Dangerous Data Security Myths: Get Them Before They Get You

How safe is your member data? Not nearly as safe as you might imagine, especially if you're blissfully unaware that many common assumptions about important data security matters are dangerously inaccurate.

Below, five data security experts identify potentially costly misconceptions and share vital best practices. Is your credit union security-savvy or needlessly vulnerable?

1. Risky Business

Myth: My credit union is small, so my fraud risk is in line with the size of my card portfolio. It's unlikely that my credit union will experience a significant fraud event.

Truth: "Risk is inherent to each transaction and the level of risk increases proportionally to the total amount of customer funds that are available electronically," explains JB Rambaud, EVP, and chief risk and security officer for Fiserv EFT. For example, one small institution without neural/detection tools in place recently suffered a $250,000 fraud on a single card within a single 24-hour period.

Best-practice: "Financial institutions should measure their risk probability at both the transaction and overall fund availability levels," recommends Rambaud. "Fiserv EFT can protect financial institutions of any size from transaction risk with its suite of risk management tools, ranging from neural solutions to transaction blocking."

2. Don't Ask, Don't Tell

Myth: My NCUA examiner hasn't asked me about my credit union's data security precautions, and probably never will!

Truth: "This is a widespread myth that creates a lot of trouble for credit unions," says Richard Lopez, senior data security specialist at CUSA Technologies. "During the past several months, our Managed Security Services Team has experienced a steady increase in the number of credit unions contacting us for assistance in response to a visit from an NCUA examiner.

"Most often, the examiner has given the credit union a data security compliance deadline that requires immediate action. It's far better to be in compliance before the examiner arrives than to scramble for a solution after the examiner leaves."

Best-practice: "One effective way to prepare in advance is to review the data security compliance requirements that are detailed in NCUA Rules and Regulations Part 748, Appendix A and Appendix B, and to immediately contact your core system provider for a solution if your credit union doesn't meet the guidelines," Lopez explains. "You should expect your core system provider to be prepared to offer a solution. For example, at CUSA Technologies we offer a robust Managed Security Services program to our clients that not only addresses compliance issues but also eliminates the need for the credit union to hire a full-time data security officer."

3. The Tape Trap

Myth: My tape-based protection is good enough. There's no compelling reason to switch to online backup - it's too expensive.

Truth: "Credit unions can ill-afford to continue investing in tape backup technology," states William da Cunha, vice president of alliances at EVault, Inc., a Seagate Technology company. "Gartner Group research found that tape is unreliable - recoveries fail upwards of 30% of the time.

"Also according to Gartner, a single breach can cost credit unions an average of $350 per member if information is compromised, not to mention the potential loss of reputation and future business. I recommend that credit unions look for a trusted provider that fully encrypts data in transit and in storage. Online backup can make this automatic. It prevents unauthorized viewing of sensitive information, and assures compliance with regulatory requirements for security, offsite backup, documentation, and retention.

"Claims that tape backup is cheaper are no longer true: when all costs are factored in - including expenses for hardware, software, tapes, physical transport, warehousing, maintenance, and staff time - online backup is ultimately less expensive and more secure than tape," he added.

Best-practice: "Credit unions should consider online backup in addition to the tape to minimize risks associated with data loss, media failure and physical transport," da Cunha said.

4. Prescription For Disaster

Myth: My credit union doesn't need a disaster recovery plan because its computer equipment is protected under a hardware maintenance contract. If a disaster occurs, my hardware maintenance provider will deliver disaster recovery services.

Truth: "This is a particularly dangerous - and potentially very costly - myth that far too many credit unions believe," states Gregg Thackeray, services account manager for CUSA Technologies.

"The industry-standard hardware maintenance contract is intended to cover equipment failures caused by everyday wear and tear. Many standard hardware maintenance contracts specifically exclude service and repair to equipment damaged during an act of God or terrorist-related event. In such cases, a robust disaster recovery plan is absolutely necessary to ensure that vital member data will not be lost or compromised during a disaster," he said.

Best-practice: "My best advice to credit unions is this: review your hardware maintenance contract carefully," suggests Thackeray. "Contact your account representative right away for help interpreting the contract if necessary. Then act immediately to protect yourself and your members. It's a much simpler process than most credit unions realize. For example, CUSA Technologies offers both hosted and onsite disaster recovery programs that are affordable and can be implemented quickly. Where data security is concerned, it's much better to be safe than sorry."

5. The Manhattan Transfer

Myth: I've heard that data processors are required by law to encrypt member statement data before sending it to a print or mail house, so I'm confident all my member data is safe and secure during the many phases of statement processing and printing.

Truth: "The unfortunate reality is that many data processors do not take adequate security precautions when transferring member statement data," says Shaun Gehman, vice president of member services at CUSA Technologies. "In addition, many credit unions don't know how to evaluate the effectiveness of the security precautions their data processors may utilize."

Best-practice: "For a truly secure data transfer, all member statement data should be encrypted by the data processor before it is sent to the print house," Gehman explains. "I advise all credit unions to verify that their data processors encrypt. If they don't encrypt, credit unions should strongly consider switching to a provider that does.

"CUSA Member Services takes data security very seriously. Not only do we encrypt all member statement data before transferring it to our print and mail houses, but we also utilize an extremely advanced type of encryption. Because it contains an encryption key, only the designated receiver can unlock the encryption. This means that even if member statement data was intercepted, it would be impossible to view."

Many thanks to Fiserv EFT, CUSA Technologies, and EVault, Inc., for their significant contributions to this article.

Teresa Zundel is director of marketing communications at CUSA Technologies and can be reached at teresa.zundel<at>fiserv.com.


Credit Union Journal encourages reader feedback. Letters to the Editor can be sent to Managing Editor Lisa Freeman at lfreeman<at>cujournal.com. Letters can also be faxed to 561-832-2939 or submitted online at www.cujournal.com. (c) 2007 The Credit Union Journal and SourceMedia, Inc. All Rights Reserved. http://www.cujournal.com http://www.sourcemedia.com