ALEXANDRIA, Va. — NCUA's Office of the Inspector General has given the regulator a pass on its handling of the data breach last fall caused by examiner error.
News broke late last year that an NCUA examiner had lost a flash drive containing sensitive member information during an October 2014 examination at $13 million-asset Palm Springs FCU. The incident drew the ire of many throughout the credit union industry, but many also praised the regulator for its handling of the matter and noted that everyone makes the occasional mistake.
The OIG's 10-page report focuses primarily on whether the regulator obfuscated the fact that an examiner was responsible for the breach by using the word "auditor" in lieu of "examiner" in a letter to PSFCU members, on NCUA's response to the breach, and on its decision not to publicly announce the breach on its website.
The report notes that PSFCU elected to use the terms "audit" and "auditor" rather than the more traditional "exam" before NCUA was consulted, choosing the word "audit" and variations of the word in order to avoid alerting "the possessor of the flash drive that it contained personally identifiable information (PII)." By using a more generic term, the report states, the CU and its counsel believed "that they could reduce the likelihood that the notification letter might alert an unwitting possessor of the flash drive of the valuable information it contained."
The report found that NCUA's decisions in regard to announcing the breach were influenced by the fact that the data was lost due to human error rather than something more sinister, such as hacking.
Many who spoke to Credit Union Journal in the wake of the PSFCU breach emphasized the importance of data encryption, but the OIG report cites a memo that found fault with NCUA for the breach, rather than the credit union, even though the data was unencrypted.
"While the credit union's failure to encrypt the data provided to NCUA staff was imprudent," the report quotes, "the facts as currently known indicate that NCUA staff failed to exercise proper care over the data in their custody."
The OIG report offered the following best practices for examiners as a result of the breach:
- Specialized information security training
- Stressing the importance of situational awareness and consequences of non-compliance with NCUA policies
- NCUA should accelerate the implementation of its privacy program in order to increase end-user awareness of privacy-related issues
NCUA has already undertaken those suggestions at varying levels, and the OIG is also conducting an audit to ensure that the regulator "has adequate controls in place to protect electronic [personally identifiable information] and sensitive credit union data."
Implement, but Improve
In a statement e-mailed to Credit Union Journal, NCUA spokesman John Fairbanks said that the agency concurs with the recommendations within the report and is moving to implement them.
"The loss of an unencrypted thumb drive containing member information was an unfortunate, but, fortunately rare, occurrence," said Fairbanks. "NCUA has taken several steps, including increased staff training and a review of agency policies on data security in the wake of this event. The agency is unaware of any loss of member information, and the Board has approved payment of up to $50,000 for costs associated with the data breach."
For its part, NAFCU released a statement encouraging NCUA to continue to review its internal practices for protecting member data.
"NAFCU appreciates NCUA's Office of Inspector General reviewing how the agency handled its examiner's loss of an external flash drive containing sensitive personal and financial credit union member data," NAFCU president and CEO Dan Berger said in a statement. Berger said NCUA "must be held to the highest standard" when it comes to safeguarding member data, and urged the agency to continue reviewing its data security practices.
The data breach occurred at approximately the same time as CUNA sent a letter to NCUA urging it to increase the amount of technology used during exams as a way to streamline that process — something that some said could have helped prevent the data breach.
In a statement to Credit Union Journal following the release of the OIG report, CUNA's Chief Advocacy Officer Ryan Donovan said "It is clear that the credit union did all that is required of it leading up to and in the aftermath of the loss of the flash drive containing 1,600 members' personal identification information, and that the fault for the incident rested with the examiner."
Donovan went on to commend NCUA for releasing the report in a timely manner and echoed NAFCU's call to continue to beef up and review internal data security procedures at the regulator.
"We do not believe this incident or any others of which we are aware justify further requirements for credit unions," said Donovan.