NAFCU Deems Data Encryption Rule Unnecessary
The NCUA should look internally for ways to better protect credit union members’ data, rather than impose a new rule, according to NAFCU Director of Regulatory Affairs Alicia Nealon.
Nealon’s statement was made in response to NCUA Board Chairman Debbie Matz floating the possibility of a proposed data encryption rule after an agency examiner lost a thumb drive with personal credit union member information.
“Credit unions must already follow stringent data security and privacy requirements, and they have a strong track record of regulatory compliance with these requirements. Credit unions also constantly strive to implement the highest safeguards for their members data,” Nealon said Wednesday.
A recent survey of NAFCU’s member credit unions found that credit unions not only meet the regulatory requirements, but also voluntarily implement many of NCUA’s suggested best practices in order to better safeguard their members data, according to Nealon.
“Rather than promulgating additional regulatory burdens on credit unions, NCUA should take a look internally at what actions the agency can take to better protect the credit unions data in its care,” she said.
Matz estimated the cost of the data breach incident at the $13 million Palm Springs Federal Credit Union in Palm Springs, Calif., to be around $15,000 to $20,000.
“We are contemplating a rule, which would require encryption, but we’re not at the point where I can say we’re going in that direction yet but it’s clearly something we’re thinking about. Short of requiring it, we’re really struggling trying to figure out how to prevent data breaches. That’s a very fundamental thing to do, to make sure that if the data is lost or stolen that members’ confidential information is protected,” Matz told CU Times.
“Believe it or not, we really don’t like putting out more regs than we need to but we’re struggling to determine if there’s another way to do this. Of course we’re always willing to hear suggestions from the credit union community about how to proceed,” she added.
CUNA has not commented on the possibility of a proposed data encryption rule.