ALEXANDRIA, Va. (12/18/14)--National Credit Union Administration board member J. Mark McWatters called on his agency Wednesday to "unambiguously" take responsibility for a lost flash drive of sensitive data that went missing during the federal examination of a California credit union. McWatters made the comments in an email sent to the Credit Union National Association.
The NCUA Tuesday confirmed a data breach caused by the loss of that flash drive containing member information during an examination of Palm Springs FCU.
After the NCUA released an official comment on the situation Wednesday from its executive director, Mark Treichel (see related story: NCUA issues statement on info breach involving FCU exam), McWatters contacted CUNA to make the following observations he said reflect his understanding of the facts as presented by NCUA staff.
McWatters said, "An officer of the Palm Springs Credit Union gave an NCUA examiner an unencrypted flash drive containing sensitive and confidential information. While in the possession of the NCUA examiner the flash drive went missing and has not been recovered.
"The credit union sent a letter to its members notifying them of the data breach. The letter stated that the breach was caused by 'auditors' or during an audit process. NCUA staff reviewed the letter before it was sent to the credit union members.
"NCUA should have unambiguously taken responsibility for the breach. The credit union was not at fault and the credit union's auditors were not at fault. NCUA was at fault. Any attempt to shift culpability to unnamed auditors was ill advised. NCUA performs an examination and supervision function and not an audit function.
"The resolution of this matter and the payment of any amounts in settlement of any claims to the credit union, its members or other persons should be addressed in an open and fully transparent meeting of the NCUA board.
"In my view, the NCUA (Office of Inspector General) should consider investigating this matter."
When contacted by CUNA for comment, NCUA Chief of Staff Steve Bosack offered the following information about the agency's notification process:
"NCUA follows the data breach guidance from the U.S. Office of Management and Budget (OMB). According to OMB's Recommendations for Identity Theft Related Data Breach Notification: 'Whenever possible, to avoid creating confusion and anxiety, the actual notice should come from the entity which the affected individuals are reasonably likely to perceive as the entity with which they have a relationship (i.e., their credit union).'
"'(P)ublic announcement of the breach could itself cause criminals engaged in fraud under the guise of providing legitimate assistance, to use various techniques, including email or the telephone, to deceive individuals affected by the breach in disclosing their credit card numbers, bank account information, SSNs, passwords, or other sensitive information…'
"When determining the level of risk of identity theft, 'the agency should consider not simply the data that was compromised, but all of the circumstances of the data loss, including...the means by which the loss occurred, including whether the incident might be the result of a criminal act or is likely to result in criminal activity...and the evidence that the compromised information is actually being used to commit identity theft...for example, as a general matter, the risk of identity theft is greater if the covered information was stolen by a thief who was targeting the data (such as a computer hacker) than if the information was inadvertently left unprotected in a public location, such as a briefcase in a lobby.'
"OMB's supplemental guidance to agencies, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, cites: 'Chilling Effects of Notices. A number of experts have raised concerns about unnecessary notification and the chilling effect this may have on the public. In addition, agencies should consider the costs to individuals and businesses of responding to notices where the risk of harm may be low. Agencies should exercise care to evaluate the benefit of notifying the public of low-impact incidents.'
"A lost thumb drive at a 1,600-member credit union, with no evidence of theft or misuse, would qualify as a 'low-impact incident.' In fact, this is the only incident we know of among tens of thousands of NCUA exams conducted since the OMB guidance was established in 2006."