In Wake of Examiner Losing Flash Drive, NCUA Inspector General Issues Report

ALEXANDRIA, Va.–In the wake of an examiner losing a flash drive containing CU member data, NCUA’s Office of Inspector General has released its report examining whether the agency has adequate controls in place to protect sensitive, confidential, or personally identifiable electronic credit union information during examinations.

The report (available in CUToday’s Open Vault) said the OIG determined that NCUA has provided examiners with appropriate tools with which to securely receive electronic information from credit unions during the examination process, but also found several areas for improvement.

Specifically, the report recommends:

  • NCUA needs to improve its policies, procedures and training to help ensure NCUA staff take appropriate measures to protect sensitive, confidential, and personally identifiable electronic credit union member information during examinations.
  • NCUA needs to improve its guidance to require NCUA staff to use specific tools to transfer sensitive, confidential, and personally identifiable electronic credit union member information during examinations.

The report also says NCUA management should “[r]equire federally insured credit unions to provide sensitive, confidential or personally identifiable electronic credit union member information to NCUA/NCUA staff in an encrypted or otherwise secure manner…” The agency has issued a clarification of that recommendation, however, saying it applies only to members’ personally identifiable information, not other communications between credit unions and the agency. NCUA further said it plans to have a secure online portal for credit unions to safely transmit this information to the agency by the end of the year.

The OIG’s review follows an Oct. 20, 2014 incident at the $13-million Palm Springs FCU in California in which an examiner lost a flash drive containing member data. To date, there have been no known data breaches or illegal activity due to that data having been compromised.

In an informal report issued in March, NCUA’s OIG found no evidence that NCUA attempted to “obfuscate” the fact that an NCUA examiner was responsible for the loss of a flash drive from Palm Springs FCU.

The latest OIG report states that NCUA management has indicated that by July 31, 2015, the Office of Examination & Insurance (E&I) will have updated the initial “Day 1” letter to credit unions to clearly define expectations regarding the protection of sensitive information during the exam process. NCUA said that the implementation of the letter depends on any bargaining obligation with the National Treasury Employees Union.

In its 22-page report, the OIG also recommends that NCUA:

  • Complete the revision of NCUA Instruction 13500.09 to consolidate, include or reference: (1) specific policy, procedure or alternate practical guidance – depending on the examination scenario – agency staff must adhere to or follow to help ensure the protection of sensitive, confidential, and personally identifiable electronic credit union member information; and (2) the consequences NCUA staff face for failing to follow NCUA requirements, procedures, or guidance for protecting credit union member information.
  • Enhance NCUA annual security awareness training or provide additional supplementary periodic training that reinforces credit union data protection requirements established in NCUA Instruction 13500.09 and provides NCUA staff with “practical guidance” for addressing “issues within the context of their job responsibilities” as they handle sensitive, confidential, and personally identifiable electronic credit union member information throughout the examination process.
  • Enhance annual privacy training to stress the importance of protecting sensitive credit union member information; address and reinforce to NCUA staff the consequences for violating/failing to follow NCUA policy, requirements and procedures for protecting sensitive credit union member information; and address potential consequences NCUA and credit unions also face if staff fail to protect sensitive credit union member information.
  • Continue to pursue and implement the secure file transfer solution NCUA is assessing to transfer sensitive, confidential, or personally identifiable electronic credit union member information. (NCUA management has indicated that its Office of the Chief Information Officer has said it will complete the implementation of the secure file transfer solution by year-end 2015.)
  • Complete the revision of NCUA Instruction 13500.09 to require and provide guidance on secure tools or alternate procedures NCUA staff must use under various circumstances to transfer sensitive, confidential, or personally identifiable electronic credit union member information during examinations.
  • Enhance NCUA annual security awareness training to reinforce to NCUA staff the availability, use, and applicability of secure NCUA tools to transfer sensitive, confidential, or personally identifiable electronic credit union member information.

The OIG reported that many of the recommendations it has made are already on a path to implementation. It also notes that some concern has been expressed that requiring small credit unions to purchase encrypted devices would create a financial burden for them.

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/In-Wake-of-Examiner-Losing-Flash-Drive-NCUA-Inspector-General-Issues-Report