ALEXANDRIA, Va. – In a recent legal opinion letter, NCUA stated that federally insured credit unions do not have to notify NCUA of every potential security breach affecting sensitive member information. Redstone Federal Credit Union Compliance Manager Suzanne Turner wrote the agency seeking guidance on notifying NCUA following a data security breach and asked about several hypothetical examples ranging from human error to computer hacking.

“The overriding theme of NCUA’s guidance to credit unions in this area is risk assessment,” NCUA Associate General Counsel Sheila Albin wrote in Legal Opinion Letter 06-0332. “When an incident occurs, the first step of any response program should be to assess the nature and scope of the incident and the likelihood of harm to the member whose information is affected. Where an incident, even one involving sensitive member information, involves little or no likelihood of harm to the member, a credit union need not notify the NCUA.”

Albin added that NCUA’s rules do not prescribe a method of notification, but credit unions should use a form that is “reasonably likely to be effective.” She also recommended using a method that could be documented, such as a letter, e-mail, or fax. If the urgency of the situation requires a phone call, try to document it in some way. Notification should be provided as soon as possible following the incident, and separate notices are required for separate incidents.

“In this respect, credit unions should consider providing a follow-up notice to keep NCUA apprised of significant new circumstances relating to a specific incident previously reported,” Albin wrote. Good judgment should be used in determining the content of the notification, she explained.