NCUA Examiner Fails to Follow Security Policy
NCUA Executive Director Mark Treichel said the loss of a flash drive containing the personal information of members at a California credit union was the result of an examiner’s failure to follow existing agency policies.
According to Treichel, the NCUA has directed a review team responsible for the NCUA’s Guidelines for Safeguarding Member Information (Part 748 of the agency’s regulations) to study whether the agency should require federally insured credit unions to encrypt electronic member information.
A thumb drive given to an examiner was lost during an examination at the $13 million Palm Springs Federal Credit Union.
“The security of credit union members’ personally identifiable information is a top priority for NCUA. The agency takes its responsibilities in this area very seriously and expects credit unions to do likewise. NCUA is also committed to ensuring that the data shared in exams is protected at all times,” Treichel said Wednesday.
“The thumb drive did not include passwords or PINs. NCUA has received no indication of any unauthorized access to members’ accounts or attempts to gain improper access. This loss resulted from a failure to follow agency policies on securing sensitive data,” he added.
Treichel said that since 2008, NCUA examiners have been required to properly secure and control electronic devices containing sensitive or confidential data at all times.
“The agency has conducted more than 28,000 examinations since these security policies have been in effect without encountering a notable problem. This was an unfortunate, but isolated, incident, and both NCUA and the credit union acted quickly,” he said.
According to Treichel, the agency and the credit union are taking “all appropriate actions to investigate the incident, notify members and combat possible identity theft.”
As a result of the incident, the NCUA is reinforcing training on protecting sensitive information and reviewing its policies in the data security area. Treichel said the NCUA plans additional security training for examiners next year.
The NCUA is in the process of creating a team to review the circumstances surrounding this incident at Palm Springs. Treichel said the agency is also assessing the creation of an information-sharing system between the agency and credit unions, using a secure portal in place of hardware like a flash drive.
“NCUA requires all staff to complete annual security awareness training, which includes training on the protection of personally identifiable information. That was last done in November 2014,” he said. “Further, field staff has been reminded of their responsibilities for maintaining information security, and field directors will review certain security policies at their next group meetings.”