Prevent Becoming the Headline of Tomorrow
Learn eight strategies for addressing emerging legal risks at your credit union in 2019.
Invest in technology solutions to protect member information. Data breaches and security threats are becoming more frequent and sophisticated, with nearly half of data breaches being caused by malicious or criminal acts. In 2019, expect the NCUA and state regulators to take a more proactive role in managing credit unions’ information security and technology systems. Although not required, obtaining cyber insurance and using the FFIEC’s Cybersecurity Assessment Tool are best practices. If a credit union declines to implement best practices, the rationale should be documented for examiners.
Police third-party vendors, which are often the weak links in cybersecurity. Following press reports that a large core processing vendor suffered a massive data breach, credit unions using third parties to provide digital solutions will be expected to more actively maintain their vendor management programs. A credit union should implement a strong onboarding and due diligence program for prospective vendors, actively monitor vendors’ legal compliance and negotiate sufficient contractual protections to safeguard member information.
Protect the attorney-client privilege during a data incident investigation. Data incidents come in all shapes and sizes, from the inadvertent disclosure of a single member’s information to a sophisticated attack used to access all of a credit union’s member information. Each data incident, no matter how small, creates opportunities for members, employees, business partners or regulators to become litigation adversaries and assert legal claims against the credit union. Outside counsel should be involved immediately following a data incident to lead the investigation. This will help the credit union assert the attorney-client privilege and shield documents relating to an investigation from disclosure to future litigation adversaries. A credit union should retain, or at a minimum identify, competent incident response counsel before an incident occurs.
Obtain consent before featuring people in social media or marketing materials. Privacy laws extend not only to account information, but also can protect a person’s name or image. For example, under New York’s right of privacy law, written consent is required before using a person’s name or picture for advertising or trade purposes. Even if written consent is not legally required, credit unions should respect the privacy preferences of members, employees and others being featured in social media or marketing materials.
Be cognizant of the #MeToo movement’s impact. The #MeToo movement has brought to light allegations of misconduct by members of countless industries, including the financial services industry. On the heels of the #MeToo movement, several states passed significant legislation aimed at providing greater protection against workplace harassment, and the NCUA is continuing to urge credit unions to prioritize diversity and inclusion. A credit union should adopt antiharassment and inclusion policies, regularly conduct employee training sessions, evaluate diversity policies and practices, and provide progress reports to its board of directors.
Avoid reproducing copyrighted works, including publicly available electronic materials. Publishers have been aggressively pursuing copyright claims to monetize their digital assets. Copyright laws apply to electronic works, even if those works are freely available on the internet. In general, copyrighted works may not be reproduced or publicly displayed without the publisher’s permission. This is true even if credit is given to the publisher and even if the work lacks the copyright symbol ©. A credit union can violate copyright laws by re-posting electronic materials online, such as on a social media page. Even internal forwarding of electronic materials to other credit union employees can be problematic. For example, some publishers include clauses in invoices or website terms of use restricting a subscription to a single credit union employee, and then sue when the authorized employee forwards the publication to other employees (but, take heart, we won’t sue you if you forward this article).
Assess and strengthen internal controls. The NCUA is aggressively addressing fraud and embezzlement as insider threats against credit unions become more common. For example, in August 2018, the NCUA board, invoking an infrequently used authority, filed administrative charges against the former CEO of a credit union and sought millions of dollars in restitution and civil penalties. Credit unions should review their internal controls to ensure they are effective against the growing frequency and sophistication of fraud and embezzlement risks. These controls are not for tricking or entrapping employees. Rather, effective internal controls reduce the temptation and opportunities for employees to act dishonestly.
Keep abreast of new developments. This is just the beginning. In 2019, expect new laws to surface that will more aggressively regulate credit unions. Long-standing laws, such as the Copyright Act and the Americans with Disabilities Act, will continue to take on new dimensions as technology changes. The best way to avoid becoming a headline in 2019 is to develop a relationship with a law firm that can provide your credit union with relevant updates on new legal developments.
Charles J. Nerko, Esq. is an attorney for Vedder Price P.C. He can be reached at 212-407-7700 or cnerko@vedderprice.com.
Mark C. Svalina, Esq. is an attorney for Vedder Price P.C. He can be reached at 312-609-7500 or msvalina@vedderprice.com.