ARLINGTON, Va. (11/17/14)--While a data breach of a credit union brings with it a number of headaches for the institution and its members, proper notification can be a "legal nightmare" due to the varying laws around the country. Several legal experts spoke on the topic at the Credit Union Cybersecurity Symposium in Arlington, Va., last week.
A data breach is generally defined in the legal community as "the unauthorized acquisition of personally identifiable information that compromises the security, confidentiality or integrity of personal information or processes managing personal information," a definition built from the most common language used by states.
"The notification requirements are the fundamental difference between a breach and an incident," said Ian Harper, a cybersecurity professional and former chief information officer at a credit union. "When we talk about a breach, what we talk about is an event that requires you to notify the individual whose private information has been compromised about the fact that their information has been not necessarily made public, but you've lost control of it."
The National Credit Union Administration's position on member notification is "if a credit union determines that misuse of its information about a member has occurred or is reasonably possible, it should notify the affected member as soon as possible."
The NCUA defines sensitive member information as "a member's name, address or telephone number, in conjunction with the member's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member's account."
Forty-seven states, as well as the District of Columbia, Puerto Rico, Guam and the Virgin Islands, have breach notification laws, with Alabama, New Mexico and South Dakota being the exceptions.
Among those jurisdictions, 24 have standard definitions of private information, 27 have additional definitions of private information to consider, 41 allow for a risk analysis before notification is required, 22 require notification of the state's attorney general, seven require notification within a set timeframe, and each state specifies different information that must appear in a notification letter.
Randy Gainer, an attorney who represents victims of data breaches, estimated that credit unions that have been breached should be prepared to pay for notification costs (which average $2.3 million per breach), credit monitoring costs (which average $5.5 million per breach), regulatory fines and more.
According to Harper, a financial institution's vulnerability to legal action opens as soon as members are notified.
"If you have to publicly announce or provide notification to an individual, expect a class action lawsuit, at least one," Harper said. "That's pretty much standard fare with a data breach."
The inaugural Credit Union Cybersecurity Symposium was hosted by the National Association of State Credit Union Supervisors, in partnership with the Credit Union National Association.