Credit unions are constantly entering into agreements with third-party vendors ranging in criticality from vendors that implement a new core processor to vendors that provide custodial services. Regardless of the vendor, credit unions have a regulatory obligation to protect confidential member information. This regulatory obligation has come under increased scrutiny by the NCUA in light of the ever-present threat of cybersecurity data breaches. Therefore, in addition to credit unions' regulatory obligation to maintain the security and confidentiality of member information, it is also imperative for credit unions to address the data breach threat by ensuring that adequate protections are incorporated into their vendor agreements to avoid potential liability resulting from unauthorized access to or use of their confidential information.
Despite the fact that each third-party vendor agreement includes different contractual terms, credit unions should make sure that the following five provisions are addressed in some capacity. First, the agreement must state what information the parties consider to be “confidential.” If member information will be shared with the vendor, member information should be explicitly listed as the confidential information of the credit union. It must also be clearly stated that any and all confidential information of the credit union is and will continue to be the exclusive property of the credit union.
Next, the agreement must state, in detail, how the credit union's confidential information will be protected. The vendor should agree to keep confidential information disclosed by the credit union under the agreement confidential. The vendor should also agree to only use the credit union's confidential information in accordance with the agreement and to only disclose such information to those who need to perform the vendor's service obligations under the agreement. The vendor must always remain responsible for its confidentiality obligations under the agreement and must be held responsible for any breach of such obligations by any third party to which the vendor discloses the credit union's confidential information.
Third, if the credit union shares member information with a vendor, the vendor should have a security program in place to protect such information. The vendor should represent in the agreement that its security program will protect the credit union's confidential information in a manner that is at least consistent with the credit union's own regulatory obligations under NCUA Regulation Part 748. The agreement can go as far as to explicitly state that the vendor agrees to incorporate certain technical and physical controls to prevent access to the credit union's confidential information and that the vendor will only store such information in an encrypted format, or the agreement can generally state that the vendor will comply with its data security program or policy. Specificity is the preferred route in any third-party vendor agreement, but it is essential that such language is included in the agreement to hold the vendor accountable and that the credit union has an opportunity to adequately assess the vendor's security program. Credit unions should also periodically monitor the vendor's security program to ensure the vendor's compliance with its security obligations under the agreement. As such, language stating that the credit union may review and monitor the vendor's security program, or have access to any audits of the security program, should be included in the agreement.
The vendor agreement should also outline the procedures in the event there is a security breach that has, or may result in, unauthorized access to the credit union's confidential information. For example, if the vendor experiences a security breach that affects the confidential information of the credit union, the vendor must notify the credit union in writing; take all necessary measures to make sure that the security breach has ceased; investigate the nature, scope and duration of the breach and report its findings, along with what confidential information was affected, to the credit union; and notify and cooperate with law enforcement. Failing to include such provisions may result in uncertainty between the parties that can exacerbate the breach and potentially expose the credit union to further liability.
Finally, the vendor agreement should include what remedies are available to the credit union in two situations: when any security breach involving the credit union's confidential information occurs at, by or is attributable to the vendor; and when the vendor breaches its confidentiality or data security obligations. Any security breach that involves the credit union's confidential information could impose substantial costs on the credit union. NAFCU's 2015 Economic and CU Monitor February report contained a survey in which credit union respondents stated that they “spent an average of $226,000 and an estimate of 1,600 hours [in 2014] on debit and credit card fraud issues resulting from merchant data breaches.” Therefore, it is vital that credit unions address these potential costs in any vendor agreement.
In the event that any security breach occurs at, by or is attributable to the vendor that involves the confidential information of the credit union, the credit union should be reimbursed for all out-of-pocket costs and expenses related to the breach (e.g., notifying affected members and regulatory authorities; reissuing member access devices, account numbers, PINs, etc.; and hiring and retaining consultants to assist the credit union with public relations, legal counsel, data security analysis, fraud or identity theft monitoring services, etc.). In the event the vendor breaches any of its confidentiality or data security obligations, the credit union should have available to it any and all remedies under applicable law, including, but not limited to, injunctive relief to restrain the vendor from further breach and monetary damages resulting from the breach. Further, the vendor should indemnify the credit union against any claims arising from the vendor's use or mishandling of the credit union's confidential information, as well as from the vendor's breach of its confidentiality or data security obligations.
Credit unions will continue to enter into third-party vendor agreements to address their needs, as well as the needs of their members. Given the regulatory climate and the threat posed by data breaches, credit unions should confirm that their confidential information is adequately protected in any third-party vendor agreement before executing the agreement. In this context, a little contractual diligence can go a long way toward reducing the potential liability imposed as a result of unauthorized access to the credit union's confidential information.
Michael J. Heller is an attorney at Messick & Lauer, P.C. He can be reached at 610-891-9000 or [email protected].