The following is an article reprinted with permission from the Spring 2006 edition of The WWR Letter:
Making Data Security a Priority
By: Robert Rutkowski, Esquire
The last few years have not been great ones for keeping data secure. Several major corporations reported security breaches where records were lost or stolen. Tapes were lost, paper lists never arrived at their intended destinations and laptops fell into the hands of people with bad intentions. It is as though we need an entirely new way of looking at the storage and transportation of data.
The NCUA gives some instruction on data security in its Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice. Federally insured credit unions must now follow certain requirements when member information is at risk. Essentially, credit unions must make an assessment of the situation, notify regulatory and law enforcement agencies, contain and control the situation, take corrective action, notify members and revise their vendor contracts (to require vendors to inform credit unions of data breaches).
The NCUA regulation is helpful in that it creates a minimum standard to follow. However, a credit union should not stop there. This entire problem is one of data security. Currently, the best way to send data is to encrypt it and send it electronically. We need to stop thinking of data as something that can be entrusted lightly to a courier. Instead, we should think of sending data the same way we think of sending money and treat it with the same level of security. Avoiding the loss or theft of data in the first instance is the most effective way to deal with the problem.
The consequences of a data breach or loss of data can be catastrophic to a credit union. Under the requirements of a security response program, notice to members should be given if “substantial harm or inconvenience could result to members from unauthorized access.” In the instance of a large-scale data compromise, such a notice could cause a run on the credit union.
State governments are noticing this problem as well. Many states have new identity theft laws that allow the freezing of consumer reports or placing of fraud alerts beyond what is offered under FACTA. Ultimately, however, legislation is not going to solve the problem. Data must be treated differently and more securely. It must be encrypted and transmitted by the most secure method possible. Credit unions definitely need a policy in place to comply with the law, but to protect the credit union to the fullest extent, it is important to move away from storing and transporting data in vulnerable ways. Credit unions have lots of experience in handling money securely. Data now needs to be approached in the same way.
Robert Rutkowski is the Managing Partner of WWR’s Credit Union department and Corporate & Financial Services practice group. Located in the Brooklyn Heights operations center, he can be reached at (216) 739-5004 or firstname.lastname@example.org.