Compliance Blog

Feb 10, 2009

Notification?; NCUA Closed Board Meeting

Posted by Anthony Demangone

This Heartland situation is a real pain.  And it just seems to be getting larger and larger.  Many credit unions are learning that sensitive member information has been compromised due to the Heartland breach.  But that leads to another question.

Do we have to notify the member or NCUA?

Here's my initial thought.  NCUA?  Assuming that Heartland is not your vendor, nope.  Member?  That's not as clear.

Here's where I am coming from.  NCUA's security regulation (Part 748) does require you to notify NCUA and possibly notify your members when there is unauthorized access to sensitive member information under your control.  This would include information maintained by service providers on your behalf.

The Heartland situation is a breach.  Sure.  But not one involving information under your control.  Or on your behalf.  For that reason, the situation falls outside of Part 748 and the notification requirements.

NCUA.  Now, just because you don't have to notify NCUA doesn't mean they won't find out.  Examiners have the right to access whatever they want.  So if they ask, you pretty much need to tell them.  But I'll leave that up to you.

Members.  Now, just because you don't have to notify members via Appendix B (the response program), don't forget that the security regulation has Appendix A.  Appendix A requires credit unions to implement reasonable controls to mitigate known risks to sensitive member information.  So, it might make sense for you to mitigate risks by alerting members to this situation.  At the end of the day, though, it seems to be a business decision.

Oh, and don't forget your reputation.   If I were a member affected by this, I'd want to know sooner, rather than later.  But that's just me.

We're producing a Q and A on this subject for the next newsletter.  Members - if you want a copy of it now, just email me.

Note: This analysis assumes that Heartland is not your vendor.  If they are your vendor and handle information on your behalf, then Part 748 and both appendixes do apply.  Then NCUA and member notices come right back on the table for your consideration.

***

NCUA announced that it will hold a closed board meeting today.  Here's the agenda.  The agenda notes that the board will consider an action under Part 207 of the Federal Credit Union Act.  That section deals with insurance, conservatorships, and liquidations.

Stay tuned.