ALEXANDRIA, Va. (12/18/14)--The National Credit Union Administration issued a statement Wednesday saying the information breach associated with the federal examination of a California credit union is an "unfortunate, but isolated, incident," resulting from a failure to follow agency policies on securing sensitive data that have been in place since 2008.
The agency will, however, reinforce training on protecting sensitive information and review data security policies and procedures.
NCUA Executive Director Mark Treichel said in the agency statement, "The security of credit union members' personally identifiable information is a top priority for NCUA. The agency takes its responsibilities in this area very seriously and expects credit unions to do likewise. NCUA is also committed to ensuring that the data shared in exams is protected at all times."
The NCUA Tuesday confirmed to News Now the loss of a thumb drive during a federal examination of $12 million-asset Palm Springs FCU. Treichel reiterated that the thumb drive did not include passwords or PINs and that the agency has received no indication of any unauthorized access to members' accounts or attempts to gain improper access.
The executive director said that since 2008 the agency's procedures require NCUA examiners "at all times to properly secure and control electronic devices containing sensitive or confidential information." He added that the agency has conducted more than 28,000 examinations since these security policies have been in effect "without encountering a notable problem."
The NCUA said it will use this event "as an opportunity to learn."
"We are reinforcing training on protecting sensitive information, we are reviewing our policies and procedures in this area, and we are moving as quickly as possible to consider and adopt additional safeguards to protect electronic data," Treichel added. Those actions include:
The NCUA requires all staff to complete annual security awareness training, which includes training on the protection of personally identifiable information. That was last done in November. Further, field staff has been reminded of their responsibilities for maintaining information security, and field directors will review certain security policies at their next group meetings.
The agency plans additional security training in 2015.