Harnessing Your CU’s Data Is Increasingly and Legally Crucial
It's quickly becoming as important to understand your institution’s data as it is to understand its finances.
As you put the finishing touches on, or frantically put a policy or procedure in place to comply with the Cyber Incident Notice Requirements, which take effect on Sept. 1, your credit union should also put aside some time to look at the forest and not just the trees when it comes to how your credit union plans on managing its data in the coming years.
A confluence of factors spurred by technological breakthroughs, a legal system scrambling to arbitrate the inevitable conflicts and a paralyzed national political system means that how you handle data has consequences that go far beyond notification requirements. In fact, it is quickly becoming as important to understand your institution’s data as it is to understand its finances. It impacts virtually every aspect of your operations.
The NCUA has done a great job of explaining the steps that all federally insured credit unions must take to provide timely notification of cyber incidents. But taking too narrow a view of this mandate is a great example of why it is absolutely essential, irrespective of your credit union’s size, to take a holistic view of your data policies.
Every state and the District of Columbia now has its own data breach notification statute, and you would be making a big mistake if you didn’t review each cyber incident in the context of those statutes as well as the NCUA rule. The two sets of requirements answer different questions: the NCUA rule mandates that you notify the agency of a reportable cyber incident, while most state laws govern when you must notify affected individuals, in this case your members. Concluding that an incident must be reported to the NCUA does not by itself mean you have to notify your members, and the reverse is also true: an incident that falls below the NCUA threshold may still trigger a state notification duty.
For instance, Idaho’s breach notification requirements emphasize the exposure of “non-encrypted data” while the NCUA’s regulation does not even reference the term. Similarly, an out-of-state CUSO working with a New York state-chartered institution is indirectly subject to many more data protection requirements than it would be working with a credit union in almost any other state. My point is not that one regulation is better than the other, but to emphasize the need to understand the nuances of competing requirements.
And don’t underestimate the risk of disclosing more information than you need to. The increased emphasis on data breach notification is arriving just as courts are taking an increasingly lenient view of what plaintiffs must plead in order to keep a data breach lawsuit from being dismissed.
One of the most basic issues in any lawsuit is a plaintiff’s ability to prove that the defendant’s conduct, even assuming it was negligent, caused the harm that the plaintiff is suing over. In the context of data breaches, this can be a difficult standard to meet since virtually any company with a website is being attacked by hackers on an almost continuous basis.
In TransUnion LLC v. Ramirez, the Supreme Court emphasized that to have standing to sue in federal court, a plaintiff must suffer “concrete harm.” “No concrete harm, no standing,” explained Justice Brett Kavanaugh, holding that only those class members whose inaccurate credit files had actually been disseminated to third parties had been harmed and could bring a lawsuit. Merely showing that TransUnion had failed to follow reasonable procedures in maintaining their data was not enough to sue the company.
When the case was originally decided, I thought it was a tremendous victory for businesses. But courts have struggled to adopt it and unfortunately, breach notifications have been used as evidence by courts that are refusing to dismiss data breach cases on causation grounds. For example, Geico recently tried to get a data breach class action lawsuit dismissed by arguing, among other things, that the alleged harm could not be traced back to Geico. In rejecting this argument, the Court explained, “Counsel’s argument is flatly inconsistent with the notice Geico issued following the incident, which concedes Geico had ‘reason to believe’ the information could be used” to facilitate cyber fraud.
Credit unions have recently been on the receiving end of similar arguments. Depending on the size of your credit union, a public notification of a breach can be followed within weeks by a lawsuit, with the notice featured prominently in the complaint.
Pulling back the lens a little farther, it is also important to emphasize your board’s obligation to ensure that appropriate data breach policies and procedures are put in place. This is the basic thrust of regulations recently finalized by the SEC, which mandate that publicly traded companies disclose more information not only about material cybersecurity incidents but about their cybersecurity risk management, strategy and governance. Credit unions are, of course, not subject to these requirements, but they underscore the need to ensure, again based on your credit union’s size and sophistication, that senior management is competent when it comes to managing electronic data and that your board knows what questions to ask. In fact, for those of you who have board candidate committees, trying to attract members with competencies in this area would be worth the effort.
Not everything your credit union should be contemplating in the cyber data space has to do with laws and regulations. The recent kerfuffle over AI demonstrates that access to and appropriate use of data is going to be one of the key tests for all businesses. The sooner your credit union starts examining the potential use of AI and similar technology to improve underwriting and enhance micromarketing opportunities for your members, the better positioned it will be to compete in the coming years. But initiatives like these will not be effective unless someone is responsible for knowing what data the credit union uses, which vendors it could partner with to access and process even more data, and how the integrity of the data being used is maintained. Merely adding these responsibilities to those of your IT director or your head of compliance misses the mark.
It is that time of year when boards will be meeting offsite to take a big-picture look at where the credit union is headed and the resources it needs to continue its journey. Personally, I can’t think of a better issue to discuss than your credit union’s plan not only to protect itself against the legal risks of cyber breaches but how it is going to position itself to enhance the member experience as it becomes increasingly dependent on understanding and harnessing the power of data.
Henry Meier is the former General Counsel of the New York Credit Union Association, where he authored the popular New York State of Mind blog. He now provides legal advice to credit unions on a broad range of legal, regulatory and legislative issues. He can be reached at (518) 223-5126 or via email at henrymeieresq@outlook.com.