspicuous” manner, explain the incident in general terms, and:

  • Describe the type of member information that was the subject of unauthorized access or use;
  • Describe generally what the credit union has done to protect the members’ information from further unauthorized access;
  • Include a telephone number that members can call for further information and assistance; and
  • bmembers of the need to remain vigilant during the next 12 to 24 months, and to promptly report to the credit union incidents of suspected identity theft.

The notice also should include the following, when appropriate:

  • A recommendation that members review account statements and immediately report any suspicious activity to the credit union;
  • A description of fraud alerts and an explanation of how members may place fraud alerts in their consumer reports to put creditors on notice that they may be fraud victims;
  • A recommendation that members periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;
  • An explanation of how members may obtain a free credit report; and
  • Information about the availability of the Federal Trade Commission’s (FTC) online guidance regarding steps consumers can take to protect against identity theft. The notice should encourage members to report any incidents of identity theft to the FTC, and should provide the FTC’s website address and toll-free number to access the identity theft guidance and report suspected incidents of identity theft.

NCUA encourages credit unions to notify nationwide consumer reporting agencies prior to sending notices that include their contact information to a large number of members.

Merchant data breaches 

We’re often asked whether credit unions need to send a member notice or notify NCUA when a merchant breach affects credit union-issued cards.

The usual scenario involves a breach of a merchant’s unsecure point-of-sale system that results in fraudulent transactions on hundreds or thousands of members’ credit/debit cards.

Part 748’s Appendix B only applies to member information systems within the control of the credit union or its service provider.

But if a substantial number of members’ card numbers are stolen via a merchant breach, the same steps outlined above will likely come into play—including letting your members and regulator know what has occurred. 

For more information on NCUA’s security regulation, visit CUNA’s e-Guide to Federal Laws and Regulations (, and select “regulations & compliance”).

VALERIE Y. MOSS is CUNA’s director of compliance information. Contact CUNA’s compliance department at