McWatters Urges NCUA to Take 'Unambiguous' Responsibility for Data Breach
Friday, December 19, 2014 6:40 AM

After NCUA confirmed a data breach that occurred during a federal examination, caused by the loss of a flash drive containing sensitive information belonging to Palm Springs FCU in California, National Credit Union Administration board member J. Mark McWatters called on his agency to "unambiguously" take responsibility for the breach.

On Wednesday, McWatters contacted Credit Union National Association to make observations that reflected his understanding of the facts as presented by NCUA staff. He said, "NCUA should have unambiguously taken responsibility for the breach. The credit union was not at fault, and the credit union's auditors were not at fault. NCUA was at fault. Any attempt to shift culpability to unnamed auditors was ill advised. NCUA performs an examination and supervision function and not an audit function."

McWatters went on to say that the resolution of the matter and the payment of any amounts in settlement of any claims to the credit union, its members, or other persons should be addressed in an open and fully transparent meeting of the NCUA board. "In my view," McWatters said, "the NCUA (Office of Inspector General) should consider investigating this matter."

NCUA Chief of Staff Steve Bosack explained the agency's notification process, which relies on guidance from the U.S. Office of Management and Budget's Recommendations for Identity Theft Related Data Breach Notification, which states:

"Whenever possible, to avoid creating confusion and anxiety, the actual notice should come from the entity which the affected individuals are reasonably likely to perceive as the entity with which they have a relationship (i.e., their credit union)."

It adds, "(P)ublic announcement of the breach could itself cause criminals engaged in fraud under the guise of providing legitimate assistance, to use various techniques, including email or the telephone, to deceive individuals affected by the breach in disclosing their credit card numbers, bank account information, SSNs, passwords, or other sensitive information…"

OMB's supplemental guidance to agencies, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, cites: "Chilling Effects of Notices. A number of experts have raised concerns about unnecessary notification and the chilling effect this may have on the public. In addition, agencies should consider the costs to individuals and businesses of responding to notices where the risk of harm may be low. Agencies should exercise care to evaluate the benefit of notifying the public of low-impact incidents."

Bosack said a lost thumb drive at a 1,600-member credit union, with no evidence of theft or misuse, would qualify as a "low-impact incident." He added that the Palm Springs incident is the only one the agency knows of among the tens of thousands of NCUA exams conducted since the OMB guidance was established in 2006.