HARRISBURG, Pa. — Rick Kelly, vice president of strategic communications at Triad Strategies here, tells his clients sunshine is usually the best fix for a crisis situation.
"The rule of thumb I use is that unless there's a compelling reason not to disclose [information], then there is a compelling reason to provide it," Kelly told Credit Union Journal. "In the old days, there was a tendency to think, `this might blow over.' That doesn't happen anymore."
It is advice that could have benefitted NCUA as it mapped its reaction to the data breach that ensued after one of its examiners lost a thumb drive containing credit union members' personal information.
The agency says it plans to conduct a comprehensive review of its policies governing the handling of sensitive, personally identifiable information.
According to Kelly, NCUA would do well to add its public relations strategy to the list of items under review. "Government agencies tend to react defensively to problem situations," he noted. "They tend to take a conservative approach and to perceive that there is risk in communicating."
Such a description certainly seems to fit NCUA.
The breach occurred on or about Oct. 20, when an examiner working at the $13 million-asset Palm Springs FCU lost an unencrypted thumb drive containing member information. NCUA chose not to make news of the incident public at the time and was left scrambling to respond after news of it broke in the media earlier this month.
Worse yet, it permitted Palm Springs to mail a letter to members informing them the thumb drive went missing during an "audit process."
The letter never hinted at NCUA's involvement. The letter was apparently reviewed by agency officials prior to being mailed on Oct. 30.
The decision to sign off on a misleading correspondence later earned a sharp rebuke from NCUA board member Mark McWatters.
Finally, NCUA also neglected to disclose news of the breach to Inspector General James Hagen. Hagen learned of the incident by reading about it in press accounts, according to a spokesman.
Last week Hagen announced his office would look into several different aspects of the breach, including — not surprisingly — a review of the decision not to publicly announce the data breach on the NCUA website.
NCUA declined to comment, citing the inspector general's ongoing inquiry.
Hagen's office will also conduct an audit to determine whether the NCUA has adequate controls in place to safeguard sensitive data, as well as an investigation to determine who inside the agency tipped the press to the loss of the thumb drive.
At least one industry observer thinks the incident may have been blown out of proportion.
Holly Herman, who served as chief executive of two credit unions, as well as senior advisor to former NCUA chairman Joann Johnson, said that it was entirely appropriate for NCUA to limit disclosure of the data breach to the individuals who were affected.
"It really was a private matter between the credit union and its members," Herman said. "The risk to the membership was limited. Why make this bigger than it needs to be?"
Kelly, however, said he believes NCUA's response to the situation "raises some issues."
"I'm curious as to why the regulator was so tight lipped," he said. "As a government entity, their standard for transparency is a little higher."
Kelly said also that the effort to identify the individuals who informed the media about the data breach might prove counterproductive.
"Those kinds of things are usually viewed negatively from a public relations standpoint," he said.
Hagen's spokesman said the leak probe was launched in response to a specific allegation of wrongdoing, but she declined to say who leveled it.