News Now

Washington
CUNA CompBlog Provides Target Breach Response Tips
WASHINGTON (12/30/13)--Helping credit unions meet compliance requirements as they respond to the massive Target data breach is the aim of the latest posting on the Credit Union National Association's CompBlog, the daily blog for compliance information and developments.

In a new CompBlog post, CUNA Senior Vice President for Compliance Kathy Thompson reminds credit unions that Section 748 of National Credit Union Administration regulations requires federally insured credit unions to have a security program that contains a provision for responding to instances of unauthorized access to "sensitive" member information.

When sensitive information is accessed by unauthorized outsiders, credit unions must investigate to quickly determine the likelihood that the information has been or will be misused. Sensitive information includes a member's name, address, or telephone number, in conjunction with the member's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member's account, she notes.

"The Target breach is clearly an incident triggering compliance procedures," Thompson says.

NCUA guidance states that credit unions should have procedures in place to:
  • Assess the nature and scope of the incident, and identify what member information systems and types of member information have been accessed or misused;
  • Notify the appropriate regulator and inform it of the impact of the breach on the credit union's operations;
  • Notify appropriate law enforcement authorities;
  • File a timely Suspicious Activity Report in situations involving federal criminal violations requiring immediate attention. Credit unions should also report incidents of possible fraud to their insurers and Visa and MasterCard;
  • Contain and control the incident and prevent further unauthorized access to or use of member information;
  • Monitor, freeze or close affected accounts and preserve records and other evidence; and
  • Notify members, when warranted.
Many credit unions are asking whether there is required language that must be included in notifications sent to members. The answer is "no," Thompson says: There are no specific federal regulatory procedures on how and when the notification must be sent.

It is best to notify everyone who might possibly be affected as soon as possible and in a reasonably effective way.

"Yes, we know that individual members are far more likely to know if they actually bought something at Target using their debit or credit card since Black Friday, and should already be monitoring their accounts--but regulators will expect credit unions to be proactive and alert their members," she adds.

For the full blog post, use the resource link.
Other Resources

Blog Post