Data Privacy and Security

Resources

NAFCU’s Principles for a Federal Data Privacy Standard

NAFCU has issued a white paper describing its six principles for a comprehensive federal data privacy standard. Congress should consider federal privacy legislation that includes the following elements:

1. A comprehensive national data security standard covering all entities that collect and store consumer information.
2. Harmonization of existing federal laws and preemption of any state privacy law related to the privacy or security of personal information.
3. Delegation of enforcement authority to the appropriate sectoral regulator. For credit unions, the National Credit Union Administration (NCUA) should be the sole regulator.
4. A safe harbor for businesses that takes reasonable measures to comply with the privacy standards.
5. Notice and disclosure requirements that are easily accessible to consumers and do not unduly burden regulated entities.
6. Scalable civil penalties for noncompliance imposed by the sectoral regulator that seek to prevent and remedy consumer injury.

The white paper describes these principles in detail. It also describes the current state of U.S. federal privacy law and its impact on credit unions, as well as state and federal legislative efforts. NAFCU has also released a one-sheet describing the principles which can be a useful tool for discussions with members of Congress or state legislatures.

FFIEC Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC) has issued a Cybersecurity Assessment Tool (the CAT). The CAT can be used by individual credit unions to identify their individual risks and assess their cybersecurity preparedness. While the use of this self-assessment tool is not be mandatory, it can provide meaningful guidance to a credit union preparing for a cybersecurity examination. In cybersecurity examinations, NCUA examiners use the Automated Cybersecurity Examination Tool (ACET) which mirrors the CAT. The NCUA will aggregate data on credit union cybersecurity preparedness and share it with other financial regulators within FFIEC.

NAFCU members can download our FFIEC Cybersecurity Tool Assessment Workbook (member-only) – an editable, self-tallying file that allows credit unions to self-test cyber risk and readiness in a shareable format with a visual result. Updated March 2017 to reflect changes to the CAT.

Data Breach Member Education

View a sample message to help explain the data security issue to your credit union's members.

Payment Security Task Force (PST) Whitepaper

In December 2014, the Payment Security Task Force (PST), of which NAFCU is a member, issued a white paper on protecting cardholder data at the merchant's physical or virtual point of sale. Download PST's "U.S. Payments Security Evolution and Strategic Road Map" paper.

NCUA and FFIEC Guidance

The NCUA has a number of resources regarding cybersecurity available through its website. In a 2013 letter to credit unions, the NCUA lists a number of mitigation practices that credit unions should implement, including:

• Maintaining strong information security awareness programs for employees and members.
• Utilizing transaction monitoring, verification procedures, and appropriate limits commensurate with the risk of applicable funds transfers.
• Implementing strong controls over computers used to process commercial payments, including but not limited to:
  • Multifactor authentication
  • Removal of hardware tokens upon session completion.
  • Prohibited or highly filtered use of Internet browsing.
  • Dedicated, corporate-owned systems without administrator privileges.
• Following network and application security best practices with regard to configuring systems, patch management, and security testing.

The FFIEC IT Examination Handbook Infobase contains detailed information regarding the cybersecurity expectations of the FFIEC agencies, including NCUA. The Infobase contains booklets addressing audits, business continuity management, development and acquisition, e-banking, information security, management, operations, outsourcing technology services, retail payment systems, supervision of technology providers, and wholesale payment systems.

Other Resources

The following websites also offer resources that may help your credit union manage risks related to privacy laws, bolster cybersecurity measures and otherwise stay abreast of changes related to these issues:

Tracking State Privacy Laws

• IAPP (International Association of Privacy Professionals) State Comprehensive-Privacy Law Comparison
• National Conference of State Legislatures - Consumer Data Privacy Legislation
• NAFCU Compliance Blog entries related to privacy

Understanding Privacy Frameworks

• National Institute of Standards and Technology (NIST) Privacy Framework
• NAFCU Compliance Monitor article regarding the framework of the European Union's General Data Protection Regulation (member-only)

Incident Reporting and Response

• DHS - United States Computer Emergency Readiness Team (US- CERT)
• FBI - Internet Crime Complaint Center (IC3)
• Secret Service - Financial Crimes Task Force

Information Sharing

• FS-ISAC (The Financial Services Information Sharing and Analysis Center)
• NCU-ISAO (National Credit Union Information Sharing & Analysis Organization)
• DHS - National Cybersecurity Communication and Integration Center  (NCCIC)
• Infragard (Public-Private Information Sharing to Protect Critical Infrastructure)

Consumer/Small Business Information

• FTC - Privacy, Identity and Online Security Tips
• National Cyber Security Alliance Stay Safe Online
• FCC - 10 Cybersecurity Strategies for Small Business Tip Sheet

Ransomware

• US-CERT Ransomware Overview and Best Practices 
• NCUA - Ransomware Infographic and Information for Credit Unions