WASHINGTON (12/30/13)--Helping credit unions respond to the massive Target data breach with compliance requirements is the aim of the latest posting on the Credit Union National Association's CompBlog
, the daily blog for compliance information and developments.
In a new CompBlog
post, CUNA Senior Vice President for Compliance Kathy Thompson reminds that Section 748 of National Credit Union Administration regulations require federally insured credit unions to have a security program that contains a provision for responding to instances of unauthorized access to "sensitive" member information.
When sensitive information is accessed by unauthorized outsiders, credit unions must investigate to quickly determine the likelihood that the information has been or will be misused. Sensitive information includes a member's name, address, or telephone number, in conjunction with the member's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member's account, she notes.
"The Target breach is clearly an incident triggering compliance procedures," Thompson says.
NCUA guidance states that credit unions should have procedures in place to:
Assess the nature and scope of the incident, and identify what member information systems and types of member information have been accessed or misused;
Notify the appropriate regulator and inform it of the impact of the breach on the credit union's operations;
Notify appropriate law enforcement authorities;
File a timely Suspicious Activity Report in situations involving federal criminal violations requiring immediate attention. Credit unions should also report incidents of possible fraud to their insurers and Visa and MasterCard;
Contain and control the incident and prevent further unauthorized access to or use of member information;
Monitor, freeze or close affected accounts and preserve records and other evidence; and
Notify members, when warranted.
Many credit unions are asking whether there is required language that must be included in notifications sent to members. The answer is "no," Thompson says: There are no specific federal regulatory procedures on how and when the notification must be sent.
It is best to notify everyone who might possibly be affected as soon as possible and in a reasonably effective way.
"Yes, we know that individual members are far more likely to know if they actually bought something at Target using their debit or credit card since Black Friday, and should already be monitoring their accounts--but regulators will expect credit unions to be proactive and alert their members," she adds.
For the full blog post, use the resource link.