NCUA Board Vice Chairman Rick Metsger told CU Times he has directed staff to draw up guidelines requiring credit unions to encrypt all of the data they provide to the NCUA or state examiners.
CU Times asked Metsger Thursday about the examiner who lost a flash drive containing the personal information of members from the $13 million Palm Springs Federal Credit Union in Palm Springs, Calif.
Metsger said an NCUA examiner should never accept non-encrypted information from a credit union that is not password protected on a storage device.
He declined to comment on the specifics of the Palm Springs case, but said the agency is taking a number of steps in response to the incident.
“I've asked staff to draft new rules and guidelines to protect consumers' personal information, specifically requiring credit unions to encrypt and password protect all data they provide to the NCUA or state examiners and prohibiting credit unions from providing data in an exam process which includes either passwords, a PIN number or full social security number. The examiner does not need a full social security number,” Metsger said.
He added, “While there are guidelines for credit unions now, I believe it should be required that this information not be conveyed in any way during the exam process.”
Metsger emphasized that the Palm Springs incident is the first of its kind after more than 28,000 exams in the last six years.
“There is a human element obviously in anything and when you do tens of thousands of exams, you can anticipate that sometimes someone is going to make a human error,” he said. “We try to be perfect, obviously. Our rules and procedures are very clear. When they are not followed, you can have an issue so we take it very seriously.”
CU Times asked Metsger if the NCUA should adopt a rule in the near future that would prohibit examiners from carrying a portable drive containing member data.
“I do think we have to look at that,” Metsger responded. “It's always regulatory burden versus what is important to protect information. We have a lot of small credit unions and they operate with less technology than larger ones and we've been preaching that everyone has to take all of this serious – NCUA as well as individual credit unions – that no matter what your size is, the protection of data is very important.”
Metsger envisioned such a policy change being adopted internally, rather than through a full board vote.
“It needs to be our procedures through our Office of Examination and Insurance,” he said.
The NCUA currently issues encrypted USB drives to all examiners. When data is transferred to an examiner, it is supposed to be done on an encrypted USB drive. Metsger said the agency might create a secure website so sensitive data can be transferred safely online.
“From our standpoint, we have encrypted devices like flash drives that we can give to a credit union to put their information on and return to NCUA but currently, some credit unions use their own devices and provide them to NCUA which are not encrypted so it's not a question of we did not have a policy,” Metsger said. “The question is, were the policies followed? We should not be accepting non-encrypted information from a credit union.”
Metsger was also asked if the Palm Springs incident could hurt the NCUA's message to the credit union industry on data security.
“Actually, I think it strengthens the message. Obviously, we have indicated this is a perfect example that even though you can go 28,000 exams without an issue, that an issue can still happen, even through a regulator or during an exam process,” he said. “I think that should strengthen the message for those that think their processes are strong and that nothing will happen.”
Metsger urged credit unions to remember the Palm Springs incident was not a cybersecurity issue since no one stole the data through a hack.
“This isn't cybersecurity. No one hacked this and came and stole it. It got lost by the process so it could be in a landfill somewhere. It could be in somebody's desk,” he said.
Metsger noted, “It wasn't stolen. It clearly was misplaced and hasn't been found. Obviously that's not acceptable in any case. You don't want to take that risk but we need to make sure our policies are followed and that credit unions understand that providing data that is not protected is a potential problem.”