WASHINGTON — A suggestion by NCUA Chairman Debbie Matz that credit unions could face new data encryption rules after an agency examiner lost a thumb drive containing member information is already sparking an outcry by industry representatives.
"Rather than promulgating additional regulatory burdens on credit unions," the NCUA "should take a look internally at what actions the agency can take to better protect data in its care," said Alicia Nealon, director of regulatory affairs for the National Association of Federal Credit Unions, in a press release Wednesday.
The NCUA has taken heat over the apparent breach at the $13 million-asset Palm Springs FCU. After it was first reported in the media, the agency acknowledged an examiner had lost the thumb drive with information about the credit union's members on or around Oct. 20. As a result, the regulator's inspector general recently announced an audit of the agency's controls dealing with sensitive data.
But the agency is also considering steps for credit unions to strengthen data protections. After the loss of the "unencrypted thumb drive," an NCUA spokesman said, NCUA "Chairman [Debbie] Matz is considering whether or not an encryption rule would better protect that information."
"In the meantime, the agency is reinforcing training on protecting sensitive information, reviewing our policies and procedures in this area, and moving as quickly as possible to consider and adopt additional safeguards to protect electronic data," said John Fairbanks, an agency spokesman.
But Nealon said the industry already faces "stringent data security and privacy requirements."
The industry has "a strong track record of regulatory compliance with these requirements. Credit unions also constantly strive to implement the highest safeguards for their [members'] data," she said. "A recent survey of NAFCU's member credit unions found that credit unions not only meet the regulatory requirements, but also voluntarily implement many of NCUA's suggested best practices in order to better safeguard data."
In its audit, the agency's IG plans to look at, among other things, why news of the lost thumb drive first came out through press reports and not from the NCUA publicly, as well as who inside the agency may have tipped off the news media about the breach.
The NCUA's Fairbanks noted that agency employees are required to undergo security awareness training annually. The training, which was last conducted in November, includes information about the protection of personally identifiable data.
"Field staff has been reminded of their responsibilities for maintaining information security, and field directors will review certain security policies at their next group meetings," he said.