Transparency Must Be Proven
The recent disclosure that an NCUA examiner lost the flash drive containing confidential information of members of Palm Springs Federal Credit Union was unfortunate and troubling. It was unfortunate for it to have happened at all but more troubling is the failure of the NCUA to disclose when it occurred, not telling the industry that it happened and what steps the agency has taken to prevent its reoccurrence.
The data breach took place in October and yet it was not until two months later that the agency acknowledged the incident. And that acknowledgement came only after CU Times obtained a copy of the letter sent to all Palm Springs members. Despite this disclosure, NCUA refuses to confirm an NCUA examiner was responsible for the loss.
The letter itself is interesting. Nowhere is it mentioned that the flash drive was lost during an NCUA examination. It refers to records being “audited” and the “audit process”. NCUA does not perform audits. Use of the word audit would lead one to believe that the breach was caused by the credit union’s CPA or internal auditor.
Data breaches cost money. In this case there will be attorney fees, staff time, postage, supplies and contracted ID protection. In addition, there is the inconvenience to each account holder and what they must now do to protect themselves as well as their credit.
However, nowhere is it mentioned how this additional cost will be paid. The NCUA has demanded that retailers step up and pay their fair share when a breach occurs at one of their stores. Who will step up now?
I guess we can assume the NCUA will reimburse the credit union for all costs related to the breach. But will they inform the industry what that cost will be? Because we all know the credit unions are the ones who must pay the bill. And when will we know that cost? When we read about in it the press?
There are countless questions when an incident like this happens. And when it involves a federal regulatory agency that prides itself on transparency, those questions must be answered sooner rather than later.
I urge the NCUA Board to ask the Inspector General to conduct an investigation of this matter. Everyone needs to know what occurred, who was responsible and why as well as what has been done to reduce the possibility of it happening again.
The IG must also determine why the industry was not told of this problem and who made the decision to keep them in the dark. He must ask who drafted the letter and why it was written the way it was. And he must also make sure credit unions are told the size of their bill for this mishap.
To talk about transparency is one thing. To show you mean what you say is another.
NCUA must fully disclose what they know and when they knew it.
Michael E. Fryzel is an attorney and consultant to the financial services industry in Chicagoo. The former NCUA chairman and board member can be reached at email@example.com.