Regulator Criticized for Breach Response
Consideration of New Encryption Rule Called Unnecessary
In the wake of a breach during a regulatory exam, a federal banking regulator is getting a chilly reception to its plans to consider new rules related to encryption of data shared with examiners.
Credit union and security experts say that instead of enacting new regulations, the National Credit Union Administration should review its own policies for data security.
In December, the National Credit Union Administration acknowledged that sensitive data had been breached during an NCUA exam, and that it was reviewing how the data was lost (see Did Regulator Cause a Data Breach?).
Debbie Matz, chairwoman of the National Credit Union Administration, says the NCUA is now considering whether it should create a rule to ensure consumer data is encrypted when it's shared with examiners.
Michael Fryzel, a former NCUA chairman, says consideration of a new encryption regulation is premature. Instead, the NCUA should focus on establishing a working group to review the agency's security practices during examinations, he says.
"Credit unions are financial institutions run by competent individuals who, more than likely, already have standards and policies in place relating to cybersecurity," Fryzel says. "NCUA should form a working group composed of industry representatives and NCUA personnel, to determine what steps the NCUA and the industry need to take to guarantee safety and confidentiality of member information."
Similarly, the National Association of Federal Credit Unions says that rather than putting additional regulatory burdens onto the shoulders of credit unions, the NCUA should review what it can do internally to better protect customer data in its care.
"Credit unions must already follow stringent data security and privacy requirements, and they have a strong track record of regulatory compliance," says Alicia Nealon, NAFCU's director of regulatory affairs. "A recent survey of NAFCU's members ... found that credit unions not only meet the regulatory requirements, but also voluntarily implement many of NCUA's suggested best practices in order to better safeguard their members' data."
Shirley Inscoe, a fraud expert and analyst at the consultancy Aite, says it would be inappropriate for a banking regulator to react to a breach it apparently caused by simply passing a new regulation or rule.
"It would be a shame if the carelessness of a credit union examiner resulted in a heavier compliance burden for the credit unions," she says. "But the bottom line here is that consumer data must be better protected than it was in this case. After seeing an examiner be so careless with a flash drive containing such sensitive information, you have to wonder about their own guidelines and training."
Inscoe says the NCUA should focus more attention now on thoroughly reviewing its internal policies and practices related to security.
On Dec. 29, the NCUA confirmed that Inspector General James Hagan had been brought in to audit the NCUA's examination of Palm Springs Federal Credit Union to determine whether the regulator had adequate controls in place to protect electronic information and sensitive data during field exams.
Fryzel says the inspector general "needs to determine what occurred; how it happened; who knew about the incident and when were they informed; who developed the language of the letter that many believe was misleading; why was the NCUA board not immediately informed of the breach and their potential liability; why did the NCUA wait so long to accept responsibility; and what will this breach cost the industry."
Sketchy Breach Details
On Oct. 30, Palm Springs Federal Credit Union sent a letter to its members to notify them about the loss of a flash drive that contained member names, addresses and Social Security numbers. The institution noted that the drive had been lost sometime around Oct. 20 after a routine audit by the NCUA.
The credit union noted in that letter that it was not sure how the flash drive was lost. The NCUA later confirmed that data on the flash drive had not been encrypted, and that it was unsure of who was responsible for the drive's loss.
"At this time we do not know if the external drive has been inadvertently destroyed or if it was acquired by an unauthorized person," the credit union noted in its letter. "All we know is that it is lost."
Matz says the NCUA is "moving as quickly as possible to consider and adopt additional safeguards to protect electronic data."
In a statement provided to Information Security Media Group, Matz notes: "NCUA requires all staff to complete annual security awareness training, which includes training on the protection of personally identifiable information. That was last done in November 2014, and additional training is planned for 2015. Field staff has been reminded of their responsibilities for maintaining information security, and field directors will review certain security policies at their next group meetings."