Hush, Hush

When hackers steal credit card and social security numbers, members should know, sometimes.

Credit unions must notify their members of data breaches, according to the NCUA and to proposed federal legislation that follows in the footsteps of California's landmark 2003 law, the Information Practice Act, better known as Senate Bill 1386.

But members may not need to be notified if the stolen data is encrypted, a stipulation unique to SB 1386.

In contrast, five distinct federal initiatives on the table this year would allow businesses to forgo notifying consumers about a breach, whether or not the data is encrypted.

Leave The Decision To The Business

Instead, the initiatives would let data custodians (businesses that handle sensitive, nonpublic personal data) decide not to notify consumers simply because the business determines that the data cannot be used fraudulently.

"Proposed federal legislation and the NCUA allow a very broad interpretation of the law, giving an institution an opt-out when it feels that the data is not compromised," said Michael Ivezic, director of Internal Audit Services and Loss Prevention at $3-billion Wescom Credit Union in Pasadena, Calif.

The NCUA describes its reporting guidance as "risk-based," according to NCUA spokesperson Nicholas Owens. Appendix B to the agency's Security Program rule requires credit unions to investigate any security breach and to notify members "only where harm is likely," he said.

"Of course, a credit union could determine, legitimately, after investigation that encryption provides sufficient safeguards, and that notice is therefore not necessary," Owens added. "Similarly, a credit union could decide to provide notice anyway, in an effort to be cautious and conservative. The main point of our guidance is that it leaves much room for discretion to the credit union."

The guidance leaves room for "corporate subjectivity," asserted Ivezic.

CUs Back Legislation

As a result, both Wescom and Teachers Credit Union in South Bend, Ind., stand behind legislation, enacted by California and other like-minded states, that includes a stipulation for encrypted data.

That's because encryption can prevent data from being stolen in the first place, according to Thelma Snedaker, information security officer at $1.5-billion Teachers CU.

"While reporting guidelines are important in the event of a breach, preventing that breach should be the primary goal," explained Snedaker. "Prevention methods could be included in legislation that will provide data custodians with actionable guidelines.

"Encryption is very actionable," she added.

"SB 1386 has fairly clear and common-sense reporting guidelines, and is very responsibly written in terms of giving data custodians some direction to take to protect that data by including a provision for encryption," Snedaker continued.

SB 1386 As An Enabler

"In my opinion, California SB 1386 has been an enabler in terms of credit unions setting aside the budget and resources to promote encryption," said Snedaker. "Now the NCUA, the Senate, and the House have the opportunity to use national law to do the same.

"A national law would also standardize requirements for multi-state membership CU's, thus easing compliance," she added.

However, a blanket exclusion for encrypted data is "not appropriate," according to NCUA Appendix B, "because there are many levels of encryption, some of which do not effectively protect member information."

Snedaker responded: "I would like to see the federal initiatives include encryption, as does SB 1386, and define the acceptable level of encryption or method," perhaps adopting industry standards such as those set by the National Institute of Standards and Technology.

Although the California law allows an exclusion for encrypted data, it does not yet specify what level of encryption is acceptable.

"Of course, there are caveats to encryption, such as if circumstances cause the encryption control to be bypassed," Snedaker added. For example, a laptop whose encrypted hard drive holds sensitive personal data could be lost together with its login credentials and encryption key, leaving the data readable to whoever finds it.

In addition, smaller credit unions with fewer resources may struggle to meet encryption standards, Ivezic suggested.

With the rash of security breaches in the past two years, consumer notification initiatives have grabbed the attention of CU information security officers.

The Financial Services Committee acknowledged 50 database security breaches last year, potentially affecting 51 million Americans.

Even though most breaches originate at credit unions' third-party service providers, such as credit card companies, credit unions bear reputation risk by association.

CUJ Resources

For info on this story:

* Teachers CU: www.cuttingedgefcu.org

* Wescom CU: www.wescom.org

* California Information Practice Act: www.sb-1386.com

* NCUA Security Program and Appendix B: www.ncua.gov/RegulationsOpinionsLaws/RecentFinalRegs/F-748.pdf

* CUNA's Data Security legislation summary: http://www.cuna.org/gov-affairs/legislative/issues/2005/data-security.html

MORE FROM AMERICAN BANKER