Credit unions are awakening to the fact that they must encrypt member data-but it's not clear when or how the data should be secured.
NCUA Rules and Regulations Part 748 mandate encryption for data in storage and transit. However, credit unions are being forced to guess which encryption standards to follow and how to define data "in transit."
Kitsap CU in Bremerton, Wash., recently got the wake-up call when a third-party auditor recommended all member data be encrypted if it leaves the CU's physical or network perimeter, said Colin Morrison, chief information officer at the $600-million credit union.
Kitsap combed through all systems that could contain member information and started encrypting core data immediately, Morrison said. "The auditor felt this would protect us from public disclosure should a tape get lost in transit."
It seems, then, that data kept inside the perimeter is safe.
The Oklahoma City, Okla.-based Tinker FCU does not encrypt core data backups that are traveling across an internal network to its disaster recovery system, according to Steve Mooney, assistant vice president, Information Services Operations and Telecommunications at the $1.4-billion CU. "The data is not encrypted because none of it ever leaves the credit union networks," he said.
NCUA Gives Blessing
An NCUA representative agreed that Tinker's approach is in compliance with the NCUA's intentions. "As long as the data is in the credit union's control, the credit union doesn't have to encrypt it, assuming there is sufficient security around the credit union's network," said Gerry Wyland, Regional Information Security Officer for NCUA Region II in Alexandria, Va.
Data that is electronically transmitted or physically transported out of the CU perimeter should be encrypted with a minimum of 128-bits of key strength, according to Patrick Truett, RISO for NCUA Region III in Knoxville, Tenn.
Stronger encryption, such as the Triple Data Encryption Standard (DES) or 256 bits of key strength, is preferable, Truett added.
Pacific Oaks FCU encrypts data traveling to the outside world, said Mike Rasmusson, network adminstrator at the $259-million CU in Camarillo, Calif. For example, the CU transmits encrypted data to a collection agency and a credit card vendor, he said.
Pacific Oaks started encrypting data five years ago with its email system, followed by floppy discs, compact discs, and last year, core data backup tapes.
"I tend to be fanatical when it comes to security," Rasmusson said. "I hate losing, and losing to an identity thief would be the worst thing of all. Our minimum standard is 128-bit but we'll soon be changing to a minimum of Triple DES."
Pacific Oaks encrypts using different solutions, depending on the situation, explained Rasmusson. Options include sending data through a Virtual Private Network tunnel that encrypts data packets. Alternatively, certain data is encrypted prior to transport using encryption software built into backup, compression, or e-mail solutions.
Many of the industry's core system vendors have yet to integrate encryption into their databases.One industry expert thinks that's dangerous. "It's painfully easy to steal data from core systems, even within the network" asserted Justin Mitzimberg, senior risk assessment and forensic engineer at Info@Risk, a security risk consulting team out of Eugene, Ore. Credit unions need to rattle core vendor cages, Mitzimberg added.
People First FCU did just that.
'Peace of Mind'
"I contacted our core processor, and they quickly came back with a solution and implementation package," said Susan Phillips, chief information officer at the $222-million CU in Allentown, Penn.
Both People First Federal Credit Union and $26-million Hannaford Associates Federal Credit Union in Portland, Maine, enjoy "peace-of-mind" knowing tapes are automatically Triple-DES encrypted as part of the core system's backup routine, according to Phillips and Amy Dugal, technology administrator at Hannaford.
Hannaford sends backup tapes offsite to a disaster recovery location and a storage facility. "The benefit is knowing that if our data gets into the wrong hands in transit, the encryption will prevent disclosure and protect confidential member information," said Dugal.
Compromised data is no fun, Rasmusson agreed. "Ask the people who had backup tapes or data lost by a data storage company or package delivery service or from an identity thief," he said. "Ask them how much work it caused across the credit union. Ask them how many members left because they have no confidence in them anymore. And finally, ask them what it feels like looking for a new job."
CUJ Resources
For info on this story:
* Hannaford Associates FCU at www.hannafordcreditunion.com
* Kitsap CU at www.kitsapcu.org
* People First CU at www.peoplefirstcu.org
* Tinker FCU at www.tinkerfcu.org.
