Data breaches have dominated the headlines in recent months, forcing lawmakers to once again look for ways to require hacked companies to notify consumers when data breaches threaten their personal information. Meanwhile, credit unions and banks have been required to do so for years. It’s part of the Gramm-Leach-Bliley Act (GLBA) security provisions.
GLBA and Part 748 of the NCUA’s regulations require federally insured credit unions to:
Appendix B to NCUA’s Part 748 provides guidance on response programs for unauthorized access to member information.
Appendix B requires every federally insured credit union to develop and implement a “risk-based” response program designed to address incidents of unauthorized access to member information that the credit union or its service provider(s) maintain. So, Appendix B would apply if the credit union’s or its service provider’s information systems were hacked into, but wouldn’t apply if a member directly disclosed his account information to a third party (e.g., to a fraudulent website).
When a credit union becomes aware of an incident of unauthorized access to “sensitive member information,” the credit union must conduct a reasonable investigation to promptly determine the likelihood the information has been or will be misused.
Sensitive member information includes:
The credit union’s response program also must include procedures to notify members about incidents of unauthorized access to member information systems that could result in substantial harm or inconvenience to the member. The notice is a key component of the guidance that enables the member to take steps to prevent identity theft when sensitive information has been compromised.
Components of a response program
At a minimum, a credit union’s response program should contain procedures for:
It’s the credit union’s responsibility to notify its members and regulator when an incident of unauthorized access involves member information systems maintained by a service provider. The credit union may contract with its service provider to notify the credit union’s members or regulator on its behalf.