Posts tagged ‘data security’

What Your Credit Union Needs to Know About Data Breaches

Reports of a major data breach seem to be becoming as much a fixture of the holiday season as chestnuts roasting on an open fire. While there has been no reported breach yet of a major legacy retailer – but there are still nine shopping days ‘til Christmas – surely news that the Russian government has engaged in one of the largest and most successful cyber hacks ever is enough justification to remind us of what our obligations are to our members’ data. Besides, the FDIC is going to consider a notice of proposed rulemaking on computer security incident notifications on its agenda today. Could similar consideration by the NCUA be close behind?

Is this an area of law that really needs to be updated? You bet it does. Most importantly, financial regulators including the NCUA haven’t made major changes to the area of data security reporting since 2005, which as today’s American Banker points out, was right around the time this thing called the iPhone began to be sold by Apple. The result of federal inaction has been a hodgepodge of state-level regulations and statutes which all seek to accomplish the same basic goals, but with important distinctions. 

This is an area that is crying out for federal action to bring uniformity. In the meantime, remember some of the key regulations and statutes to which you are subject. On the federal level, we have 12 CFR Part 748 and Appendix B, which outline the requirements of all credit unions to have a framework for assessing the scope of data breaches which compromise data privacy. As explained in this well-written opinion letter, “the overriding theme of NCUA’s guidance to credit unions in this area is risk assessment. When an incident occurs, the first step of any response program should be to assess the nature and scope of the incident and the likelihood of harm to the member whose information is affected. 12 C.F.R. Part 748, Appendix B, §II(A)(1)(a). Where an incident, even one involving sensitive member information, involves little or no likelihood of harm to the member, a credit union need not notify the NCUA.” If all we had were these GLB-inspired mandates, the sole obligation of financial institutions in this area would be to have a policy and procedure in place with regard to protocols for protecting member information.

But in the absence of federal action in this area, almost all states have developed their own data breach requirements, and no state outside of California has been more aggressive than New York. Regardless of whether you are a federal or state chartered credit union, you are required to comply with Section 899-AA of New York’s General Business Law, which lays out detailed requirements for informing members when their personal information has been compromised, as well as when to inform the Attorney General of a suspected data breach. Specifically, it states that in the event that a breach impacts 500 or more New York residents, the attorney general must be informed in writing by the liable entity within 10 days. This is in addition to New York’s Department of Financial Services cybersecurity regulations, which have their own set of requirements. On paper, the latter regulation just applies to state-licensed or chartered institutions. However, in the absence of federal guidelines, you must always be mindful of what a court would judge as “reasonable conduct” for your industry if your credit union were to be sued for negligently protecting member data.

By the way – I haven’t even mentioned California’s data security requirements, which some New York credit unions have decided they should comply with. It’s a good thing that we have a functional and thoughtful Congress anxious to address these concerns.

December 15, 2020 at 9:52 am

CU Lawsuit Highlights an Issue We Can All Agree On

Despite the election, one area that Americans can usually find common ground on is the need for more protections for data security. Yesterday, a federal court in Ohio allowed a class-action lawsuit brought against the Sonic restaurant chain by, among others, American Airlines FCU, Arkansas FCU and Redstone FCU to go forward. When you’re talking to those newly minted Congressional members following the election, Sonic Corp. Customer Data Breach Litigation is the best example I’ve seen on why Congress needs to implement uniform data security standards.  

The case involves a data breach that occurred over a six-month period because Sonic used antiquated technology. Most importantly, its point of sale terminals were not required to have encryption technology, giving hackers easy access to card information for several months. That encryption has, of course, become common practice for many institutions and is a required component of the data protection plans for all New York State Chartered and licensed institutions. 

The case is also instructive for another reason. One of the key issues in data breach litigation continues to be determining who is actually injured by a data breach. In seeking class-action status, the financial institutions argued that the class of plaintiffs eligible to sue Sonic should include “All banks, credit unions, financial institutions, and other entities in the United States that received an alert of a potentially compromised account from any card brand in the Sonic Data Breach.”  The court slightly modified this class, allowing the suit to go forward for “all banks, credit unions, and financial institutions in the United States that received notice and took action to reissue credit cards or reimbursed a compromised account from any card brand involved with the Sonic Data Breach.” In contrast, merchants continue to argue that only persons who can demonstrate that their data was actually stolen by hackers should be able to sue. 

In short, this case is the latest example of how merchants want to benefit from card technology, but make financial institutions responsible for all the risks and costs associated with its use. 

New York Extends Remote Notarization Authorization

Earlier this week, the Governor’s office issued another extension of its remote notary authorization. This is welcome news for those of us requiring notarization for documents – especially as COVID-19 cases begin to surge again across the country.

November 5, 2020 at 9:22 am

Three Things You Need to Know about What’s Going on in D.C.

Yours truly overslept a little this morning, but having just visited the nation’s capital with a hearty group of New Yorkers, I wanted to get out some thoughts to you on what’s going on at the federal level while it is fresh in my mind.

First, the most practical news you need to know is that, if all goes according to plan, the House of Representatives will pass the SAFE Act later today. This is the bill that would essentially allow financial institutions to provide banking services to marijuana-related businesses in states where it is legal to do so. Of course, it remains to be seen whether the Senate will take up this legislation. For what it’s worth, however, I am cautiously optimistic. Even people opposed to the legalization of marijuana understand that it simply is not safe to make legal businesses carry around millions of dollars in cash because financial institutions cannot legally accept their money. Of course, if the SAFE Act does pass, it will put that much more pressure on the state to develop a framework for the legal sale and distribution of marijuana for recreational purposes.

Point number two, what is going on with data security? Despite the fact that virtually every single industry in this country is losing billions of dollars to cyber theft every year, that almost every financial institution has members who are victimized by hackers, and that the last few years have demonstrated that having a robust cyber infrastructure is a crucial national security issue, no one seems willing or able to come forward with a bill that addresses the issue on the national level. What is going on here? I honestly don’t get it. In the absence of federal action, we will see more action on the state level. This is far from ideal. This is a classic federal problem that needs a federal solution, but if Congress won’t act, someone will have to.

Finally, there is a generational and ideological shift taking place within the Democratic Party. On both the state and federal level, you are seeing established members being primaried, often by younger candidates whose views would have made them unelectable just five years ago. I’m concerned that credit unions aren’t adequately preparing for this decisive shift. Credit unions have for decades fought against the banks to keep their tax exemption, but I’ve said it before, and I’ll say it again. The greatest long-term threat to the credit union industry comes not from pro-bank legislators, but from younger progressives disillusioned by the entire financial system that are skeptical of whether credit unions do enough to help the average consumer.


September 25, 2019 at 9:24 am

This Year’s Federal and State Priorities

Today marks the ceremonial start of New York State’s legislative session with the brand new Senate Majority taking over at 1:00 p.m. The Governor’s State of the State, which used to kick off the legislative session, is scheduled for later this month.

Meanwhile, the NCUA released its annual letter to credit unions detailing what its examiner priorities will be when they visit credit unions in the coming year. For you football fans out there, I like to think of this as the equivalent of the points of emphasis that the NFL tells referees to follow with the result that the first two weeks of any football season features too many penalties. Anyway, here is a look at some of the key federal and state priorities.

Meet The New Boss of New York

A historic transfer of power will take place today when Andrea Stewart-Cousins becomes the Democratic Senate Majority Leader. Just how historic is this? Since the end of WWII, except for brief spells, the Senate Majority in New York has been a Rockefeller Republican majority. In contrast, since the aftermath of Watergate, Democrats have taken firm control of the Assembly and never looked back.

Against this backdrop, the Association is hopeful that this new mix brings new opportunities to advance these issues:

Municipal/public deposits; Remember, New York is one of the minority of states that doesn’t allow local government agencies to place money with credit unions. The result of this banker monopoly is that New York taxpayers don’t get to see their money placed where it would generate the best returns. Last I checked, choice is a good thing.

Data Security; Ideally, the federal government would take the lead on this issue but in the absence of federal action there are steps the state could take to make merchants responsible for the cost of data breaches caused by their own negligence as well as making sure that all businesses are subject to the type of baseline cybersecurity requirements to which banks and credit unions have long been subject.

Foreclosure Reform; New York State has been among the leaders in ensuring that homeowners have adequate protections when they fall behind on their mortgage payments and it should remain so. But there is a middle ground between adequate due process and excessive delays which do nothing but bring down the value of property in neighborhoods by keeping people in houses they can’t afford to maintain properly. Recently, Fannie and Freddie announced that servicers of mortgage loans in New York City would have 2,190 days to foreclose on delinquent property before they face penalties and 1,740 outside of the Big Apple. In contrast, there are states where lenders have as little as 420 days.

State Charter Enhancement; One other thing we will be advocating for is continuing our momentum in making the state charter a more attractive option for credit unions. We’ve already made great strides in this area but with the state’s wildcard power due to expire and operational issues arising there is still more to be done.

Supervisory Priorities

The NCUA’s supervisory priorities for 2019 contain many of the usual suspects. Of course, the Bank Secrecy Act is on the list but this year’s emphasis will be on your credit union’s policies and procedures for identifying “beneficial owners.” Other priorities include concentration of credit; HMDA data collection (See yesterday’s blog); the Military Lending Act; Regulation B compliance and “information security maturity assessments with the Automated Cybersecurity Examination Toolbox (ACET).” My God that sounds worse than a trip to the dentist. This year examiners will also be asking credit unions what they are doing to prepare for our new best friend CECL (Current Expected Credit Losses). Be sure to look at the whole list and keep this posted by your desk throughout the year.

January 9, 2019 at 9:38 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
