CUNA Regulatory Comment Call


October 29, 2003

NCUA’s Proposed Rule & Guidance on Response Programs for Unauthorized Access to Member Information

(Applies to federally-insured credit unions)

EXECUTIVE SUMMARY

  • NCUA has issued a proposed rule and guidance to address the increasing number of breaches or attempted breaches of member information that have resulted in the rapid escalation of identity theft over the past several years.
  • The proposal amends Part 748 of NCUA rules regarding security programs. The proposed rule requires that the credit union’s already existing security program must now address how the credit union will respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member. The Guidance in the proposed Appendix B to Part 748 contains details of what should be included in these response programs.
  • Under these response programs, the credit union should assess the situation, notify regulatory and law enforcement agencies, contain and control the situation, and take corrective measures. The Guidance also provides additional information to assist credit unions in taking these actions.
  • As outlined in the Guidance, the credit union should provide the member notice when there is an incident of unauthorized access or use of member information. Specifically, the credit union should provide the notice when it becomes aware of unauthorized access to sensitive member information, unless the credit union, after an investigation, reasonably concludes that misuse of the information is unlikely to occur and takes steps to safeguard the interests of affected members, including monitoring the affected members’ accounts for unusual or suspicious activity.
  • The Guidance outlines the information that should be included in the notice and provides examples of situations when notice should and should not be given.
  • Comments are due to NCUA by December 29, 2003. Please submit your comments to CUNA by December 19, 2003.

Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.coop and to Assistant General Counsel Jeff Bloch at jbloch@cuna.coop; or mail them to Mary and Jeff c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposal, or you may access it on the Internet at the following address: http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/Proposed12CFRPart748.pdf

BACKGROUND

The privacy provisions of the Gramm-Leach-Bliley Act of 1999 required NCUA and the other financial institution regulators to establish appropriate standards relating to the administrative, technical, and physical safeguards for consumer records and information. In early 2001, NCUA issued a rule amending Part 748 to require such safeguards as part of all federally-insured credit unions’ security programs and provided guidance to assist credit unions in meeting these requirements, which were included in the rule as “Appendix A to Part 748 – Guidelines for Safeguarding Member Information.”

To address the increasing number of breaches or attempted breaches of member information that have resulted in the rapid escalation of identity theft over the past several years, NCUA and the other financial institution regulators have now issued proposed guidance. Specifically, NCUA has issued a proposed rule that amends Part 748 to require credit unions to include within their security programs a response program for incidents of unauthorized access to member account information. The proposed rule also includes an appendix that provides guidance on such programs, titled “Appendix B to Part 748 – Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.”

DESCRIPTION OF THE PROPOSED RULE AND GUIDANCE

The proposed rule is very brief and requires that the credit union’s already existing security program must now address how the credit union will respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member. It is the Guidance in the proposed Appendix B to Part 748 that contains details of what should be included in these response programs, as outlined below:

Components of a Response Program

  1. Assess the situation – The credit union should assess the nature and scope of the incident and identify the member information systems and types of member information that have been accessed or misused. “Member information systems” include all of the methods used to access, collect, use, transmit, protect, or dispose of member information, including the systems maintained by service providers.

  2. Notify Regulatory and Law Enforcement Agencies – The credit union should notify NCUA or the state regulator when it becomes aware of an incident involving unauthorized access or use of member information that could result in substantial harm or inconvenience to its members. The credit union should also file a Suspicious Activity Report (SAR), as required under the SAR rules. Law enforcement, along with NCUA or the primary state regulator, should be notified immediately by telephone if the incident involves a federal criminal violation that requires immediate attention.

  3. Contain and Control the Situation – The credit union should take measures to prevent further unauthorized access or use of member information, while preserving records and evidence. In connection with computer intrusions, this could include:
    • Shutting down applications or third party connections.
    • Reconfiguring firewalls in cases of unauthorized electronic intrusions.
    • Ensuring that all vulnerabilities in the computer systems have been addressed.
    • Changing computer access codes.
    • Modifying physical access controls.
    • Placing additional controls on service providers.

  4. Corrective Measures – The following are examples of measures that the credit union should take after the credit union understands the scope of the incident and has taken steps to contain and control the situation:
    • Flag accounts – The credit union should immediately identify and monitor accounts whose information may have been accessed or misused. The credit union should provide staff with instructions regarding the recording and reporting of unusual activity and, if necessary, implement controls to prevent the unauthorized withdrawal or transfer of funds from member accounts.
    • Secure accounts – When an account number, credit or debit card number, personal identification number (PIN), password, or other unique identifier has been accessed or misused, the account and all other accounts or services that can be accessed with the same numbers and passwords should be secured until the credit union and member agree on a course of action.

Consistent with existing guidance, a credit union’s contract with a service provider should require the service provider to disclose any information to the credit union regarding any breach in security resulting from an unauthorized intrusion into the credit union’s member information system maintained by the service provider. The service provider should also be required to take appropriate actions to address incidents of unauthorized access or use of the member’s information that will enable the credit union to quickly implement its response program.

Member notice

The credit union should provide the member notice when there is an incident of unauthorized access or use of member information. Notices may be restricted to those members whose information was accessed or misused if the credit union is able to determine from its records which members have been affected. If this cannot be determined, the credit union should notify each member in the groups most likely to have been affected by the incident, such as each member whose information is stored in the group of files in question.

The credit union should notify affected members when it becomes aware of unauthorized access to “sensitive member information,” unless the credit union, after an investigation, reasonably concludes that misuse of the information is unlikely to occur and takes steps to safeguard the interests of affected members, including monitoring the members’ accounts for unusual or suspicious activity. “Sensitive member information” includes a social security number; PIN; password or account number, in conjunction with a personal identifier, such as the member’s name, address, or telephone number; and any combination of member information that would allow someone to log onto or access another person’s account.

Here are examples of when notice should be given, unless the credit union, after an investigation, reasonably concludes that misuse of the information is unlikely to occur and takes steps to safeguard the interests of affected members:

  • An employee of the credit union obtained unauthorized access to sensitive member information.
  • A cyber intruder has broken into a credit union’s unencrypted database that contains sensitive member information.
  • Computer equipment containing sensitive member information has been lost or stolen.
  • The credit union has not properly disposed of member records containing sensitive member information.
  • A third-party service provider has experienced any of the above incidents.

Here are examples of when notice would not be expected, because misuse of the information is unlikely to occur:

  • The credit union is able to retrieve sensitive member information that has been stolen and reasonably concludes, after investigation, that the retrieval occurred before the information was copied, misused, or transferred to another person who could misuse it.
  • The sensitive member information may have been improperly disposed of, but the credit union can establish that the information was not retrieved or used before it was destroyed.
  • A hacker accessed files containing only member names and addresses.
  • A laptop computer containing sensitive member information was lost, but the data is encrypted and may only be accessed with a secure access device.

The notice should be timely, clear, conspicuous, and delivered in a manner that ensures that the member is likely to receive it. This may include notice by telephone, mail, or electronic notice for members who conduct transactions electronically.

Here is the information that should be included in the notice:

  • Description of the incident in general terms and the information that was the subject of unauthorized access or use.
  • A telephone number that the member may call for further information and assistance.
  • A reminder that the member should be vigilant over the next 12 to 24 months and promptly report incidents of suspected identity theft.
  • The credit union will assist the member to correct and update information in any consumer report relating to the member.
  • The member should notify each nationwide credit reporting agency (CRA) to place a fraud alert in the member’s consumer report.
  • The member should periodically obtain credit reports from each CRA and have the information relating to fraudulent activities deleted.
  • The member has the right to obtain a free credit report if the member has reason to believe that the file at the CRA contains inaccurate information due to fraud, along with contact information regarding the CRA.
  • The availability of online guidance from the Federal Trade Commission (FTC) regarding steps that can be taken to protect against identity theft and to encourage the member to report incidents of identity theft to the FTC. This should include the FTC’s website (www.ftc.gov/idtheft), as well as the telephone number (1-877-IDTHEFT) that the member may also use.

Here is additional assistance that the credit union may choose to offer:

  • Toll-free telephone number that members may call for assistance.
  • Helping members in notifying CRAs of the incident and in placing a fraud alert in the member’s consumer reports.
  • Information about subscription services that provide notification to the member whenever there is a request for the member’s credit report. The credit union may offer to provide such a subscription for a limited time, free of charge.

The credit union may also wish to include in the notice a brochure, prepared by the financial institution regulators, regarding steps that can be taken to protect against identity theft. The brochure can also be downloaded from the Internet (www.occ.treas.gov/idtheft.pdf, www.federalreserve.gov/consumers.htm, www.fdic.gov/consumers/consumer/news/cnsum00/idthft.html).

QUESTIONS TO CONSIDER REGARDING NCUA’s PROPOSED RULE AND GUIDANCE ON RESPONSE PROGRAMS FOR UNAUTHORIZED ACCESS TO MEMBER INFORMATION

  • Should any of the components of the response program be clarified? If so, how?

  • Should each component of the response program be retained? If not, which components should be deleted and why?

  • Are there additional components that should be included in the response program to address incidents of unauthorized access or use of member information?

  • NCUA recognizes that there is a spectrum of standards as to when notice of misuse or unauthorized access of information should be delivered to the member. On one end would be notice whenever there is the mere possibility of misuse. The other end would be notice only when the credit union knows that the information has been misused. The proposed Guidance chooses a standard in the middle of the spectrum, in which notice is provided when the credit union becomes aware of unauthorized access to sensitive member information, unless the credit union, after an investigation, reasonably concludes that misuse of the information is unlikely to occur and takes steps to safeguard the interests of affected members, including monitoring the affected members’ accounts for unusual or suspicious activity. Is this the appropriate standard? If not, why is it not appropriate and what threshold should apply with regard to triggering notice?

  • “Sensitive member information” is defined as a social security number, PIN, password, or account number in conjunction with a personal identifier. This would also include any combination of member information that would allow someone to log onto or access another person’s account, such as a user name or password. Are there any other types of information that should be included in this definition, such as mother’s maiden name or driver’s license number?

  • Please describe the potential burden of the notice provisions. For example, what burden do you anticipate when members ask questions after receiving the notice? Should NCUA consider how the burden will vary depending on the size and complexity of the credit union, and how should the Guidance change as a result?

  • The Guidance describes the corrective action a credit union should take when there is an incident of unauthorized access, which includes “secure accounts.” Is the Guidance with regard to securing accounts sufficiently clear to enable credit unions to know what is expected of them?

  • To what extent will contracts between credit unions and service providers need to be modified, if at all, to comply with the proposed rule and Guidance? How much burden, if any, will the Guidance impose on service providers?

  • Besides “sensitive member information,” should notice be provided in other extraordinary circumstances that compel the credit union to conclude that unauthorized access to information will likely result in substantial harm or inconvenience to the member?

  • The proposed Guidance includes examples of when notice should and should not be given. Should these examples be modified? Are there other examples that should be included? Please explain why these modifications or additional examples should be included.

  • Other comments?

Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com
Copyright © 2012 Credit Union National Association