New rules on cybersecurity, MBLs considered by NCUA for 2015

by: Billy Burnet

During an October 2014 NCUA examination of Palm Springs Federal Credit Union (FCU), a confidential flash drive went missing. According to Palm Springs FCU President & CEO Debbi Pitigliano, the drive was provided to the NCUA and contained members’ personal information, including names, addresses and social security numbers. Since last check, the drive’s location remains unknown but no unauthorized access to members’ accounts has been reported.

The estimated cost of the breach may seem low – fraud protection for 1,600 members at an estimated total cost of $15,000 to $20,000. But no matter the cost or amount of people affected, it is yet another instance of financial privacy being jeopardized. Target’s late 2013 breach is among the largest in recent memory, affecting over 70 million individuals. Others making the list include Michaels, Neiman Marcus, Jimmy John’s, Home Depot and JPMorgan Chase. In fact, as of Q3 2014, 43% of companies suffered from a data breach in the past year according to a report from the Ponemon Institute – an increase of 10% over the previous year.

While the circumstances surrounding each situation vary, there are ways to reduce the likelihood of future occurrences. In the case of Palm Springs FCU, the NCUA is considering a rule to require the encryption of data provided to examiners, according to Debbie Matz, NCUA Board Chairman.

Matz noted that short of requiring encryption, the NCUA is “struggling trying to figure out how to prevent data breaches” to ensure that member data remains protected if lost or stolen. She also mentioned that the NCUA’s intention is not to over regulate, but rather to figure out how to enhance levels of protection. According to CU Times, how to proceed in this matter will be determined following the NCUA Inspector General’s full investigation. The investigation will review if the NCUA has appropriate measures in place to protect sensitive information.


continue reading »