Security Program and Appendix B-Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, 22764-22780 [05-7836]

Agencies

• National Credit Union Administration

[Federal Register Volume 70, Number 83 (Monday, May 2, 2005)]
[Rules and Regulations]
[Pages 22764-22780]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 05-7836]



[[Page 22763]]

-----------------------------------------------------------------------

Part II





National Credit Union Administration





-----------------------------------------------------------------------



12 CFR Part 748



Security Program and Appendix B--Guidance on Response Programs for 
Unauthorized Access to Member Information and Member Notice; Final Rule

Federal Register / Vol. 70, No. 83 / Monday, May 2, 2005 / Rules and 
Regulations

[[Page 22764]]


-----------------------------------------------------------------------

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 748


Security Program and Appendix B--Guidance on Response Programs 
for Unauthorized Access to Member Information and Member Notice

AGENCY: National Credit Union Administration (NCUA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: NCUA is amending its rule governing security program elements 
to require federally insured credit unions to include response programs 
to address instances of unauthorized access to member information. NCUA 
is also including guidance, in the form of Appendix B, to provide 
federally insured credit unions with direction on ways to meet the new 
regulatory requirements.

DATES: This rule is effective on June 1, 2005.

FOR FURTHER INFORMATION CONTACT: Matthew J. Biliouris, Senior 
Information Systems Officer, Office of Examination & Insurance, 
Division of Supervision, at telephone (703) 518-6394; or Ross Kendall, 
Staff Attorney, Office of General Counsel, at telephone (703) 518-6562.

SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in 
the following outline:

I. Introduction
II. Overview of the Comments Received
III. Overview of the Final Guidance
IV. Section-by-Section Analysis of the Comments Received
    A. The ``Background'' Section
    B. The ``Response Program'' Section
    C. The ``Member Notice'' Section
V. Effective Date
VI. Impact of Guidance
VII. Regulatory Analysis
    A. Paperwork Reduction Act
    B. Regulatory Flexibility Act
    C. Executive Order 12866
    D. Unfunded Mandates Act of 1995

I. Introduction

    In 2001, NCUA amended 12 CFR Part 748 to fulfill a requirement in 
Section 501 of the Gramm-Leach-Bliley Act (Pub. L. 106-102) (GLBA), in 
which Congress directed both NCUA and the other Federal Financial 
Institution Examination Council (FFIEC ) agencies, including the Board 
of Governors of the Federal Reserve System, the Federal Deposit 
Insurance Corporation, the Office of the Comptroller of the Currency, 
and the Office of Thrift Supervision (collectively, the ``Banking 
Agencies'') to establish standards for financial institutions relating 
to administrative, technical, and physical safeguards to: (1) Insure 
the security and confidentiality of customer records and information; 
(2) protect against any anticipated threats or hazards to the security 
or integrity of such records; and (3) protect against unauthorized 
access to or use of such records or information that could result in 
substantial harm or inconvenience to any customer.
    Although NCUA worked with the Banking Agencies to develop the 
standards described above, the Banking Agencies issued their standards 
as guidelines under the authority of Section 39 of the Federal Deposit 
Insurance Act.
    Since Section 39 of the Federal Deposit Insurance Act does not 
apply to NCUA, the NCUA Board determined that it could best meet the 
congressional directive to prescribe standards through an amendment to 
its existing regulation governing security programs for federally 
insured credit unions and by providing guidance to credit unions, 
substantially identical to the guidelines issued by the Banking 
Agencies, in an appendix to the regulation. 12 CFR Part 748, Appendix 
A; 66 FR 8152 (January 30, 2001). The preamble to the final rule 
discusses the different regulatory framework under which the Banking 
Agencies issued their guidelines. The final regulation requires each 
federally insured credit union to establish and maintain a security 
program implementing the safeguards required by GLBA.
    Appendix A, entitled Guidelines for Safeguarding Member Information 
(Appendix A), is intended to outline industry best practices and assist 
credit unions to develop meaningful and effective security programs to 
ensure compliance with the requirements contained in the regulation. 
Among other things, Appendix A advises credit unions to: (1) Identify 
reasonably foreseeable internal and external threats that could result 
in unauthorized disclosure, misuse, alteration, or destruction of 
member information or member information systems; (2) assess the 
likelihood and potential damage of these threats, taking into 
consideration the sensitivity of member information; and (3) assess the 
sufficiency of policies, procedures, member information systems, and 
other arrangements in place to control risks.\1\
---------------------------------------------------------------------------

    \1\ 12 CFR Part 748, Appendix A, Paragraph III.B.2.
---------------------------------------------------------------------------

    On October 23, 2003, the NCUA Board approved a proposal to revise 
12 CFR Part 748 to include a requirement to respond to incidents of 
unauthorized access to member information. The Board invited comment on 
all aspects of the proposed Guidance. The public comment period closed 
on December 29, 2003.
    This final rule further amends Part 748 to require that every 
federally insured credit union have a security program that contains a 
provision for responding to incidents of unauthorized access to member 
information. Appendix B, entitled Guidance on Response Programs for 
Unauthorized Access to Member Information and Member Notice, is also 
provided to assist credit unions in developing and maintaining their 
response programs. Appendix B describes NCUA's expectation that every 
federally insured credit union develop a response program, including 
member notification procedures, to address unauthorized access to or 
use of member information that could result in substantial harm or 
inconvenience to a member.
    NCUA has modified the proposed Guidance to provide credit unions 
with greater flexibility to design a risk-based response program 
tailored to the size, complexity and nature of its operations, while 
continuing to highlight member notice as a key feature of a credit 
union's response program. In addition, NCUA reorganized the proposed 
Guidance for greater clarity. A more detailed discussion of the changes 
follows.

II. Overview of Comments Received

    NCUA received 15 comment letters on the proposed Guidance: Six from 
natural person credit unions, one from a corporate credit union, two 
from national credit union trade associations, five from state credit 
union leagues, and one from a service provider. In addition, the 
Banking Agencies collectively received 65 comment letters. While the 
NCUA Board carefully considered all comments on its proposed rule, to 
remain as consistent as practicable with the Banking Agencies, the 
Board has also made some changes in the final rule as a result of 
interagency discussions.
    As a general matter, commenters agreed that credit unions should 
have response programs. Indeed, many credit unions and other financial 
institutions described having such programs in place. Many comments 
received commended the NCUA and the Banking Agencies for providing 
guidance on response programs. However, the majority of industry 
commenters criticized the prescriptive nature of the proposed Guidance. 
These commenters stated that the rigid approach in the proposed 
Guidance would stifle innovation and retard the effective evolution of 
response programs.

[[Page 22765]]

    Industry commenters raised concerns that the specific requirements 
in the proposed Guidance would not permit a credit union to assess 
different situations from its own business perspective, specific to its 
size, operational and system structure, and risk tolerances.
    Some industry commenters asserted that there is no need for 
regulation in this area and recommended that the NCUA and the Banking 
Agencies withdraw the proposed Guidance. Some of these commenters 
suggested, instead, that the Agencies re-issue the proposed Guidance as 
a best practices document. Other industry commenters suggested 
modifying the proposed Guidance to give credit unions greater 
discretion to determine how to respond to incidents of unauthorized 
access to or use of member information.
    Two commenters also requested that the Agencies include a 
transition period allowing adequate time for financial institutions to 
implement the final Guidance. Some commenters asked for a transition 
period only for the aspects of the final Guidance that address service 
provider arrangements.

III. Overview of Final Guidance

    The final rule requires that every federally insured credit union 
must develop and implement a response program designed to address 
incidents of unauthorized access to member information maintained by 
the credit union or its service provider. The final Guidance provides 
each credit union with greater flexibility to design a risk-based 
response program tailored to the size, complexity and nature of its 
operations.
    The final Guidance, which has been reorganized for greater clarity, 
continues to highlight member notice as a key feature of a credit 
union's response program. However, in response to the comments 
received, the final Guidance modifies the standard describing when 
notice should be given and provides for a delay at the request of law 
enforcement. It also modifies which members should be given notice, 
what a notice should contain, and how it should be delivered.
    A more detailed discussion of the final Guidance and the manner in 
which it incorporates comments NCUA and the Banking Agencies received 
follows.

IV. Section-by-Section Analysis of the Comments Received

A. The ``Background'' Section

Legal Authority
    The legal foundation for the Guidance is set forth in Part 748, 
which derives from section 501(b) of GLBA and requires that every 
credit union have a security program. Appendix A to Part 748 describes 
the elements of a security program and includes measures to protect 
member information maintained by the credit union or its service 
providers. The Guidance states that NCUA expects member notification to 
be a component of such a response program.
    One commenter questioned NCUA's and the Banking Agencies' legal 
authority to issue the Guidance. This commenter asserted that section 
501(b) of GLBA only authorizes the Agencies to establish standards 
requiring financial institutions to safeguard the confidentiality and 
integrity of customer information and to protect that information from 
unauthorized access, but does not authorize standards that would 
require a response to incidents where the security of customer 
information actually has been breached.
    The NCUA Board notes, however, that section 501(b)(3) specifically 
states that the standards to be established by the Agencies must 
include various safeguards to protect against not only ``unauthorized 
access to,'' but also, the ``use of'' customer information that could 
result in ``substantial harm or inconvenience to any customer.'' The 
NCUA Board determined that this language provides a legal basis for 
standards that include response programs to address incidents of 
unauthorized access to member information. Response programs represent 
the principal means for a credit union to protect against unauthorized 
``use'' of member information that could lead to ``substantial harm or 
inconvenience'' to the member. For example, member notification is an 
important tool that enables a member to take steps to prevent identity 
theft, such as by arranging to have a fraud alert placed in his or her 
credit file.
Scope of Guidance
    The proposed Guidance contained several cross references to 
definitions used in Appendix A. However, the NCUA Board did not 
specifically address the scope of the proposed Guidance. A number of 
commenters had questions and suggestions regarding the scope of the 
proposed Guidance and the meaning of terms used.
Entities and Information Covered
    Some commenters had questions about the entities and information 
covered by the proposed Guidance. One commenter suggested that NCUA and 
the Banking Agencies clarify that foreign offices, branches, and 
affiliates of United States banks are not subject to the final 
Guidance. Another commenter wanted the NCUA Board to clarify corporate 
credit unions' responsibilities relating to the Guidance. This 
commenter wanted to know if corporate credit unions would be expected 
to follow the same practices of that of a service provider and notify 
affected natural person credit unions.
    Some commenters recommended that the Agencies clarify that the 
final Guidance only applies to unauthorized access to sensitive 
information within the control of the financial institution. One 
commenter thought that the final Guidance should be broad and cover 
fraud committed against credit union members through the Internet, such 
as through the misuse of online corporate identities to defraud online 
banking users through fake web sites (commonly known as ``phishing''). 
Several commenters requested confirmation in the final Guidance that it 
applies to consumer accounts and not to business and other commercial 
accounts.
    For greater clarity, NCUA has revised the Background section of the 
final Guidance to state that the scope and definitions of terms used in 
the Guidance are identical to those in section 501(b) of the GLBA and 
Appendix A, which largely cross-reference definitions used in NCUA's 
Privacy Rule.\2\ Therefore, consistent with section 501(b) and Appendix 
A, this final Guidance applies to the entities enumerated in section 
505(a) of the GLBA. This final Guidance does not apply to a credit 
union's foreign offices, branches, or CUSOs. However, a credit union is 
responsible for the security of its member information, whether the 
information is maintained within or outside of the United States, and 
whether or not it relies on a CUSO to provide certain member services.
---------------------------------------------------------------------------

    \2\ 12 CFR Part 716.
---------------------------------------------------------------------------

    As with the guidance contained in Appendix A, natural person credit 
unions that use corporate credit unions as their ``service providers'' 
will likely look to the final Guidance in overseeing their service 
provider arrangements with those corporate credit unions. Accordingly, 
there is no exemption for corporate credit unions that provide services 
to natural person credit unions as part of normal processing business.
    The final Guidance also applies to ``member information,'' meaning 
any record containing ``nonpublic personal information'' (as that term 
is defined in section 716.3(n) of NCUA's Privacy rule) about a credit 
union's member, whether in paper, electronic, or other form, that

[[Page 22766]]

is maintained by or on behalf of the institution.\3\ Consequently, the 
final Guidance applies only to information that is within the control 
of the credit union and its service providers, and would not apply to 
information directly disclosed by a member to a third party, for 
example, through a fraudulent web site.
---------------------------------------------------------------------------

    \3\ See 12 CFR Part 745, Appendix A, Paragraph I.C.2.c.
---------------------------------------------------------------------------

    Moreover, the final Guidance does not apply to information 
involving business or commercial accounts. Instead, the final Guidance 
applies to nonpublic personal information about a ``member'' within the 
meaning of Appendix A, namely, a consumer who obtains a financial 
product or service from a credit union to be used primarily for 
personal, family, or household purposes, and who has a continuing 
relationship with the credit union.\4\
---------------------------------------------------------------------------

    \4\ See 12 CFR Part 748, Appendix A, Paragraph I.C.2.b.; 12 CFR 
Part 716.3(i).
---------------------------------------------------------------------------

Effect of Other Laws
    Several commenters requested NCUA and the Banking Agencies explain 
how the final Guidance interacts with additional and possibly 
conflicting state law requirements. Most of these commenters urged that 
the final Guidance expressly preempt state law. By contrast, one 
commenter asked the Agencies to clarify that a financial institution 
must also comply with additional state law requirements. In addition, 
some commenters asked that the final Guidance provide a safe harbor 
defense against class action law suits. They suggested that the safe 
harbor should cover any credit union that takes reasonable steps that 
regulators require to protect member information, but, nonetheless, 
experiences an event beyond its control that leads to the disclosure of 
member information.
    These issues do not fall within the scope of this final Guidance. 
The extent to which section 501(b) of GLBA, Appendix A, and any related 
NCUA interpretations, such as this final Guidance, preempts state law 
is governed by Federal law, including the procedures set forth in 
section 507 of GLBA, 15 U.S.C. 6807. \5\ Moreover, there is nothing in 
Title V of the GLBA that authorizes NCUA to provide credit unions with 
a safe harbor defense. Therefore, the final Guidance does not address 
these issues.
---------------------------------------------------------------------------

    \5\ Section 507 provides that state laws that are 
``inconsistent'' with the provisions of Title V, Subtitle A of the 
GLBA are preempted ``only to the extent of the inconsistency.'' 
State laws are ``not consistent'' if they offer greater protection 
than Subtitle A, as determined by the Federal Trade Commission, 
after consultation with the agency or authority with jurisdiction 
under Section 505(a) of either the person that initiated the 
complaint or that is the subject of the complaint. See 15 U.S.C. 
6807.
---------------------------------------------------------------------------

Organizational Changes in the ``Background'' Section
    For the reasons described earlier, the Background section is 
adopted essentially as proposed, except that the latter part of the 
paragraph on ``Service Providers'' and the entire paragraph on 
``Response Programs'' are incorporated into the introductory discussion 
of Section II. The NCUA Board believes that the Background section is 
now clearer, as it focuses solely on the statutory and regulatory 
framework upon which the final Guidance is based. Comments and changes 
with respect to the paragraphs that were relocated are discussed in the 
next section.

B. The ``Response Program'' Section

    There are a number of differences between the discussion of 
Response Programs in the proposed and final Guidance. The introduction 
to section II of the proposed Guidance stated that a response program 
should be a key part of a credit union's information security program 
required under Part 748. It also described the importance of having a 
response program and of timely notification of members when warranted. 
Section II of the proposed Guidance contained four detailed paragraphs 
describing each of the four components that a response program should 
contain.
    The introductory language in the final Guidance now emphasizes that 
a credit union's response program should be risk-based and describes 
the components of a response program in a less prescriptive manner. 
Section II in the final Guidance specifically states that a credit 
union should implement security measures, from among the itemized list 
in Appendix A, designed to prevent unauthorized access to or use of 
member information, such as by placing access controls on member 
information systems and conducting background checks \6\ for employees 
who are authorized to access member information. It then states that 
NCUA expects every credit union to develop and implement a risk-based 
response program (another security measure enumerated in Appendix A) 
designed to address incidents of unauthorized access to member 
information that occur despite measures to prevent security breaches. 
The final Guidance also states that a response program should be a key 
part of a credit union's information security program.
---------------------------------------------------------------------------

    \6\ A footnote has been added to this section to make clear that 
credit unions should also conduct background checks of employees to 
ensure that the credit union does not violate 12 U.S.C. 1785(d), 
which prohibits an institution from hiring an individual convicted 
of certain criminal offenses or who is subject to a prohibition 
order under 12 U.S.C. 1786(g).
---------------------------------------------------------------------------

    This introductory paragraph is intended to make clear that, based 
upon the prevalence of identity theft in the United States,\7\ every 
credit union should have a response program to be prepared to prevent 
and address attempts to gain unauthorized access to its member 
information. The Board's expectation that each credit union will 
develop a response program is consistent with the provision in Appendix 
A calling for each credit union to design an information security 
program to control ``identified risks'' stemming from ``reasonably 
foreseeable internal and external threats.'' \8\
---------------------------------------------------------------------------

    \7\ See, for example, the Federal Trade Commission's Identity 
Theft Survey Report of September 2003,'' available at https://
www.ftc.gov/os/2003/09synovatereport.pdf estimating that 10 million 
Americans were victims of identify theft in 2002.
    \8\ 12 CFR Part 748, Appendix A, Paragraph III.B. and III.C.
---------------------------------------------------------------------------

Service Provider Contracts
    The Background section of the proposed Guidance elaborated on the 
specific provisions that a credit union's contracts with its service 
providers should contain. The proposed Guidance stated that a credit 
union's contract with its service provider should require the service 
provider to disclose fully to the credit union information related to 
any breach in security resulting in an unauthorized intrusion into the 
credit union's member information systems maintained by the service 
provider. It stated that this disclosure would permit a credit union to 
expeditiously implement its response program.
    Several commenters on the proposed Guidance agreed that a credit 
union's contracts with its service providers should require the service 
provider to disclose fully to the credit union information related to 
any breach in security resulting in an unauthorized intrusion into the 
credit union's member information systems maintained by the service 
provider. However, many commenters suggested modifications to this 
provision.
    The discussion of this aspect of a credit union's contracts with 
its service providers is in section II of the final Guidance. It has 
been revised as follows in response to the comments received.
Timing of Service Provider Notification
    NCUA and the Banking Agencies received a number of comments 
regarding the timing of a service

[[Page 22767]]

provider's notice to a credit union. One commenter suggested requiring 
service providers to report incidents of unauthorized access to credit 
unions within 24 hours after discovery of the incident.
    In response to comments on the timing of a service provider's 
notice to a credit union, the final Guidance states that a credit 
union's contract with its service provider should require the service 
provider to take appropriate action to address incidents of 
unauthorized access to the credit union's member information, including 
notifying the credit union as soon as possible of any such incident, to 
enable the credit union to expeditiously implement its response 
program. The NCUA Board determined that requiring notice within 24 
hours of an incident may not be practicable or appropriate in every 
situation, particularly where, for example, it takes a service provider 
time to investigate a breach in security. Therefore, the final Guidance 
does not specify a number of hours or days by which the service 
provider must give notice to the credit union.
Existing Contracts With Service Providers
    Some commenters expressed concerns that they would have to rewrite 
their contracts with service providers to require the disclosure 
described in this provision. These commenters asked NCUA to grandfather 
existing contracts and to apply this provision only prospectively to 
new contracts. Many commenters also suggested that the final Guidance 
contain a transition period to permit credit unions to modify their 
existing contracts.
    The NCUA Board has decided not to grandfather existing contracts or 
to add a transition period to the final Guidance because, as stated in 
the proposed Guidance, this disclosure provision is consistent with the 
obligations in Appendix A that relate to service provider arrangements 
and with existing guidance on this topic previously issued by NCUA.\9\ 
In order to ensure the safeguarding of member information, credit 
unions that use service providers likely have already arranged to 
receive notification from the service providers when member information 
is accessed in an unauthorized manner. In light of the comments 
received, however, NCUA recognizes that there are credit unions that 
have not formally included such a disclosure requirement in their 
contracts. Where this is the case, the credit union should exercise its 
best efforts to add a disclosure requirement to its contracts and any 
new contracts should include such a provision.
---------------------------------------------------------------------------

    \9\ See FFIEC Information Technology Examination Handbook, 
Outsourcing Technology Services Booklet, June 2004; NCUA Letter to 
Credit Unions No. 00-CU-11, December 2000.
---------------------------------------------------------------------------

    Thus, the final Guidance adopts the discussion on service provider 
arrangements largely as proposed. To eliminate any ambiguity regarding 
the application of this section to foreign-based service providers, 
however, the final Guidance now makes clear that a covered credit union 
\10\ should be capable of addressing incidents of unauthorized access 
to member information in member information systems maintained by its 
domestic and foreign service providers.\11\
---------------------------------------------------------------------------

    \10\ See footnote 5, supra.
    \11\ See e.g., FFIEC Information Technology Examination 
Handbook, Outsourcing Technology Services Booklet, June 2004.
---------------------------------------------------------------------------

Components of a Response Program
    As described earlier, commenters criticized the prescriptive nature 
of proposed Section II that described the four components a response 
program should contain. The proposed Guidance instructed credit unions 
to design programs to respond to incidents of unauthorized access to 
member information by (1) assessing the situation; (2) notifying 
regulatory and law enforcement agencies; (3) containing and controlling 
the situation; and (4) taking corrective measures. The proposed 
Guidance contained detailed information about each of these four 
components.
    The introductory discussion in this section of the final Guidance 
now makes clear that, as a general matter, a credit union's response 
program should be risk-based. It applies this principle by modifying 
the discussion of a number of these components. The NCUA Board 
determined that the detailed instructions in these components of the 
proposed Guidance, especially in the ``Corrective Measures'' section, 
would not always be relevant or appropriate. Therefore, the final 
Guidance describes, through brief, bulleted points, the elements of a 
response program, giving credit unions greater discretion to address 
incidents of unauthorized access to or use of member information that 
could result in substantial harm or inconvenience to a member.
    At a minimum, a credit union's response program should contain 
procedures for (1) assessing the nature and scope of an incident, and 
identifying what member information systems and types of member 
information have been accessed or misused; (2) notifying the 
appropriate NCUA Regional Director and, in the case of state-chartered 
credit unions, its applicable state supervisory agency as soon as 
possible when the credit union becomes aware of an incident involving 
unauthorized access to or use of sensitive member information, as 
defined in the final Guidance, (3) immediately notifying law 
enforcement authorities in situations involving Federal criminal 
violations requiring immediate attention; (4) taking appropriate steps 
to contain and control the incident to prevent further unauthorized 
access to or use of member information, such as by monitoring, 
freezing, or closing affected accounts, while preserving records and 
other evidence; and (5) notifying members when warranted.

Assess the Situation

    The proposed Guidance stated that a credit union should assess the 
nature and scope of the incident and identify what member information 
systems and types of member information have been accessed or misused.
    Some commenters stated that NCUA and the Banking Agencies should 
retain this provision in the final Guidance. One commenter suggested 
that a credit union should focus its entire response program primarily 
on addressing unauthorized access to sensitive member information.
    The NCUA Board has concluded that a credit union's response program 
should begin with a risk assessment that allows a credit union to 
establish the nature of any information improperly accessed. This will 
allow the credit union to determine whether and how to respond to an 
incident. Accordingly, the NCUA Board has not changed this provision.

Notify Regulatory and Law Enforcement Agencies

    The proposed Guidance provided that a credit union should promptly 
notify NCUA when it becomes aware of an incident involving unauthorized 
access to or use of member information that could result in substantial 
harm or inconvenience to members. To clarify its expectations, the NCUA 
Board has amended the bullet point addressing notification of the 
regulator to include notification of the appropriate NCUA Regional 
Director, as well as any applicable state supervisory agency in the 
case of state-chartered credit unions.
    In addition, the proposed Guidance stated that a credit union 
should file a Suspicious Activity Report (SAR), if required, in 
accordance with 12 CFR

[[Page 22768]]

Part 748 and various NCUA issuances.\12\ The proposed Guidance stated 
that, consistent with the NCUA's SAR regulation, in situations 
involving Federal criminal violations requiring immediate attention, 
the credit union immediately should notify, by telephone, the 
appropriate law enforcement authorities and its primary regulator, in 
addition to filing a timely SAR. For the sake of clarity, the final 
Guidance discusses notice to regulators and notice to law enforcement 
in two separate, bulleted items.
---------------------------------------------------------------------------

    \12\ See 12 CFR Part 748.1(c); NCUA Letter to Credit Unions No. 
04-CU-03, Suspicious Activity Reports, March 2004; NCUA Regulatory 
Alert No. 04-RA-01, The Suspicious Activity Report (SAR) Activity 
Review--Trends, Tips, & Issues, Issue 6, November 2003, February 
2004.
---------------------------------------------------------------------------

Standard for Notice to Regulators
    The provision regarding notice to regulators in the proposed 
Guidance prompted numerous comments. Many commenters suggested that 
NCUA adopt a narrow standard for notifying regulators. These commenters 
were concerned that notice to regulators, provided under the 
circumstances described in the proposed Guidance, would be unduly 
burdensome for credit unions, service providers, and regulators, alike.
    Some of these commenters suggested that NCUA adopt the same 
standard for notifying regulators and members. These commenters 
recommended that notification occur when a credit union becomes aware 
of an incident involving unauthorized access to or use of ``sensitive 
member information,'' a defined term in the proposed Guidance that 
specified a subset of member information deemed by NCUA as most likely 
to be misused.
    Other commenters recommended that the Agencies narrow this 
provision so that a credit union will inform a regulator only in 
connection with an incident that poses a significant risk of 
substantial harm to a significant number of its members, or only in a 
situation where substantial harm to members has occurred or is likely 
to occur, instead of when it could occur.
    Other commenters who advocated the adoption of a narrower standard 
asked NCUA to take the position that filing an SAR constitutes 
sufficient notice and that notification of other regulatory and law 
enforcement agencies is at the sole discretion of the credit union. One 
commenter stated that it is difficult to imagine any scenario that 
would trigger the response program without requiring a SAR filing. Some 
commenters asserted that if NCUA believes a lower threshold is 
advisable for security breaches, it should amend Part 748.
    By contrast, some commenters recommended that the standard for 
notification of regulators remain broad. One commenter advocated that 
any event that triggers an internal investigation by the credit union 
should require notice to the appropriate regulator. Another commenter 
similarly suggested that notification of all security events to federal 
regulators is critical, not only those involving unauthorized access to 
or use of member information that could result in substantial harm or 
inconvenience to its members.
    The NCUA Board has concluded that the standard for notification to 
regulators should provide an early warning to allow NCUA or applicable 
state supervisory agency to assess the effectiveness of a credit 
union's response plan, and, where appropriate, to direct that notice be 
given to members if the credit union has not already done so. Thus, the 
standard in the final Guidance states that a credit union should notify 
its primary regulator as soon as possible if the credit union becomes 
aware of an incident involving unauthorized access to or use of 
``sensitive member information.''
    ``Sensitive member information'' is defined in section III of the 
final Guidance and means a member's name, address, or telephone number, 
in conjunction with the member's social security number, driver's 
license number, account number, credit or debit card number, or a 
personal identification number or password that would permit access to 
the member's account. ``Sensitive member information'' also includes 
any combination of components of member information that would allow 
someone to log onto or access the member's account, such as user name 
and password or password and account number.
    This standard is narrower than that in the proposed Guidance 
because a credit union will need to notify NCUA when, and only if, it 
becomes aware of an incident involving ``sensitive member 
information.'' Therefore, under the final Guidance, there will be fewer 
occasions when a credit union should need to notify NCUA. However, 
under this standard, a credit union will need to notify NCUA at the 
time that the credit union initiates its investigation to determine the 
likelihood that the information has been or will be misused, so that 
NCUA will be able to take appropriate action, if necessary.
Notice to Regulators by Service Providers
    Commenters on the proposed Guidance questioned whether a credit 
union or its service provider should give notice to a regulator when a 
security incident involves an unauthorized intrusion into the credit 
union's member information systems maintained by the service provider. 
One commenter noted that if a security event occurs at a large service 
provider, regulators could receive thousands of notices from 
institutions relating to the same event. The commenter suggested that 
if a service provider is examined by one of the Agencies the most 
efficient means of providing regulatory notice of such a security event 
would be to allow the servicer to notify its primary Agency contact. 
The primary Agency contact then could disseminate the information to 
the other regulatory agencies as appropriate.
    The NCUA Board believes it is the responsibility of the credit 
union and not the service provider to notify NCUA. Therefore, the final 
Guidance states that a credit union should notify NCUA as soon as 
possible when the credit union becomes aware of an incident involving 
unauthorized access to or use of sensitive member information. 
Nonetheless, a security incident at a service provider could have an 
impact on multiple financial institutions that are supervised by 
different Federal regulators. Therefore, in the interest of efficiency 
and burden reduction, the last paragraph in section II of the final 
Guidance makes clear that a credit union may authorize or contract with 
its service provider to notify the NCUA on the credit union's behalf 
when a security incident involves an unauthorized intrusion into the 
credit union's member information systems maintained by the service 
provider.
Notice to Law Enforcement
    Some commenters took issue with the provision in the proposed 
Guidance regarding notification of law enforcement by telephone. One 
interagency commenter asked the Banking Agencies to clarify how 
notification of law enforcement by telephone would work since in many 
cases it is unclear what telephone number should be used. This 
commenter maintained that size and sophistication of law enforcement 
authorities may differ from state to state and this requirement may 
create confusion and unwarranted action by the law enforcement 
authority.
    The final Guidance adopts this provision as proposed. The NCUA

[[Page 22769]]

Board notes that the provision stating that a credit union should 
notify law enforcement by telephone in situations involving federal 
criminal violations requiring immediate attention is consistent with 
Part 748.

Contain and Control the Situation

    The proposed Guidance stated that the credit union should take 
measures to contain and control a security incident to prevent further 
unauthorized access to or use of member information while preserving 
records and other evidence.\13\ It also stated that, depending upon the 
particular facts and circumstances of the incident, measures in 
connection with computer intrusions could include: (1) Shutting down 
applications or third party connections; (2) reconfiguring firewalls in 
cases of unauthorized electronic intrusion; (3) ensuring that all known 
vulnerabilities in the credit union's computer systems have been 
addressed; (4) changing computer access codes; (5) modifying physical 
access controls; and (6) placing additional controls on service 
provider arrangements.
---------------------------------------------------------------------------

    \13\ See FFIEC Information Security Booklet, December. 2002, pp. 
68-74, avaialble at https://www.ffiec.gov/ffiecinfobase.html_pages/
it_01.html#infosec.
---------------------------------------------------------------------------

    Few comments were received on this section. One interagency 
commenter suggested that the Banking Agencies adopt this section 
unchanged in the final Guidance. Another commenter had questions about 
the meaning of the phrase ``known vulnerabilities.'' Commenters did, 
however, note the overlap between proposed section II.C and the 
corrective measures in proposed section II.D, described as ``flagging 
accounts'' and ``securing accounts.''
    NCUA and the Banking Agencies agree that some sections in the 
proposed Guidance overlapped. Therefore, the NCUA Board modified this 
section by incorporating concepts from the proposed Corrective Measures 
component, and removing the more specific examples in this section, 
including the terms that confused commenters. This section in the final 
Guidance gives a credit union greater discretion to determine the 
measures it will take to contain and control a security incident. It 
states that credit unions should take appropriate steps to contain and 
control the incident to prevent further unauthorized access to or use 
of member information, such as, by monitoring, freezing, or closing 
affected accounts, while preserving records and other evidence.
Preserving Evidence
    One interagency commenter stated that the final Guidance should 
require financial institutions, as part of the response process, to 
have an effective computer forensics capability in order to investigate 
and mitigate computer security incidents as discussed in principle 
fourteen of the Basel Committee's ``Risk Management for Electronic 
Banking'' \14\ and the International Organization for Standardization's 
ISO 17799.\15\
---------------------------------------------------------------------------

    \14\ https://www.bis.org/publ/bcbs35.htm.
    \15\ https://www.iso.org/iso/en/prods-services/popstds/
informationsecurity.html.
---------------------------------------------------------------------------

    The NCUA Board notes that the final Guidance addresses not only 
computer security incidents, but also all other incidents of 
unauthorized access to member information. Thus, the Board thinks it is 
not appropriate to include more detail about steps a credit union 
should take to investigate and mitigate computer security incidents. 
However, the NCUA Board believes that credit unions should be mindful 
of industry standards when investigating an incident. Therefore, the 
final Guidance contains a reference to forensics by generally noting 
that a credit union should take appropriate steps to contain and 
control an incident, while preserving records and other evidence.

Corrective Measures

    The proposed Guidance stated that once a credit union understands 
the scope of the incident and has taken steps to contain and control 
the situation, it should take measures to address and mitigate the harm 
to individual members. It then described three corrective measures that 
a credit union should include as a part of its response program in 
order to effectively address and mitigate harm to individual members: 
(1) Flagging accounts; (2) securing accounts; and (3) notifying 
members. The NCUA Board removed the first two corrective measures for 
the reasons that follow.

Flagging and Securing Accounts

    The first corrective measure in the proposed Guidance directed 
credit unions to ``flag accounts.'' It stated that a credit union 
should immediately begin identifying and monitoring the accounts of 
those members whose information may have been accessed or misused. It 
also stated that a credit union should provide staff with instructions 
regarding the recording and reporting of any unusual activity, and if 
indicated given the facts of a particular incident, implement controls 
to prevent the unauthorized withdrawal or transfer of funds from member 
accounts.
    The second corrective measure directed credit unions to ``secure 
accounts.'' The proposed Guidance stated that when a share draft, 
savings, or other member account number, debit or credit card account 
number, personal identification number (PIN), password, or other unique 
identifier has been accessed or misused, the credit union should secure 
the account and all other accounts and services that can be accessed 
using the same account number or name and password combination. The 
proposed Guidance stated that accounts should be secured until such 
time as the credit union and the member agree on a course of action.
    Commenters were critical of these proposed measures. Several 
commenters asserted that the final Guidance should not prescribe 
responses to security incidents with this level of detail. Other 
commenters recommended that if NCUA chooses to retain references to 
``flagging'' or ``securing'' accounts, it should include the words 
``where appropriate'' in order to give credit unions the flexibility to 
choose the most effective solutions to problems.
    Commenters also stated that the decision to flag accounts, the 
nature of the flag, and the duration of the flag, should be left to an 
individual credit union's risk-based procedures developed under 
Appendix A. These commenters asked NCUA to recognize that regular, 
ongoing fraud prevention and detection methods employed by a credit 
union may be sufficient.
    Commenters representing small credit unions stated that they do not 
have the technology or other resources to monitor individual accounts. 
They stated that the financial impact of having to monitor accounts for 
unusual activity would be enormous, as each credit union would have to 
purchase expensive technology, hire more personnel, or both. These 
commenters asked NCUA to provide credit unions with the flexibility to 
close an account if the credit union detects unusual activity.
    With respect to ``securing accounts,'' several commenters stated 
that if ``secure'' means close or freeze, either is extreme and would 
have significant adverse consequences for members. Other commenters 
stated that the requirement that the credit union and the member 
``agree on a course of action'' is unrealistic, unworkable and should 
be eliminated. Some commenters explained that if a member is traveling 
and the credit union cannot contact the member to obtain the member's 
consent, freezing or closing a

[[Page 22770]]

member's account could strand the member with no means of taking care 
of expenses. They stated that, in the typical case, the credit union 
would monitor such an account for suspicious transactions.
    As described earlier, the NCUA Board is adopting an approach in the 
final Guidance that is more flexible and risk-based than that in the 
proposed Guidance. The final Guidance incorporates the general concepts 
described in the first two corrective measures into the brief bullets 
describing components of a response program enumerated in section II.C. 
Therefore, the first and second corrective measures no longer appear in 
the Guidance.

Member Notice and Assistance

    The third corrective measure in the proposed Guidance is titled 
``Member Notice and Assistance.'' This proposed measure stated that a 
credit union should notify and offer assistance to members whose 
information was the subject of an incident of unauthorized access or 
use under the circumstances described in section III of the proposed 
Guidance. The proposed Guidance also described which members should be 
notified. In addition, this corrective measure contained provisions 
discussing delivery and contents of the member notice.
    The final Guidance now states that a credit union's response 
program should contain procedures for notifying members when warranted. 
For clarity's sake, the discussion of which members should be notified, 
and the delivery and contents of member notice, is now in new section 
III, titled ``Member Notice.'' Comments and changes with respect to the 
paragraphs that were relocated are discussed under the section titled 
``Member Notice'' that follows.
Responsibility for Notice to Members
    Some commenters were confused by the discussion in the proposed 
Guidance stating that a credit union's contract with its service 
provider should require the service provider to disclose fully to the 
credit union information related to any breach in security resulting in 
an unauthorized intrusion into the credit union's member information 
systems maintained by the service provider. Commenters stated that this 
provision appears to create an obligation for both credit unions and 
their service providers to provide notice of security incidents to the 
credit union's members. These commenters recommended that the service 
provider notify its credit union customer so that the credit union can 
provide appropriate notice to its members. Thus, members would avoid 
receiving multiple notices relating to a single security incident.
    Other commenters asserted that a credit union should not have to 
notify its members if an incident has occurred because of the 
negligence of its service provider. These commenters recommended that 
in this situation, the service provider should be responsible for 
providing notice to the credit union's members.
    As discussed above in connection with notice to regulators, the 
NCUA Board believes that it is the responsibility of the credit union, 
and not of the service provider, to notify the credit union's members 
in connection with an unauthorized intrusion into a credit union's 
member information systems maintained by the service provider. The 
responsibility to notify members remains with the credit union whether 
the incident is inadvertent or due to the service provider's 
negligence. The NCUA Board notes that the costs of providing notice to 
the credit union's members as a result of negligence on the part of the 
service provider may be addressed in the credit union's contract with 
its service provider.
    The last paragraph in section II of the final Guidance, therefore, 
states that it is the responsibility of the credit union to notify the 
credit union's members. It also states that the credit union may 
authorize or contract with its service provider to notify members on 
the credit union's behalf when a security incident involves an 
unauthorized intrusion into the credit union's member information 
systems maintained by the service provider.

C. The ``Member Notice'' Section

    Section III of the proposed Guidance described the standard for 
providing notice to members and defined the term ``sensitive member 
information'' used in that standard. This section also gave examples of 
circumstances when a credit union should give notice and when NCUA does 
not expect a credit union to give notice. It also discussed contents of 
the notice and proper delivery.
    Section III of the final Guidance contains a more comprehensive 
discussion of member notice. It describes the standard for providing 
notice to members and defines both the terms ``sensitive member 
information'' and ``affected members.'' It also discusses the contents 
of the notice and proper delivery.
Standard for Providing Notice
    A key feature of the proposed Guidance was the description of when 
a credit union should provide member notice. The proposed Guidance 
stated that a credit union should notify affected members whenever it 
becomes aware of unauthorized access to ``sensitive member 
information'' unless the credit union, after an appropriate 
investigation, reasonably concludes that misuse of the information is 
unlikely to occur and takes appropriate steps to safeguard the 
interests of affected members, including by monitoring affected 
members' accounts for unusual or suspicious activity.
    The NCUA Board proposed this standard as a way to strike a balance 
between notification to members every time the mere possibility of 
misuse of member information arises from unauthorized access and a 
situation where the credit union knows with certainty that information 
is being misused. However, the Board specifically requested comment on 
whether this is the appropriate standard and invited commenters to 
offer alternative thresholds for member notification.
    Some commenters stated that the proposed standard was reasonable 
and sufficiently flexible. However, many commenters recommended that 
the Board provide credit unions with greater discretion to determine 
when a credit union should notify its members. Some of these commenters 
asserted that a credit union should not have to give notice unless the 
credit union believes it ``to be reasonably likely,'' or if 
circumstances indicated ``a significant risk'' that the information 
will be misused.
    Commenters maintained that because the proposed standard states 
that a credit union should give notice when fraud or identity theft is 
merely possible, notification under these circumstances would 
needlessly alarm members where little likelihood of harm exists. 
Commenters claimed that, eventually, frequent notices in non-
threatening situations will be perceived by members as routine and 
commonplace, and therefore reduce their effectiveness.
    The NCUA Board believes that articulating as part of the Guidance a 
standard that sets forth when notice to members is warranted is both 
helpful and appropriate. However, the Board agrees with commenters and 
is concerned that the proposed threshold inappropriately required 
credit unions to prove a negative proposition, namely, that misuse of 
the information accessed

[[Page 22771]]

is unlikely to occur. In addition, the Board does not want members of 
credit unions to receive notices that would not be useful to them. 
Therefore, the NCUA Board has revised the standard for members 
notification.
    The final Guidance provides that when a credit union becomes aware 
of an incident of unauthorized access to sensitive member information, 
the credit union should conduct a reasonable investigation to determine 
promptly the likelihood that the information has been or will be 
misused. If the credit union determines that misuse of the information 
has occurred or is reasonably possible, it should notify affected 
members as soon as possible.
    An investigation is an integral part of the standard in the final 
Guidance. A credit union should not forego conducting an investigation 
to avoid reaching a conclusion that member information has been or will 
be misused and cannot unreasonably limit the scope of the 
investigation. However, the NCUA Board acknowledges that a full-scale 
investigation may not be necessary in all cases, such as where the 
facts readily indicate that information will or will not be misused.
Monitoring for Suspicious Activity
    The proposed Guidance stated that a credit union need not notify 
members if it reasonably concludes that misuse of the information is 
unlikely to occur and takes appropriate steps to safeguard the 
interests of affected members, including by monitoring affected 
members' accounts for unusual or suspicious activity. A number of 
comments addressed the standard in the proposed Guidance on monitoring 
affected members' accounts for unusual or suspicious activity.
    Some commenters stated that the final Guidance should grant credit 
unions the discretion to monitor the affected member accounts for a 
period of time and to the extent warranted by the particular 
circumstances. Some commenters suggested that monitoring occur during 
the investigation. One commenter noted that a credit union's 
investigation may reveal that monitoring is unnecessary. One commenter 
noted that monitoring the member's accounts at the credit union may not 
protect the member, because unauthorized access to member information 
may result in identity theft beyond the accounts held at the specific 
credit union.
    The NCUA Board agrees that under certain circumstances, monitoring 
may be unnecessary, for example when, on the basis of a reasonable 
investigation, a credit union determines that information was not 
misused. The Board also agrees that the monitoring element may not 
protect the member. Indeed, an identity thief with unauthorized access 
to certain sensitive member information likely will open accounts at 
other financial institutions in the member's name.
    Accordingly, the Board concludes that monitoring under the 
circumstances described in the standard for notice would be burdensome 
for credit unions without a commensurate benefit to members. For these 
reasons, the Board has removed the reference to monitoring in the final 
Guidance.
Timing of Notice
    The proposed Guidance did not include specific language on the 
timing of notice to members, and NCUA and the Banking Agencies received 
many comments on this issue. Some commenters requested clarification of 
the time frame for member notice. One commenter recommended that NCUA 
adopt the approach in the proposed Guidance because it does not set 
forth any circumstances that may delay notification of the affected 
members. Another commenter maintained that, in light of a member's need 
to act expeditiously against identity theft, an outside limit of 48 
hours after the credit union learns of the breach is a reasonable and 
timely requirement for notice to members. Many commenters, however, 
recommended that NCUA make clear that a credit union may take the time 
it reasonably needs to conduct an investigation to assess the risk 
resulting from a security incident.
    The NCUA Board has responded to these various comments on the 
timing of notice by providing that a credit union notify an affected 
member ``as soon as possible'' after concluding that misuse of the 
member's information has occurred, or is reasonably possible. As the 
scope and timing of a credit union's investigation is dictated by the 
facts and circumstances of a particular case, the Board has not 
designated a specific number of hours or days by which credit unions 
should provide notice to members. The Board believes that doing so may 
inhibit a credit union's ability to investigate adequately a particular 
incident or may result in notice that is not timely.
Delay for Law Enforcement Investigation
    The proposed Guidance did not address delay of notice to members 
while a law enforcement investigation is conducted. Many commenters 
recommended permitting a credit union to delay notification to members 
to avoid compromising a law enforcement investigation. These commenters 
noted that the California Database Protection Act of 2003 (CDPA) 
requires notification of California residents whose unencrypted 
personal information was, or is reasonably believed to have been, 
acquired by an unauthorized person.\16\ However, the CDPA permits a 
delay in notification if a law enforcement agency determines that the 
notification will impede a criminal investigation.\17\ Another 
commenter suggested that a credit union should not have to obtain a 
formal determination from a law enforcement agency before it is able to 
delay notice.
---------------------------------------------------------------------------

    \16\ The CDPA, also known as CA S.B. 1386, amended the 
Information Practices Act of 1977, California Civil Code, section 
1798.82.
    \17\ See California Civil Code, section 1798.29(c).
---------------------------------------------------------------------------

    The NCUA Board agrees that it is appropriate to delay member notice 
if such notice will jeopardize a law enforcement investigation. 
However, to ensure that such a delay is necessary and justifiable, the 
final Guidance states that member notice may be delayed if an 
appropriate law enforcement agency determines that notification will 
interfere with a criminal investigation and provides the credit union 
with a written request for the delay.\18\
---------------------------------------------------------------------------

    \18\ This includes circumstances when a credit union confirms 
that an oral request for delay from law enforcement will be followed 
by a written request.
---------------------------------------------------------------------------

    The NCUA Board is concerned that a delay of notification for a law 
enforcement investigation could interfere with the ability of members 
to protect themselves from identity theft and other misuse of their 
sensitive information. Thus, the final Guidance also provides that a 
credit union should notify its members as soon as notification will no 
longer interfere with the investigation and should maintain contact 
with the law enforcement agency that has requested a delay, in order to 
learn, in a timely manner, when member notice will no longer interfere 
with the investigation.

Sensitive Member Information

Scope of Standard
    The Banking Agencies received many comments on the limitation of 
notice in the proposed Guidance to incidents involving unauthorized 
access to sensitive customer information. The NCUA Board invited 
comment on whether to modify the proposed standard for notice to apply 
to other circumstances that compel a credit union to conclude that 
unauthorized access to information, other than sensitive member 
information, likely

[[Page 22772]]

will result in substantial harm or inconvenience to the affected 
members.
    Most commenters recommended that the standard remain as proposed 
rather than covering other types of information. One interagency 
commenter suggested that the Agencies continue to allow a financial 
institution the discretion to notify affected customers in any other 
extraordinary circumstances that compel it to conclude that 
unauthorized access to information other than sensitive customer 
information likely will result in substantial harm or inconvenience to 
those affected. However, the commenter did not provide any examples of 
such extraordinary circumstances.
    The NCUA Board continues to believe that the rationale for limiting 
the standard to sensitive member information expressed in the proposed 
Guidance is correct. The proposed Guidance explained that, in 
accordance with Appendix A, a credit union must protect against 
unauthorized access to or use of member information that could result 
in substantial harm or inconvenience to a member. Substantial harm or 
inconvenience is most likely to result from improper access to 
sensitive member information because this type of information is easily 
misused, as in the commission of identity theft.
    The NCUA Board has not identified any other circumstances that 
should prompt member notice and continues to believe that it is not 
likely that a member will suffer substantial harm or inconvenience from 
unauthorized access to other types of information. Therefore, the 
standard in the final Guidance continues to be limited to unauthorized 
access to sensitive member information. Of course, a credit union still 
may send notices to members in any additional circumstances that it 
determines are appropriate.
Definition of Sensitive Member Information
    NCUA received many comments on the proposed definition of 
``sensitive member information'' in the proposed Guidance. The first 
part of the proposed definition stated that ``sensitive member 
information'' is a member's social security number, personal 
identification number (PIN), password or account number, in conjunction 
with a personal identifier such as the member's name, address, or 
telephone number. The second part of the proposed definition stated 
that ``sensitive member information'' includes any combination of 
components of member information that allow someone to log onto or 
access another person's account, such as user name and password.
    Some commenters agreed with this definition of ``sensitive member 
information.'' They said that it was sound, workable, and sufficiently 
detailed. However, many commenters proposed additions, exclusions, or 
alternative definitions.
Additional Elements
    Some commenters suggested that NCUA add various data elements to 
the definition of sensitive member information, including: A driver's 
license number or number of other government-issued identification, 
mother's maiden name, and date of birth. One commenter suggested 
inclusion of other information that credit unions maintain in their 
member information systems such as a member's account balance, account 
activity, purchase history, and investment information. The commenter 
noted that misuse of this information in combination with a personal 
identifier can just as