ALEXANDRIA, Va. — The NCUA Board Thusday approved a payment of up to $50,000 to cover costs associated with the October 2014 data breach at Palm Springs FCU, which was caused when an NCUA examiner lost a thumb drive containing sensitive member information.
NCUA will cover the expense of the credit union monitoring members' credit reports, as well as the cost of credit union staff time associated with the breach and legal fees. Although there has not yet been evidence that anyone has attempted to access members' information, the breach has already cost approximately $36,000. Payments will come from NCUA's existing operating funds, and in the event that costs exceed $50,000, further action from the board would be needed.
NCUA said in a statement that the breach was the "result of a failure to follow longstanding agency policies on securing sensitive data," but emphasized that no passwords or PINs were on the thumb drive.
NCUA's inspector general is investigating the breach, and NCUA said it "is taking appropriate action with staff involved in the incident and is reinforcing training on protecting sensitive information and reviewing regulations, policies and procedures in this area."
NCUA Chairman Debbie Matz earlier this month said that the regulator may introduce new encryption rules to better help credit unions protect members' data--a move that many felt was targeted at credit unions, rather than NCUA, which was the cause of the problem.
The agency's statement today also noted that it "is moving as quickly as possible to consider and adopt additional safeguards to protect electronic data." Shortly after the breach occurred but before news of the breach went public, CUNA sent NCUA a letter suggesting that it increase the use of technology in exams to streamline and secure that process, and many who spoke to CU Journal in the wake of the breach said such measures might have protected against the loss of Palm Springs FCU's members' data.
CUNA's President and CEO Jim Nussle praised NCUA for reimbursing Palm Springs FCU and making efforts to adopt additional safeguards for member data, but reminded in a statement that the incident in Palm Springs is just one small part of the broader picture when it comes to credit union losses due to data breaches.
"It took NCUA a matter of weeks to offer reimbursement for their breach, yet credit unions are still waiting to be reimbursed for the Target breach over 13 months later," he said.
Carrie Hunt, SVP of government affairs and general counsel at NAFCU sent a letter yesterday to leaders in both houses of Congress urging them to create a bipartisan-bicameral working group focused on coming up with legislative proposals to prevent further data breaches.
"Credit unions are on the front lines assisting their members in the wake of ongoing data breaches and have a unique understanding of how detrimental such data breaches can be toconsumers and small financial service providers," Hunt wrote. The letter was also sent to members of the House and Senate, as well as those in senior leadership positions.