ALEXANXDRIA, Va.—Following the loss of a flash drive full of member data by an NCUA examiner, the agency said it is forming a new team to investigate procedures and is mulling changes to data transfers.
“The security of credit union members’ personally identifiable information is a top priority for NCUA,” NCUA said in a statement. “The agency takes its responsibilities in this area very seriously and expects credit unions to do likewise. NCUA is also committed to ensuring that the data shared in exams is protected at all times.”
The flash drive contained data on members at Palm Springs FCU. It did not include passwords or PINs, and NCUA said that to date there has been no indication of any unauthorized access to members’ accounts or attempts to gain improper access.
“This loss resulted from a failure to follow agency policies on securing sensitive data,” NCUA said. “These procedures, which have been in place since 2008, require NCUA examiners at all times to properly secure and control electronic devices containing sensitive or confidential information. The agency has conducted more than 28,000 examinations since these security policies have been in effect without encountering a notable problem.
This was an unfortunate, but isolated, incident, and both NCUA and the credit union acted quickly, taking all appropriate actions to investigate the incident, notify members and combat possible identity theft.”
The agency said it is now:
- Reinforcing training on protecting sensitive information, reviewing policies and procedures in this area, and moving as quickly as possible to consider and adopt additional safeguards to protect electronic data.
- Creating a team to review the circumstances surrounding this incident.
- Directing the already-established review team responsible for NCUA’s Guidelines for Safeguarding Member Information (Part 748 of regulations) to study whether to require federally insured credit unions to encrypt electronic member information.
- Evaluating development of a system for sharing information between the agency and federally insured credit unions through a secure portal, rather than using hardware like a thumb drive.
NCUA said it plans additional security training in 2015.