What Your Credit Union Needs to Know About Data Breaches

December 15, 2020

Reports of a major data breach seem to be becoming as much a fixture of the holiday season as chestnuts roasting on an open fire. While there has been no reported breach yet of a major legacy retailer – but there are still nine shopping days ‘til Christmas – surely news that the Russian government has engaged in one of the largest and most successful cyber hacks ever is enough justification to remind us of what our obligations are to our members’ data. Besides, the FDIC is going to consider a notice of proposed rulemaking on computer security incident notifications on its agenda today. Could similar consideration by the NCUA be close behind?

Is this an area of law that really needs to be updated? You bet it does. Most importantly, financial regulators including the NCUA haven’t made major changes to the area of data security reporting since 2005, which as today’s American Banker points out, was right around the time this thing called the iPhone began to be sold by Apple. The result of federal inaction has been a hodgepodge of state-level regulations and statutes which all seek to accomplish the same basic goals, but with important distinctions. 

This is an area that is crying out for federal action to bring uniformity. In the meantime, remember some of the key regulations and statutes to which you are subject. On the federal level, we have 12 CFR Part 748 and Appendix B, which outlines the requirement that all credit unions have a framework for assessing the scope of data breaches which compromise data privacy. As explained in this well-written opinion letter, “the overriding theme of NCUA’s guidance to credit unions in this area is risk assessment. When an incident occurs, the first step of any response program should be to assess the nature and scope of the incident and the likelihood of harm to the member whose information is affected. 12 C.F.R. Part 748, Appendix B, §II(A)(1)(a). Where an incident, even one involving sensitive member information, involves little or no likelihood of harm to the member, a credit union need not notify the NCUA.” If all we had were these GLB-inspired mandates, the sole obligation of financial institutions in this area would be to have a policy and procedure in place with regard to protocols for protecting member information.

But in the absence of federal action in this area, almost all states have developed their own data breach requirements, and no state outside of California has been more aggressive than New York. Regardless of whether you are a federal or state chartered credit union, you are required to comply with Section 899-AA of New York’s General Business Law, which lays out detailed requirements for informing members when their personal information has been compromised, as well as when to inform the Attorney General of a suspected data breach. Specifically, it states that in the event that a breach impacts 500 or more New York residents, the attorney general must be informed in writing by the liable entity within 10 days. This is in addition to New York’s Department of Financial Services cybersecurity regulations, which have their own set of requirements. On paper, the latter regulation just applies to state-licensed or chartered institutions. However, in the absence of federal guidelines, you must always be mindful of what a court would judge as “reasonable conduct” for your industry if your credit union was to be sued for negligently protecting member data.

By the way – I haven’t even mentioned California’s data security requirements, which some New York credit unions have decided they should comply with. It’s a good thing that we have a functional and thoughtful Congress anxious to address these concerns.

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
