7535-01-U
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 748
Security Program and Appendix B – Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice
AGENCY: National Credit Union Administration (NCUA).
ACTION: Final rule.
SUMMARY: NCUA is amending its rule governing security program elements to require federally insured credit unions to include response programs to address instances of unauthorized access to member information. NCUA is also including guidance, in the form of Appendix B, to provide federally insured credit unions with direction on ways to meet the new regulatory requirements.
DATE: This rule is effective on June 1, 2005.
FOR FURTHER INFORMATION CONTACT: Matthew J. Biliouris, Senior Information Systems Officer, Office of Examination & Insurance, Division of Supervision, at telephone (703) 518-6394; or Ross Kendall, Staff Attorney, Office of General Counsel, at telephone (703) 518-6562.
Appendix B to Part 748 – Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice
I. Background
This Guidance in the form of Appendix B to NCUA’s Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance regulation (29) interprets section 501(b) of the Gramm-Leach-Bliley Act (“GLBA”) and describes response programs, including member notification procedures, that a federally insured credit union should develop and implement to address unauthorized access to or use of member information that could result in substantial harm or inconvenience to a member. The scope of, and definitions of terms used in, this Guidance are identical to those of Appendix A to Part 748 (Appendix A). For example, the term “member information” is the same term used in Appendix A, and means any record containing nonpublic personal information about a member, whether in paper, electronic, or other form, maintained by or on behalf of the credit union.
A. Security Guidelines
Section 501(b) of the GLBA required the NCUA to establish appropriate standards for credit unions subject to its jurisdiction that include administrative, technical, and physical safeguards to protect the security and confidentiality of member information. Accordingly, the NCUA amended Part 748 of its rules to require credit unions to develop appropriate security programs, and issued Appendix A, reflecting its expectation that every federally insured credit union would develop an information security program designed to:
1. Ensure the security and confidentiality of member information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member.
B. Risk Assessment and Controls
1. Appendix A directs every credit union to assess the following risks, among others, when developing its information security program:
a. Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems;
b. The likelihood and potential damage of threats, taking into consideration the sensitivity of member information; and
c. The sufficiency of policies, procedures, member information systems, and other arrangements in place to control risks. (30)
2. Following the assessment of these risks, Appendix A directs a credit union to design a program to address the identified risks. The particular security measures a credit union should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, the credit union should consider the specific security measures enumerated in Appendix A, (31) and adopt those that are appropriate for the credit union, including:
a. Access controls on member information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing member information to unauthorized individuals who may seek to obtain this information through fraudulent means;
b. Background checks for employees with responsibilities for access to member information; and
c. Response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies.
(29) See 12 CFR Part 748.
(30) See 12 CFR Part 748, Appendix A, Paragraph III.B.
(31) See Appendix A, Paragraph III.C.
(32) See Appendix A, Paragraph III.C.
Source: http://www.ncua.gov/RegulationsOpinionsLaws/RecentFinalRegs/F-748.pdf