Credit unions are constantly entering into agreements with third-party vendors ranging in criticality from vendors that implement a new core processor to vendors that provide custodial services. Regardless of the vendor, credit unions have a regulatory obligation to protect confidential member information. This regulatory obligation has come under increased scrutiny by the NCUA considering the ever-present threat of cybersecurity data breaches. Therefore, in addition to credit unions' regulatory obligation to maintain the security and confidentiality of member information, it is also imperative for credit unions to address the data breach threat by ensuring there are adequate protections incorporated into their vendor agreements to avoid potential liability resulting from unauthorized access or use of their confidential information.


Despite the fact that each third-party vendor agreement includes different contractual terms, credit unions should make sure that the following five provisions are addressed in some capacity. First, the agreement must state what information the parties consider to be “confidential.” If member information will be shared with the vendor, member information should be explicitly listed as the confidential information of the credit union. It must also be clearly stated that any and all confidential information of the credit union is and will continue to be the exclusive property of the credit union.


Next, the agreement must state, in detail, how the credit union's confidential information will be protected. The vendor should agree to keep confidential information disclosed by the credit union under the agreement confidential. The vendor should also agree to only use the credit union's confidential information in accordance with the agreement and to only disclose such information to those who need it to perform the vendor's service obligations under the agreement. The vendor must always remain responsible for its confidentiality obligations under the agreement and must be held responsible for any breach of such obligations by any third party to which the vendor discloses the credit union's confidential information.


Third, if the credit union shares member information with a vendor, the vendor should have a security program in place to protect such information. The vendor should represent in the agreement that its security program will protect the credit union's confidential information in a manner that is at least consistent with the credit union's own regulatory obligations under NCUA Regulation Part 748. The agreement can go as far as to explicitly state that the vendor agrees to incorporate certain technical and physical controls to prevent access to the credit union's confidential information and that the vendor will only store such information in an encrypted format, or the agreement can generally state that the vendor will comply with its data security program or policy. Specificity is the preferred route in any third-party vendor agreement, but it is essential that such language is included in the agreement to hold the vendor accountable and that the credit union has an opportunity to adequately assess the vendor's security program. Credit unions should also periodically monitor the vendor's security program to ensure the vendor's compliance with its security obligations under the agreement. As such, language stating that the credit union may review and monitor the vendor's security program, or have access to any audits of the security program, should be included in the agreement.


The vendor agreement should also outline the procedures in the event there is a security breach that has resulted, or may result, in unauthorized access to the credit union's confidential information. For example, if the vendor experiences a security breach that affects the confidential information of the credit union, the vendor must notify the credit union in writing; take all necessary measures to make sure that the security breach has ceased; investigate the nature, scope and duration of the breach and report its findings, along with what confidential information was affected, to the credit union; and notify and cooperate with law enforcement. Failing to include such provisions may result in uncertainty between the parties that can exacerbate the breach and potentially expose the credit union to further liability.


Finally, the vendor agreement should include what remedies may be available to the credit union in the event any security breach occurs at, by or is attributable to the vendor, which involves the confidential information of the credit union; or the vendor breaches its confidentiality or data security obligations. Any security breach that involves the credit union's confidential information could impose substantial costs on the credit union. NAFCU's February 2015 Economic and CU Monitor report contained a survey in which credit union respondents stated that they “spent an average of $226,000 and an estimate of 1,600 hours [in 2014] on debit and credit card fraud issues resulting from merchant data breaches.” Therefore, it is vital that credit unions address these potential costs in any vendor agreement.


In the event that any security breach occurs at, by or is attributable to the vendor that involves the confidential information of the credit union, the credit union should be reimbursed for all out-of-pocket costs and expenses related to the breach (e.g., notifying affected members and regulatory authorities; reissuing member access devices, account numbers, PINs, etc.; and hiring and retaining consultants to assist the credit union with public relations, legal counsel, data security analysis, fraud or identity theft monitoring services, etc.). In the event the vendor breaches any of its confidentiality or data security obligations, the credit union should have available to it any and all remedies under applicable law, including, but not limited to, injunctive relief to restrain the vendor from further breach and monetary damages resulting from the breach. Further, the vendor should indemnify the credit union from any claims arising from the vendor's use or mishandling of the credit union's confidential information, as well as the vendor's breach of its confidentiality or data security obligations.


Credit unions will continue to enter into third-party vendor agreements to address their needs, as well as the needs of their members. Given the regulatory climate and the threat posed by data breaches, credit unions should confirm that their confidential information is adequately protected in any third-party vendor agreement before executing the agreement. In this context, a little can go a long way to reduce potential liability imposed as a result of unauthorized access to the credit union's confidential information.


Michael J. Heller is an attorney at Messick & Lauer, P.C. He can be reached at 610-891-9000 or [email protected].
