Post Breach, Regulator Reviews Policies
Experts Say Data Security Practices for Audits Too Lax
A federal banking regulator says it plans to review its data security policies and procedures in the wake of an audit mishap that resulted in the loss of a flash drive containing sensitive customer information (see Did Regulator Cause a Data Breach?).
On Dec. 17, the National Credit Union Administration announced that it will:
- Create a team to review the circumstances surrounding the incident involving the Palm Springs Federal Credit Union in California;
- Direct the NCUA's review team, which is responsible for ensuring compliance with its Guidelines for Safeguarding Member Information, to determine whether federally insured credit unions should be required to encrypt electronic member data; and
- Evaluate the development of a secure portal for file- and data-sharing between federally insured credit unions and the NCUA that would replace the practice of using thumb drives.
"The security of credit union members' personally identifiable information is a top priority for NCUA. The agency takes its responsibilities in this area very seriously and expects credit unions to do likewise," NCUA Executive Director Mark Treichel says in the Dec. 17 announcement. "A thumb drive given to an examiner was lost during an examination. ... This loss resulted from a failure to follow agency policies on securing sensitive data."
A Call for More Oversight
Shirley Inscoe, a financial fraud expert and analyst at the consultancy Aite, says that as a result of the incident, the Federal Financial Institutions Examination Council should expand its oversight to include reviews of security policies and practices at its member agencies, including the NCUA, FDIC, Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Consumer Financial Protection Bureau.
"The burden to upgrade security should not always fall upon the entities being examined; as this case suggests, in some instances, the agencies should be pointing the finger at themselves," she says.
Inscoe also says the NCUA should be held accountable if it determines that one of its auditors was to blame for the flash drive's loss.
"How can a federal agency write up any institution for a security-related issue, when they seem to not have an adequate understanding of the need for data protection themselves?" Inscoe asks. "This is an example of hypocrisy at the highest level."
The NCUA announcement comes just days after news broke about the loss of a flash drive used by Palm Springs FCU to share information with NCUA during an audit in October. The flash drive contained the names, addresses and Social Security numbers of several of the credit union's members.
While banking security experts say a revamp of regulatory policies and procedures related to data security is obviously needed, they also say every banking institution should be encrypting any customer data that is stored or transmitted, regardless of the circumstances.
"All financial institutions should be encrypting electronic member/customer information in transit - information that is moved outside of the institution - and when stored on other media, such as backup tapes, USB drives, etc.," says attorney Amy McHugh, a former IT examination analyst for the Federal Deposit Insurance Corp.
But a better practice would be to strictly prohibit the use of portable media for the storage of customer data, she adds.
"NCUA is using this incident as an opportunity to learn," Treichel says. "We are reinforcing training on protecting sensitive information; we are reviewing our policies and procedures in this area; and we are moving as quickly as possible to consider and adopt additional safeguards to protect electronic data."
Treichel also notes that the NCUA plans additional security training for its staff in 2015.
Lessons for Regulators
While questions still remain about how Palm Springs FCU's flash drive was lost, and whether the NCUA or the credit union is responsible, the incident has raised questions about regulator and agency-level security.
Al Pascual, director of fraud and security at Javelin Strategy & Research, says the NCUA incident has brought significant data security deficiencies to light.
"It has to be somewhat embarrassing for the agency, but an event like this was bound to happen given the circumstances," he says. "Hopefully other regulators will follow suit to ensure the safe storage and transmission of accountholder data."
In a Dec. 17 letter to NCUA Chairwoman Debbie Matz, Dan Berger, CEO of the National Association of Federal Credit Unions, called for an internal review of NCUA policies and procedures for safeguarding institutions' sensitive information, as well as policies in place for data breach notification.
"NCUA is a steward of credit unions' sensitive information and, as a federal regulator, must be held to the highest standard for safeguarding such data," Berger wrote. "NAFCU urges NCUA to not only carefully investigate this breach, but to also be fully transparent to the credit unions that you regulate and serve."
Carrie Hunt, NAFCU's general counsel and senior vice president of government affairs, says NAFCU also is urging the NCUA to go beyond a focus on the technology that might have prevented this breach of customer data.
"In this case, the loss of the flash drives appears to have been a human error," she says. "While technology is important, it's not always technology that fails. It's a complex issue. It's not enough just to have a rule. You have to have steps in place to be sure that the rules are followed."