When it comes to CUSO regulation, can’t we all just get along?

by: Henry Meier

A day after the CU Times reported that NACUSO issued a call-to-arms urging credit unions to help fund regulatory and potential legal actions designed to protect CUSOs against regulatory encroachments by the NCUA, it is being reported that Home Depot’s data theft was much more serious than initially reported.  Not only were a mere 56 million credit card accounts compromised, but 53 million email addresses were also stolen.  It now appears that access to the system came from a password stolen from one of the company’s vendors.  Just how many issues does this raise?  Let me count them.

  • Look to your left, look to your right.  Then look down the hallway.  Think about the most technologically incompetent person you have working for your credit union.  Realize that your data security is only as safe as that employee can make it.  Data security starts with your employees.  Only give access to databases to those who truly need it.  The hackers are so sophisticated now that once they have access to a password, they can virtually sneak around your system and find more and more vulnerabilities.
  • I’ve said it once and I’ll say it again, and I expect NCUA will be saying it to you shortly:  your vendor contracts are absolutely crucial.  Given the explosion of technology, it is only natural that credit unions are going to turn to vendors.  If they don’t, they won’t be able to provide the type of services that members expect.  But turning to the vendor doesn’t absolve the credit union of ultimate responsibility for the services the vendor is providing or the continuing need to protect member information.  Consequently, just like Warren Buffett never invests in a business he doesn’t understand, your credit union should never contract for technology it doesn’t comprehend.  Your vendor relationships must include ongoing monitoring by knowledgeable employees on your staff.  You should make sure that your vendors document on an ongoing basis that they are compliant with the latest data security standards.