Regulator Criticized for Breach Response

Consideration of New Encryption Rule Called Unnecessary

In the wake of a breach during a regulatory exam, a federal banking regulator is getting a chilly reception to its plans to consider new rules related to encryption of data shared with examiners.


Credit union and security experts say that instead of enacting new regulations, the National Credit Union Administration should review its own policies for data security.

In December, the National Credit Union Administration acknowledged that sensitive data had been breached during an NCUA exam, and that it was reviewing how the data was lost (see Did Regulator Cause a Data Breach?).

Debbie Matz, chairwoman of the National Credit Union Administration, says the NCUA is now considering whether it should create a rule to ensure consumer data is encrypted when it's shared with examiners.

Michael Fryzel, a former NCUA chairman, says consideration of a new encryption regulation is premature. Instead, the NCUA should focus on establishing a working group to review the agency's security practices during examinations, he says.

"Credit unions are financial institutions run by competent individuals who, more than likely, already have standards and policies in place relating to cybersecurity," Fryzel says. "NCUA should form a working group composed of industry representatives and NCUA personnel, to determine what steps the NCUA and the industry need to take to guarantee safety and confidentiality of member information."

Similarly, the National Association of Federal Credit Unions says that rather than putting additional regulatory burdens onto the shoulders of credit unions, the NCUA should review what it can do internally to better protect customer data in its care.

"Credit unions must already follow stringent data security and privacy requirements, and they have a strong track record of regulatory compliance," says Alicia Nealon, NAFCU's director of regulatory affairs. "A recent survey of NAFCU's members ... found that credit unions not only meet the regulatory requirements, but also voluntarily implement many of NCUA's suggested best practices in order to better safeguard their members' data."

Wrong Reaction?

Shirley Inscoe, a fraud expert and analyst at the consultancy Aite, says it would be inappropriate for a banking regulator to react to a breach it apparently caused by simply passing a new regulation or rule.

"It would be a shame if the carelessness of a credit union examiner resulted in a heavier compliance burden for the credit unions," she says. "But the bottom line here is that consumer data must be better protected than it was in this case. After seeing an examiner be so careless with a flash drive containing such sensitive information, you have to wonder about their own guidelines and training."

Inscoe says the NCUA should focus more attention now on thoroughly reviewing its internal policies and practices related to security.

On Dec. 29, the NCUA confirmed that Inspector General James Hagan had been brought in to audit the NCUA's examination of Palm Springs Federal Credit Union to determine whether the regulator had adequate controls in place to protect electronic information and sensitive data during field exams.

Fryzel says the inspector general "needs to determine what occurred; how it happened; who knew about the incident and when were they informed; who developed the language of the letter that many believe was misleading; why was the NCUA board not immediately informed of the breach and their potential liability; why did the NCUA wait so long to accept responsibility; and what will this breach cost the industry."

Sketchy Breach Details

On Oct. 30, Palm Springs Federal Credit Union sent a letter to its members to notify them about the loss of a flash drive that contained member names, addresses and Social Security numbers. The institution noted that the drive had been lost sometime around Oct. 20 after a routine audit by the NCUA.

The credit union noted in that letter that it was not sure how the flash drive was lost. The NCUA later confirmed that data on the flash drive had not been encrypted, and that it was unsure of who was responsible for the drive's loss.

"At this time we do not know if the external drive has been inadvertently destroyed or if it was acquired by an unauthorized person," the credit union noted in its letter. "All we know is that it is lost."

Matz says the NCUA is "moving as quickly as possible to consider and adopt additional safeguards to protect electronic data."

In a statement provided to Information Security Media Group, Matz notes: "NCUA requires all staff to complete annual security awareness training, which includes training on the protection of personally identifiable information. That was last done in November 2014, and additional training is planned for 2015. Field staff has been reminded of their responsibilities for maintaining information security, and field directors will review certain security policies at their next group meetings."


About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
