Appendix B - Appendix B to Part 748—Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice
This appendix provides guidance on NCUA's Security Program, Suspicious Transactions, Catastrophic Acts, Cyber Incidents, and Bank Secrecy Act Compliance regulation,
1
1This part.
A. Security GuidelinesSection 501(b) of the GLBA required the NCUA to establish appropriate standards for credit unions subject to its jurisdiction that include administrative, technical, and physical safeguards to protect the security and confidentiality of member information. Accordingly, the NCUA amended Part 748 of its rules to require credit unions to develop appropriate security programs, and issued appendix A, reflecting its expectation that every federally insured credit union would develop an information security program designed to:
1. Ensure the security and confidentiality of member information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member.
B. Risk Assessment and Controls1. Appendix A directs every credit union to assess the following risks, among others, when developing its information security program:
a. Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems;
b. The likelihood and potential damage of threats, taking into consideration the sensitivity of member information; and
c. The sufficiency of policies, procedures, member information systems, and other arrangements in place to control risks.
2
2 See 12 CFR Part 748, appendix A, Paragraph III.B.
2. Following the assessment of these risks, appendix A directs a credit union to design a program to address the identified risks. The particular security measures a credit union should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, the credit union should consider the specific security measures enumerated in appendix A,
3
3 See appendix A, paragraph III.C.
a. Access controls on member information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing member information to unauthorized individuals who may seek to obtain this information through fraudulent means;
b. Background checks for employees with responsibilities for access to member information; and
c. Response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies.
4
4 See appendix A, Paragraph III.C.
C. Service ProvidersAppendix A advises every credit union to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of member information that could result in substantial harm or inconvenience to any member.
5
5 See appendix A, Paragraph III.B. and III.D. Further, the NCUA notes that, in addition to contractual obligations to a credit union, a service provider may be required to implement its own comprehensive information security program in accordance with the Safeguards Rule promulgated by the Federal Trade Commission (“FTC”), 12 CFR Part 314.
II. Response Programi. Millions of Americans, throughout the country, have been victims of identity theft.
6
6 The FTC estimates that nearly 10 million Americans discovered they were victims of some form of identity theft in 2002. See The Federal Trade Commission, Identity Theft Survey Report, (September 2003), available at http://www.ftc.gov/os/2003/09synovatereport.pdf.
7 Credit unions must also conduct background checks of employees to ensure that the credit union does not violate 12 U.S.C. 1785(d), which prohibits a credit union from hiring an individual convicted of certain criminal offenses or who is subject to a prohibition order under 12 U.S.C. 1786(g).
8 Under 12 CFR Part 748, appendix A, a credit union's member information systems consists of all of the methods used to access, collect, store, use, transmit, protect, or dispose of member information, including the systems maintained by its service providers. See 12 CFR Part 748, appendix A, Paragraph I.C.2.d.
9 See FFIEC Information Technology Examination Handbook, Information Security Booklet, (December, 2002), available at http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.htm1#infosec, for additional guidance on preventing, detecting, and responding to intrusions into financial institution computer systems.
ii. In addition, each credit union should be able to address incidents of unauthorized access to member information in member information systems maintained by its domestic and foreign service providers. Therefore, consistent with the obligations in this Guidance that relate to these arrangements, and with existing guidance on this topic issued by the NCUA,
10
10 See FFIEC Information Technology Examination Handbook, Outsourcing Technology Services Booklet, (June 2004), available at http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.htm1#outscouring for additional guidance on managing outsourced relationships.
A. Components of a Response Program1. At a minimum, a credit union's response program should contain procedures for the following:
a. Assessing the nature and scope of an incident, and identifying what member information systems and types of member information have been accessed or misused;
b. Notifying the appropriate NCUA Regional Director, and, in the case of state-chartered credit unions, its applicable state supervisory authority, as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information as defined below.
c. Consistent with the NCUA's Suspicious Activity Report (“SAR”) regulations,
11
11 A credit union's obligation to file a SAR is set forth in § 748.1(d).
d. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence;
12
12 See FFIEC Information Technology Examination Handbook, Information Security Booklet, (December 2002), pp. 68-74.
e. Notifying members when warranted.
2. Where an incident of unauthorized access to member information involves member information systems maintained by a credit union's service providers, it is the responsibility of the credit union to notify the credit union's members and regulator. However, a credit union may authorize or contract with its service provider to notify the credit union's members or regulators on its behalf.
III. Member Noticei. Credit unions have an affirmative duty to protect their members' information against unauthorized access or use. Notifying members of a security incident involving the unauthorized access or use of the member's information in accordance with the standard set forth below is a key part of that duty.
ii. Timely notification of members is important to manage a credit union's reputation risk. Effective notice also may reduce a credit union's legal risk, assist in maintaining good member relations, and enable the credit union's members to take steps to protect themselves against the consequences of identity theft. When member notification is warranted, a credit union may not forgo notifying its customers of an incident because the credit union believes that it may be potentially embarrassed or inconvenienced by doing so.
A. Standard for Providing NoticeWhen a credit union becomes aware of an incident of unauthorized access to sensitive member information, the credit union should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the credit union determines that misuse of its information about a member has occurred or is reasonably possible, it should notify the affected member as soon as possible. Member notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the credit union with a written request for the delay. However, the credit union should notify its members as soon as notification will no longer interfere with the investigation.
1. Sensitive Member InformationUnder Part 748.0, a credit union must protect against unauthorized access to or use of member information that could result in substantial harm or inconvenience to any member. Substantial harm or inconvenience is most likely to result from improper access to sensitive member information because this type of information is most likely to be misused, as in the commission of identity theft.
For purposes of this Guidance, sensitive member information means a member's name, address, or telephone number, in conjunction with the member's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member's account. Sensitive member information also includes any combination of components of member information that would allow someone to log onto or access the member's account, such as user name and password or password and account number.
2. Affected MembersIf a credit union, based upon its investigation, can determine from its logs or other data precisely which members' information has been improperly accessed, it may limit notification to those members with regard to whom the credit union determines that misuse of their information has occurred or is reasonably possible. However, there may be situations where the credit union determines that a group of files has been accessed improperly, but is unable to identify which specific member's information has been accessed. If the circumstances of the unauthorized access lead the credit union to determine that misuse of the information is reasonably possible, it should notify all members in the group.
B. Content of Member Notice1. Member notice should be given in a clear and conspicuous manner. The notice should describe the incident in general terms and the type of member information that was the subject of unauthorized access or use. It also should generally describe what the credit union has done to protect the members' information from further unauthorized access. In addition, it should include a telephone number that members can call for further information and assistance.
13
13 The credit union should, therefore, ensure that it has reasonable policies and procedures in place, including trained personnel, to respond appropriately to member inquiries and requests for assistance.
a. A recommendation that the member review account statements and immediately report any suspicious activity to the credit union;
b. A description of fraud alerts and an explanation of how the member may place a fraud alert in the member's consumer reports to put the member's creditors on notice that the member may be a victim of fraud;
c. A recommendation that the member periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;
d. An explanation of how the member may obtain a credit report free of charge; and
e. Information about the availability of the FTC's online guidance regarding steps a consumer can take to protect against identity theft. The notice should encourage the member to report any incidents of identity theft to the FTC, and should provide the FTC's Web site address and toll-free telephone number that members may use to obtain the identity theft guidance and report suspected incidents of identity theft.
14
14 Currently, the FTC Web site for the ID Theft brochure and the FTC Hotline phone number are http://www.ftc.gov/idtheft and 1-877-IDTHEFT. The credit union may also refer members to any materials developed pursuant to section 15(1)(b) of the FACT Act (educational materials developed by the FTC to teach the public how to prevent identity theft).
2. NCUA encourages credit unions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of members that include contact information for the reporting agencies.
C. Delivery of Member NoticeMember notice should be delivered in any manner designed to ensure that a member can reasonably be expected to receive it. For example, the credit union may choose to contact all members affected by telephone or by mail, or by electronic mail for those members for whom it has a valid e-mail address and who have agreed to receive communications electronically.