When a credit union determines that misuse of its information about a member has occurred or is reasonably possible, it should notify the affected member(s) as soon as possible. A credit union can notify only certain members if it can determine whose data were accessed improperly. If the credit union is unable to identify whose information has been accessed, it should notify all members in the group of files in question.
The credit union may deliver the notice in “any manner designed to ensure that a member could reasonably be expected to receive it.” Therefore, the credit union may choose to contact affected members by mail, telephone, or by e-mail for those who have valid e-mail addresses and have agreed to receive communications electronically.
Member notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the credit union with a written request for the delay. But the credit union should notify its members as soon as member notification will no longer interfere with the investigation.
Content of member notice
The member notice should be given in a “clear and conspicuous” manner, explain the incident in general terms, and:
The notice also should include the following, when appropriate:
NCUA encourages credit unions to notify nationwide consumer reporting agencies prior to sending notices that include their contact information to a large number of members.
Merchant data breaches
We’re often asked whether credit unions need to send a member notice or notify NCUA when a merchant breach affects credit union-issued cards.
The usual scenario involves a breach of a merchant’s insecure point-of-sale system that results in fraudulent transactions on hundreds or thousands of members’ credit/debit cards.
Part 748’s Appendix B only applies to member information systems within the control of the credit union or its service provider.
But if a substantial number of members’ card numbers are stolen via a merchant breach, the same steps outlined above will likely come into play—including letting your members and regulator know what has occurred.
For more information on NCUA’s security regulation, visit CUNA’s e-Guide to Federal Laws and Regulations (cuna.org, and select “regulations & compliance”).
VALERIE Y. MOSS is CUNA’s director of compliance information. Contact CUNA’s compliance department at email@example.com.