Breach Blocking Encryption Rule on NCUA Agenda
NCUA Board Chairman Debbie Matz said the NCUA is contemplating proposing a rule that would require credit unions to encrypt the data provided to examiners, in response to an incident in which an examiner lost a flash drive with members’ personal information.
The incident occurred during an examination of the $13 million Palm Springs Federal Credit Union in Palm Springs, Calif.
Matz also estimated the cost of the breach to be $15,000 to $20,000.
“We are contemplating a rule, which would require encryption, but we’re not at the point where I can say we’re going in that direction yet but it’s clearly something we’re thinking about. Short of requiring it, we’re really struggling trying to figure out how to prevent data breaches. That’s a very fundamental thing to do, to make sure that if the data is lost or stolen that members’ confidential information is protected,” Matz told CU Times Tuesday.
“Believe it or not, we really don’t like putting out more regs than we need to but we’re struggling to determine if there’s another way to do this. Of course we’re always willing to hear suggestions from the credit union community about how to proceed,” she added.
Matz told CU Times the agency would decide the best way to proceed after the conclusion of the NCUA Inspector General’s investigation.
Asked whether the NCUA should have alerted the public as soon as the flash drive was lost, Matz said the agency very carefully followed the U.S. Office of Management and Budget guidance titled Recommendations for Identity Theft Related Data Breach Notification.
“There’s nothing to be gained from publicizing this type of low level breach because one, it could encourage criminals to approach these individuals and to try to sell them breach protection or other things or try to get information from them,” Matz said. “I mean, it really does encourage criminal behavior, perhaps, and there’s really not a benefit to be gained by publicizing it widely.”
Matz said the agency followed protocol after the flash drive was lost.
“It was an unfortunate situation. We do not know what happened to that thumb drive. We don’t know if it was accidentally discarded or if it is still sitting in somebody’s pocket somewhere,” she said.
According to Matz, the NCUA has agreed to bear any costs of providing data protection to the affected members but there has been no sign of unauthorized use of the data.
CU Times asked Matz for an estimate of the total cost the agency would have to pay as a result of the incident.
“It’s very low actually. There are 1,600 members who might have been affected by this and whatever the cost of the protection is, I’m guessing $30 or $40 a year per person so we’re not talking about a lot of money, we’re talking about probably $15,000-$20,000 at most,” Matz estimated. “It’s a relatively small amount but whatever it is, we’ve agreed to cover it.”