Go to:

July 2018
< Jun Aug >
Leaguer Email Subscription

You are not currently subscribed. Click Subscribe below to receive the Leaguer email.

OIG Gives NCUA a Pass in Data Breach Caused By Examiner Error
Tuesday, March 10, 2015 6:30 AM

NCUA's Office of the Inspector General has given the regulator a pass on its handling of the data breach last fall caused by examiner error.

News broke late last year that an NCUA examiner had lost a flash drive containing sensitive member information during an October 2014 examination at $13 million-asset Palm Springs FCU. The incident drew the ire of many throughout the credit union industry, but many also praised the regulator for its handling of the matter and noted that everyone makes the occasional mistake.

The OIG's 10-page report, available here, focuses primarily on whether or not the regulator obfuscated the fact that an examiner was responsible for the breach by using the word "auditor" in lieu of "examiner" in a letter to PSFCU members, and NCUA's response to the breach and its decision to not to publically announce the breach on its website.

The report notes that PSFCU elected to use the terms "audit" and "auditor" rather than the more traditional "exam" before NCUA was consulted, choosing the word "audit" and variations of the word in order to avoid alerting "the possessor of the flash drive that … it contained personally identifiable information (PII)." By using a more generic term, the report states, the CU and its counsel believed "that they could reduce the likelihood that the notification letter might alert an unwitting possessor of the flash drive of the valuable information it contained."

The report found that NCUA's decisions in regard to announcing the breach were influenced by the fact that the data was lost due to human error rather than something more sinister such as a hacking.

"While the credit union's failure to encrypt the data provided to NCUA staff was imprudent," the report quotes, "the facts as currently known indicate that NCUA staff failed to exercise proper care over the data in their custody."

OIG's Recommendations

The OIG report offered the following best practices for examiners as a result of the breach:

  • Specialized information security training;
  • Stressing the importance of situational awareness and consequences of non-compliance with NCUA policies; and
  • NCUA should accelerate the implementation of its privacy program in order to increase end-user awareness of privacy-related issues.

NCUA has already undertaken those suggestions at varying levels, and the OIG also conducting an audit to ensure that the regulator "has adequate controls in place to protect electronic [personally identifiable information] and sensitive credit union data."

The data breach occurred at approximately the same time CUNA sent a letter to NCUA urging it to increase the amount of technology used during exams as a way to streamline that process—something that some said could have helped prevent the data breach.

In a statement to Credit Union Journal following the release of the OIG report, CUNA's Chief Advocacy Officer Ryan Donovan said "It is clear that the credit union did all that is required of it leading up to and in the aftermath of the loss of the flash drive containing 1,600 members' personal identification information, and that the fault for the incident rested with the examiner."

"We do not believe this incident or any others of which we are aware of justify further requirements for credit unions," said Donovan.