Archive Links

Consumer Archive
CU System Archive
Market Archive
Products Archive
Washington Archive

News Now

Washington
CUNA CompBlog Provides Target Breach Response Tips
WASHINGTON (12/30/13)--Helping credit unions respond to the massive Target data breach with compliance requirements is the aim of the latest posting on the Credit Union National Association's CompBlog, the daily blog for compliance information and developments.

In a new CompBlog post, CUNA Senior Vice President for Compliance Kathy Thompson reminds that Section 748 of National Credit Union Administration regulations require federally insured credit unions to have a security program that contains a provision for responding to instances of unauthorized access to "sensitive" member information.

When sensitive information is accessed by unauthorized outsiders, credit unions must investigate to quickly determine the likelihood that the information has been or will be misused. Sensitive information includes a member's name, address, or telephone number, in conjunction with the member's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member's account, she notes.

"The Target breach is clearly an incident triggering compliance procedures," Thompson says.

NCUA guidance states that credit unions should have procedures in place to:
  • Assess the nature and scope of the incident, and identify what member information systems and types of member information have been accessed or misused;
  • Notify the appropriate regulator and inform it of the impact of the breach on the credit union's operations;
  • Notify appropriate law enforcement authorities;
  • File a timely Suspicious Activity Report in situations involving federal criminal violations requiring immediate attention. Credit unions should also report incidents of possible fraud to their insurers and Visa and MasterCard;
  • Contain and control the incident and prevent further unauthorized access to or use of member information;
  • Monitor, freeze or close affected accounts and preserve records and other evidence; and
  • Notify members, when warranted.
Many credit unions are asking whether there is required language that must be included in notifications sent to members. The answer is "no," Thompson says: There are no specific federal regulatory procedures on how and when the notification must be sent.

It is best to notify everyone who might possibly be affected as soon as possible and in a reasonably effective way.

"Yes, we know that individual members are far more likely to know if they actually bought something at Target using their debit or credit card since Black Friday, and should already be monitoring their accounts--but regulators will expect credit unions to be proactive and alert their members," she adds.

For the full blog post, use the resource link.
Other Resources

Blog Post
RSS





print
News Now LiveWire
Registration lottery for #CreditUnion #CherryBlossom Ten Mile Run opens Monday, Dec. 1 http://t.co/AGkKPof5Fy. Race is April 12
10 hours ago
The turkey hasn't even been served and #creditunions are already making plans for #GivingTuesday
11 hours ago
.@bankofamerica's $16.65 billion 'toxic mortgage' settlement finalized http://t.co/BIq1QyImXG
13 hours ago
RT @CUNA: #NussleReport: ICYMI: Revised RBC proposal in January w/a 90-day comment period #Fix RBC http://t.co/T4JcvWBDse
14 hours ago
.@TheNCUA release on Nov. prohibition orders out already. Here: http://t.co/YkA1QIYbYa
14 hours ago