Community Health Systems Data Breach Reminder of Importance in Keeping CU and Members Safe
Wednesday, August 20, 2014 7:00 AM

The Community Health Systems Data Breach, exposing personal data of 4.5 million consumers, is a reminder for all organizations to make sure consumer personal data is secure. Idrees Rafiq, Jr., assistant vice president of information technology for Credit Union Resources, says there are several steps that credit unions can take to protect themselves and their members, beginning with a security risk analysis.

“A comprehensive security risk assessment allows an organization to assess, identify, and in some cases, modify its security posture,” notes Rafiq.

According to Rafiq, the security risk assessment should contain four major components as they relate to the physical, operational, and technical security of a credit union:

  • Determine assets
  • Determine threats
  • Determine vulnerability
  • Determine current risk rating

Developing a comprehensive security policy is another proactive measure credit unions can take to protect the organization and its members. Per National Credit Union Administration (NCUA) Regulation 748 (Appendix A), Rafiq says the credit union should develop its security policy and program based on the aforementioned security risk assessment, and review it annually.

Employee training is also an important defense against data breaches. Along with your credit union’s security policy and program, Rafiq suggests training staff on:

  • Social Engineering – Social engineering is when a perpetrator physically acts, either in person or on the phone, as someone else in order to manipulate credit union employees into either giving them access or divulging confidential information. An example would be a person pretending to be interested in a loan, accessing the loan officer’s office, and then stealing other members’ information off of unsecured loan documentation.
  • Suspicious E-Mails – Training on how to handle suspicious e-mails can be another vital step in protecting the credit union from a data breach. The first step is to train your employees not to open or respond to e-mails when the sender cannot be identified. Even if the sender can be identified, they should be cognizant of whether that person would send that particular message. The second step is to report it immediately. Another tip is to never click on a link to an external website. If they are interested in the link, they should open a web browser and type in the URL manually.

Data breaches can also be prevented by educating members against fraud and identity theft. Credit unions can track the effectiveness of their member education program by:

  • Tracking the number of members who report fraudulent attempts to obtain their authentication credentials such as their user ID or password.
  • Recording the number of member visits to the ‘information security link’ if available on the website.
  • Recording the number of statement stuffers or other direct mail communications to the members.
  • Recording the dollar amount of losses relating to identity theft before and after the program starts.

Rafiq says it’s also critical, and a requirement of NCUA Regulation 748 (Appendix B), that credit unions develop a response program. The response program should include:

  1. Procedures for assessing the nature and scope of an incident.
  2. Notifying the appropriate NCUA regional director, and, in the case of state-chartered credit unions, its applicable state supervisory authority.
  3. Filing a Suspicious Activity Report (SAR).
  4. Steps to contain and control the incident to prevent further unauthorized access to or use of member information.
  5. Notifying members when warranted.
  6. Notification of affected members when maintained by your credit union’s service providers.

Additionally, testing, such as internal and external vulnerability assessment testing, can play a vital role in preventing data security breaches.

“Although you can never eliminate all security vulnerabilities and threats, it is imperative that your credit union takes a proactive approach to minimizing and managing them,” says Rafiq. “Showing your employees and members a serious attitude towards security can be the most significant part of your security posture.”