Agency Takes Responsibility for BreachRegulator to Pay $50,000 for Related Expenses
Weeks after confirming it was investigating a breach of consumer data during a routine regulatory exam, one of the nation's primary financial regulatory agencies has agreed to pay the affected banking institution $50,000 to help cover related expenses.
On Jan. 15, the National Credit Union Administration announced that its board had approved the payment to California-based Palm Springs Federal Credit Union, which in October notified its members of the loss of an unencrypted flash drive containing member names, addresses and Social Security numbers.
Earlier, NCUA faced criticism for stopping short of taking responsibility for the breach and for saying it was considering a new rule requiring encryption of data shared with examiners (see Regulator Criticized for Breach Response).
But in its statement about the breach-related payment, NCUA, for the first time, acknowledges responsibility for the breach.
"As a result of a failure to follow longstanding agency policies on securing sensitive data, a thumb drive given to an examiner was lost during an examination of Palm Springs Federal Credit Union," the NCUA notes. "The agency is taking appropriate action with staff involved in the incident and is reinforcing training on protecting sensitive information and reviewing regulations, policies and procedures in this area. NCUA is also moving as quickly as possible to consider and adopt additional safeguards to protect electronic data."
Reaction to NCUA's Action
Michael Fryzel, a former NCUA chairman who has criticized the NCUA for how it responded to the breach, says the NCUA's agreement to pay the credit union is positive acknowledgment of the role the regulatory agency should have played in ensuring data was better protected during a routine exam. But he points out that the credit union's breach expenses will likely exceed $50,000.
In its statement about its breach-related payment, NCUA notes that it "will pay the credit union for activities such as credit report monitoring for members, credit union staff time associated with the breach and legal fees. To date, the related costs associated with the data breach are approximately $36,000. Payments will come from NCUA's existing operating funds. In the event costs ultimately exceed $50,000, subsequent board action would be required."
Breach Dates Back to October
On Oct. 30, Palm Springs FCU notified its members that the drive had been lost after a routine audit by the NCUA (see Did Regulator Cause a Data Breach?).
Shortly after news of the breach made headlines in December, Inspector General James Hagen announced he would be auditing the NCUA's examination of Palm Springs FCU to determine whether the NCUA mishandled the data, as well as to review how the agency can improve its breach response and breach notification practices, among other things (see NCUA's IG to Review October Breach).
The NCUA says in its latest statement that, so far, it has found no evidence to suggest any unauthorized access to members' accounts or attempts to gain improper access as a result of the data loss.
NCUA spokesman John Fairbanks was unable to provide any additional details about the IG's audit, review and investigation of the breach and how it was handled by the NCUA beyond those provided in the statement, but he did say the payment to Palm Springs FCU is the first the NCUA has given to a credit union for an examination-related breach. "This is the first time we've done this, as it's the first time in 28,000 examinations that this has happened," he says.
Palm Springs FCU did not respond to Information Security Media Group's request for comment.
But former chairman Fryzel says even though the NCUA is taking responsibility for its own lax security procedures, it's still the credit unions that will have to pay. He notes that breach-recovery payments that come out of the NCUA are taken from the shared insurance fund, into which federally insured credit unions pay.
And while the Credit Union National Association notes in a statement that it, too, "appreciates" the NCUA's breach-recovery payment to Palm Springs FCU, it contends that much more needs to be done in the way of data-breach relief for credit unions.
"It took NCUA a matter of weeks to offer reimbursement for their breach, yet credit unions are still waiting to be reimbursed for the Target breach over 13 months later," says CUNA President and CEO Jim Nussle.
Patty Briotta, spokeswoman for the National Association of Federal Credit Unions, says it's hard to say yet whether the NCUA's actions have been thorough. "NAFCU looks forward to seeing the full results of the agency's investigation," she says. "We take data security very seriously."
Fraud expert Shirley Inscoe, an analyst for consultancy Aite, says the NCUA's reactions so far, such as having its IG to investigate the lost flash drive breach, have been appropriate.
"Having oversight by this independent party is an important step in restoring confidence and moving forward," she says. "All regulatory agencies should proactively review their policies and procedures and provide refresher training to ensure similar incidents don't occur in the future. It would greatly diminish a regulator's credibility if a series of data breaches were to occur similar to what we have experienced with retailers and payment processors."