The NCUA’s Office of the Inspector General said it found no evidence the NCUA’s Office of General Counsel attempted to distort the fact that an examiner was responsible for the loss of a flash drive during a credit union examination.
In December 2014, CU Times was the first to report that the incident occurred at the $13 million Palm Springs Federal Credit Union in Palm Springs, Calif. The agency paid $50,000 as a result of the breach.
“(The) OIG concluded that the executive director’s decision not to publicly announce the incident on NCUA’s website was appropriate under the circumstances,” the OIG’s Management Advisory Review said.
According to the OIG’s March 5 report, the flash drive did not include passwords or PINs.
“To date, neither NCUA nor PSFCU has received an indication of any unauthorized access to members’ accounts or attempts to gain improper access as a result of the incident,” the report said.
The OIG reported that it learned through its interviews with the Office of General Counsel that the office supported the decision to use the term audit instead of exam in the notification letter.
“OGC’s stated reason for agreeing with PSFCU counsel that the term ‘audit’ should be used in the letter was based on its opinion that stating in the letter that an ‘examiner’ was involved in the loss would be tantamount to NCUA admitting liability,” the report said.
OIG also found no wrongdoing on the part of the NCUA when drafting the notification letter about the incident.
“While OGC’s intention throughout the process of drafting the letter was to shield NCUA from potential liability, it did not advance that goal at the expense of attempting to mislead affected PSFCU members, the California OAG or the California public,” the report said. “Moreover, PSFCU legal counsel’s statements that OGC accepted that an examiner error resulted in the loss, and its representation that NCUA intended to assume financial responsibility for the ensuing repercussions, further obviated any inference that OGC was attempting to misdirect NCUA’s culpability for the incident.”
After reviewing the facts and the notification letter, the agency’s Breach Notification Team determined that it was not necessary to post an additional notification of the incident on the NCUA website.
“Moreover, it concluded that such additional public notice could be detrimental,” the review said.
The OIG recommended the NCUA send out a memo immediately outlining information security best practices for examiners when obtaining data from credit unions. The report said the NCUA has implemented the recommendation.
The OIG also suggested the NCUA roll out specialized information security training for examiners. The NCUA has started to implement this item simultaneously with issuing new employee and contractor laptops.
NAFCU President/CEO Dan Berger said the association recognizes the NCUA’s efforts to assess its systems and restate its policies to prevent a similar incident from recurring in the future.
“We firmly believe that NCUA, as a steward of credit unions’ sensitive information and as a federal regulator, must be held to the highest standard for safeguarding such data. We urge NCUA to continue to review its internal practices to ensure they are sufficient to protect data,” he said.