Untangling Service Provider Breaches
Written by Andrew Morris, Regulatory Affairs Counsel
October is National Cybersecurity Awareness Month, so today I'm writing about service provider data breaches and member notification rules. I'll also share some insights from a cybersecurity-related event I attended last week at the U.S. Chamber of Commerce.
To start with the basics, Part 748 of NCUA's regulations implements the Gramm-Leach Bliley Act of 1999 (GLBA) and describes a credit union's obligation to adopt various technical and administrative safeguards to protect member information. Appendix B to Part 748 advises credit unions that they should develop a "risk-based response program" to address "incidents of unauthorized access to member information in member information systems". Appendix B also describes the standard for providing notice to members when there is an incident of unauthorized access to "sensitive member information" (emphasis added).
Let's unpack some of this language. As an initial matter, Part 748 describes not only what a credit union should do, but also what it must do to safeguard member information. In general, NCUA's IT examination process is risk-based, so it's incumbent upon the credit union to design security controls that are appropriately tailored. However, NCUA advises that a credit union should, at a minimum, consider the specific security measures enumerated in Appendix A to Part 748, which include a response program. In addition, 12 CFR 748.0(b)(3) requires that the credit union's security program be designed to "respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member."
In the context of a breach notification, there is a distinction between incidents of unauthorized access and incidents that could result in substantial harm or serious inconvenience to a member. Likewise, there is also a difference between unauthorized access to member information (defined in Appendix A to Part 748) and unauthorized access to sensitive member information (defined in Appendix B to Part 748). NAFCU's compliance blog has compared the different obligations that could arise as a result of these distinctions in a previous post. If you're interested in the mechanics of notifying NCUA, I would recommend reading it.
Today we will be talking about how a credit union should evaluate the breach of a service provider. Appendix A to Part 748 describes the response program as a protocol specifying "actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies." A member information system can include a system maintained by a service provider.
To reiterate this point, Appendix B to Part 748 also provides that a credit union should be able to address "incidents of unauthorized access to member information in member information systems maintained by its service providers". In practical terms, this means that a credit union's contract with its service provider should require the service provider to address incidents of unauthorized access to member information. Ultimately, it will be the credit union's responsibility to notify members; however, a credit union may authorize or contract with its service provider to notify the credit union's members or regulators on its behalf.
In the context of service provider breaches, you should remember that the term "member information" applies. Member information means any records containing nonpublic personal information, as defined in 12 CFR 1016.3(p), about a member, whether in paper, electronic or other form, that is maintained by or on behalf of the credit union. Accordingly, it's important that service provider contracts reflect the broader meaning of member information. Credit unions are also advised to monitor service providers based on risk-assessments and to determine whether they are properly safeguarding member information. Appendix A to Part 748 indicates that such monitoring may involve review of audits and test results.
One question credit unions have asked in the aftermath of the Equifax data breach, which we've covered in a previous blog, is whether Equifax might be considered a service provider. Appendix A to Part 748 defines a service provider as "any person or entity that maintains, processes, or otherwise is permitted access to member information through its provision of services directly to the credit union." Many credit unions furnish credit reports to Equifax, but it remains unclear whether this type of exchange would result in a direct service relationship. To obtain the best answer to this question, you will probably want to review the service agreement that Equifax requires for data furnishers.
While it is almost certain that Equifax will be punished in some fashion for its data breach, consumers are eager to know how credit reporting agencies (CRAs) will be held accountable in the future. Many have lamented the fact that the Federal Trade Commission (FTC) lacks the authority to thoroughly examine and supervise data security programs at CRAs, which are generally required to follow the FTC's Safeguards Rule. The Safeguards Rule implements the high level security concepts contained in the GLBA, but is not nearly as comprehensive as the Federal Financial Institutions Examination Council (FFIEC's) IT Booklets and not nearly as prescriptive as the guidance published by individual financial regulators like NCUA. However, the CFPB does have the authority to supervise CRAs with annual receipts in excess of $7 million. That includes Equifax.
Although the CFPB does not enforce regulations implementing the GLBA, it is possible the bureau could also use its unfair deceptive acts and practices (UDAAP) authority to punish Equifax. Last year, the CFPB targeted the lax data security practices at Dwolla payment processor by characterizing its overbroad security assurances as deceptive. As part of the CFPB's enforcement action, the first of its kind to target data security practices, Dwolla was required to pay a $100,000 penalty. Whether the CFPB can craft an enforcement action against Equifax that fits within the UDAAP framework remains to be seen.
Equifax probably won't be the last high profile breach we see this year. So what can credit unions do to better prepare themselves in the event of future cyber disruption? Aside from the usual recommendations review security policies, train employees to avoid phishing emails, etc.. I would recommend information sharing. I recently attended the U.S. Chamber of Commerce's Annual Cybersecurity Summit and a major focus in almost every presentation was the critical importance of information sharing and analysis organizations (ISAOs). The good news is that the financial sector is already on the cutting edge, with many financial institutions belonging to one or more ISAOs that offer various tools to monitor vulnerabilities and ingest threat data.
As a parting thought, I'd like to say that NAFCU's work on improving information sharing capabilities brings to mind an interesting observation from the Cybersecurity Summit. At the end of the event, former Air Force General Michael Hayden suggested that individuals are more responsible for their safety today than at any point in history since the opening of the Western Frontier. I interpret that to mean that credit unions will need to work together to face the current threat landscape, which includes highly organized criminal syndicates and malicious state actors. To tackle these unprecedented challenges, credit unions should seek to partner with each other to develop best practices and outmaneuver their adversaries.