Preparing for a Data Breach: Cybersecurity Factors Credit Unions Should Consider; CFPB's Updates to eRegulations
Written by Shereefat Balogun, Regulatory Compliance Counsel
Cybersecurity has been top of mind for many credit unions. Just about every other day, we hear about another high-profile data breach, as seen here, here, and here. The growing number of these attacks, and the evolving sophistication of the hackers behind them, pose heightened concerns for many entities, including litigation risk, compliance risk, and reputational risk. Below is a checklist of things to consider that may assist in mitigating the impact of a potential data breach.
- Complete an inventory of the applicable international, federal, and state laws. It is important to be aware of the various privacy and consumer protection laws that apply to the credit union's business, and which may impose certain standards and obligations on the collection and protection of personally identifiable information (PII). Familiarity with, and compliance with, the applicable laws should be assessed, including the following federal laws:
- Gramm-Leach-Bliley Act (GLBA): The GLBA requires credit unions to explain to their members the type of nonpublic personal information they collect and disclose to third parties; inform their members of their right to opt-out if they do not want their information shared with non-affiliated third parties; and protect the confidentiality and security of their members' personal information. These provisions are implemented by Regulation P.
- Children's Online Privacy Protection Act (COPPA): COPPA applies to: (i) operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and (ii) operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Credit unions may unintentionally collect such information through standard website tracking methods like cookies, apps, or similar internet technologies that often gather nonpublic personal information. Entities covered by COPPA must comply with the FTC's regulations concerning the collection, use, disclosure, and protection of personal information of children under 13.
- Fair Credit Reporting Act (FCRA): The FCRA promotes the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies (CRAs). Credit unions that furnish information to CRAs, or use that information for certain purposes, may have obligations under the FCRA. For example, the FCRA's affiliate marketing requirements, as implemented in Regulation V, target the use of information that a third party obtains from an affiliate to market the third party's products. An example of this would be a CUSO using covered information obtained from a credit union to market the CUSO's investment products (or vice versa).
- CAN-SPAM Act: CAN-SPAM applies to commercial emails, and imposes certain limitations, including the requirement of an unsubscribe mechanism that allows recipients to opt-out of future commercial emails.
- Telephone Consumer Protection Act (TCPA): The TCPA was enacted to address unsolicited telemarketing and sales calls. To prevent these calls, the TCPA limits the time of day telemarketers can call residences, requires the maintenance of do-not-call lists, and requires all companies conducting telemarketing to transmit caller identification (caller ID) information. The TCPA also restricts the use of autodialers, and artificial and pre-recorded messages to cell phones and residential landlines.
- UDAAP: Under Dodd-Frank, it is unlawful for any provider of consumer financial products or services to engage in any unfair, deceptive, or abusive act or practice. See, 12 U.S.C. § 5531(a); 5536(a)(1). The CFPB has used its UDAAP authority in the data security realm. While the CFPB lacks substantive authority over data security, that does not stop the CFPB from taking an action under UDAAP to monitor and enforce data security. As you may recall, in March 2016, the CFPB took action against online payment platform Dwolla, alleging that it deceived consumers about its data security practices.
- State Laws: In addition to the federal laws described above, credit unions should be cognizant of their individual state laws that may govern data security and privacy. For example, forty-seven states, in addition to the District of Columbia and Puerto Rico, have passed laws requiring notice to consumers when there is a data breach involving personal information.
- Develop a Written Information Security Program. Each credit union should have a comprehensive written information security program and plan that addresses what personally identifiable information the credit union collects, where and how it is maintained, and who has authority to access the information. The program must be designed to ensure the security and confidentiality of member records from anticipated threats or hazards, including from hackers. See, 12 CFR 748 App. A. Section 748.0 of NCUA's rules and regulations requires each federally insured credit union to have a written security program within 90 days of insurance by the NCUSIF. Appendix A to Part 748 sets forth guidelines for safeguarding member information. In general, the guidance requires credit unions to have documented policies and procedures that implement and address the credit union's information security program.
- Develop a Cybersecurity Incident Response Program. Incident response programs address the action steps a credit union should take in the event of a data breach. The regulatory requirements for a credit union's incident response program are contained in Appendix B to Part 748. Appendix B provides guidance on response programs for unauthorized access to member information, including standards for providing members with timely notice of unauthorized access or use of member information. It is also good practice to specify when, and what type of, recourse will be offered to victims of a breach.
- Review agreements and contracts. It is also important to understand what the credit union's contractual obligations are with respect to personal data, as triggered by its agreements with its members. This would include assessing the credit union's reliance on third-party service providers for data-sensitive functions. Although credit unions can outsource certain tasks and functions, responsibility for compliance and risk mitigation still remains with the credit union. Contracts with third-party service providers should include protocols that address the collection, storage, and protection of customer information, as well as how to respond to customer claims of identity theft.
- Review any disclosures or statements to members, including marketing materials, to ensure that the credit union is not overpromising how personal information is secured. As mentioned above, credit unions are required to explain to their members how they collect, maintain, and share nonpublic personal information. At least one regulator has made clear that it sees these disclosures and statements as promises, and has stated that it could be an unfair practice for a company to store, share, or use information in a way that is inconsistent with the promises made when the information was collected. As a result, a credit union may want to consider whether it is making overzealous promises that it may not be able to keep.
- Establish an Employee Training Program. Regulators also expect credit unions to conduct regular, mandatory training across all departments, not just the IT department. For example, all employees should know how to identify and prevent successful phishing attempts.
It is vital that every credit union has measures in place to mitigate the risk of a potential data breach. In addition to the factors described above, there are other resources that compliance officers may use when reviewing the credit union's cybersecurity risk program. For example, NCUA maintains a list of cybersecurity resources on its website, including:
- FFIEC Joint Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks (just issued yesterday, June 7, 2016);
- FFIEC IT Examination Handbook, Information Security;
- NCUA Risk Alert 13-Risk-01, Mitigating Distributed Denial-of-Service Attacks; and
- NCUA Letter to Credit Unions 05-CU-20, Phishing Guidance for Credit Unions and Their Members
Also, NAFCU has some additional resources that may also be helpful:
- NAFCU Cyber Cafe, FFIEC Updates the Management Section of the IT Handbook;
- NAFCU Cyber Cafe, Getting a Head Start on Cybersecurity Exam Preparation;
- NAFCU Cyber Cafe, FFIEC Releases Cybersecurity Self-Assessment Tool;
- NAFCU Cyber Cafe, Preventing, Detecting and Responding to Cyber Incidents;
- NAFCU Cyber Cafe, Strengthening Cyber Resilience in Business Continuity Plans;
- NAFCU Compliance Blog, FFIEC Joint Statement on Cyber-Attacks Involving Extortion;
- NAFCU Compliance Blog, Compliance Team Update; NCUA Issues Letter to CEOs on Encrypting Exam Data;
- NAFCU Compliance Blog, FFIEC Releases Cybersecurity Assessment Tool;
- NAFCU Compliance Blog, FFIEC Shellshock Vulnerability Alert; Cybersecurity Awareness; Consumer Compliance Outlook; Outlook Live Webinar on Fair Lending; and
- NAFCU Compliance Blog, Cybersecurity: An Essential Function.
- Coming Soon: Based on members' requests, NAFCU is working on a fillable and self-tallying Excel workbook version of the FFIEC Cybersecurity Self-Assessment Tool. More details to come.
Another good resource to consider is CBANC. Last year, NAFCU announced a strategic alliance with the CBANC Network as a benefit to our members. This free tool allows your credit union to find policies and procedures that can save time, research peer reviews of industry vendors, and ask questions to credit union insiders who've already solved a challenge you're facing. Here's the NAFCU page giving instructions on accessing it.
In unrelated news, the CFPB's eRegulations has been expanded to include three additional Bureau regulations: Regulation X (Real Estate Settlement Procedures Act); Regulation C (Home Mortgage Disclosure Act); and Regulation DD (Truth in Savings Act). CFPB's eRegulations is a web-based tool that makes regulations easier to find, read, and understand.