SACRAMENTO, Calif. – Credit unions serving members in California must now promptly notify them if computer hackers gain access to members' personal information. Under a new state law that went into effect July 1, credit unions, along with other businesses, state agencies and individuals with customers in California, must alert their members and customers if hackers obtain their names, Social Security numbers, driver's license numbers or credit card numbers.

The aim of the legislation was to help prevent identity theft, one of the fastest growing crimes in California. "According to the Attorney General, victims of identity theft must act quickly to minimize the damage; therefore expeditious notification of possible misuse of a person's personal information is imperative," the measure stated.

Some published reports question how many businesses, both inside and outside of the state, were even aware of the legislation. Credit unions that belong to the California/Nevada Credit Union League were notified of the measure in January in a bulletin issued by the league's research and information department. A reminder about the bill was included in a June 26 e-mail newsletter sent to league members.

From the nation's largest credit union, Navy Federal, which is headquartered in Vienna, Va., and has a branch in California, to the small St. Johns Methodist Federal Credit Union in Los Angeles, officials said they were aware of the new law.

"We're very aware of this legislation and we will comply with it," said Loren Moeller, a spokesperson for Navy Federal. "If our systems are hacked, yes, we will notify members."

But, she added, no breach of the computer system has ever occurred in the history of Navy Federal, which serves more than 2 million members and has assets of some $17 billion. "We continue to report to the board that our computer systems have never been compromised or hacked into," Moeller said. "If and should it ever happen, which of course it hasn't in our history, we will comply and notify our members."

Moeller said Navy Federal already had tough security measures in place and did not plan any changes in the wake of the California law.

Donna Mitchell, manager of St. Johns Methodist FCU, said her members' information was safe and secure and no other safety measures were being taken. She said she learned of the California legislation from the National Credit Union Administration. "Our computer system is OK," Mitchell said. "We make sure of that. We protect it all the way."

Teresa Halleck, president and chief executive officer of The Golden 1 Credit Union – the largest credit union in California – also said no changes were planned since its computer system was adequately protected. "We are extremely proactive in making sure our system is hacker proof," she said. "We go the extra mile."

Halleck said that even before the law went into effect, Golden 1 would notify members if there was any possibility their information had been compromised. That was the case earlier this year when a hacker gained access to more than 5 million Visa and Mastercard credit card accounts in the U.S. The hacker gained entry into the security system used by a company that processes credit card transactions for merchants. Visa and Mastercard then notified financial institutions about the break-in.

"A lot of financial institutions when it happened chose not to do anything," Halleck said. "We did. We notified our members, shut down the accounts and reissued new cards. We take privacy and security very seriously and we're very proud of that."

Both Visa and Mastercard said none of the hacked information, which included credit card numbers, had been used fraudulently.

SB1386 was passed last year by the Legislature after hackers managed to gain access to a state computer system and obtain the payroll information and Social Security numbers of 265,000 state employees.
The intrusion wasn't discovered for a month and state workers weren't notified of the theft until two weeks after that.

The new law requires businesses and government agencies, whether located inside or outside of California, to notify customers "in the most expedient time frame possible consistent with the legitimate needs of law enforcement" if their unencrypted information has been compromised. The law applies to any agency, person or business that owns, licenses or maintains computerized data that includes personal information.

Companies can notify customers of computer breaches by letter, e-mail, by "conspicuous posting" on a company Web site or through notification of major statewide media.

There are no monetary penalties spelled out in the bill for companies that fail to comply. The measure does allow for consumers to bring a civil action to recover damages.

The bill, passed last year, was authored by then state Sen. Steve Peace, who served 20 years in the legislature before term limits forced him out. Peace has since been appointed as state director of finance by Gov. Gray Davis.

At least one California credit union said it was unfazed by the new law. "We are not computerized," said Martin Kellogg of the tiny Isla Vista Community Federal Credit Union, which has about 15 active members and $68,000 in assets. "We still use ink on paper ledger cards, hand-written."