NCUA's IG to Review October BreachFormer NCUA Chair Calls for Breach Notification Policy Review
Weeks after news broke about a breach of sensitive member data at a small credit union in California during an examination, the National Credit Union Administration's Inspector General has announced plans to investigate the case (see: Did Regulator Cause a Data Breach?).
In a Dec. 29 statement to Information Security Media Group, the NCUA says Inspector General James Hagen plans to audit the NCUA's examination of Palm Springs Federal Credit Union, during which a flash drive containing sensitive consumer data was lost. Hagen expects to conduct:
Michael Fryzel says most NCUA board members were not notified of the breach until it was reported by the media.
- An audit to determine whether NCUA has adequate controls in place to protect electronic personally identifiable information and sensitive credit union data during examinations;
- A review of the agency's decision not to publicly announce, on the NCUA website, the data breach and how the agency can improve if a breach were to occur in the future; and
- An investigation into the unauthorized disclosure by two alleged NCUA sources of internally held information regarding the breach of the credit union members' information.
Last week, Michael Fryzel, a former chairman of the NCUA who has publicly criticized how the NCUA handled its response to the breach, called for a third party, such as the Inspector General, to investigate the incident (Former NCUA Chair Outraged by Breach).
"I believe it is necessary for someone to say the NCUA made a mistake here and there needs to be an outside source to correct it," Fryzel said.
"It's unfortunate that the breach occurred," Fryzel said. "But when a breach does occur, the regulator involved needs to take the proper steps. ... NCUA regulators have always made the point that credit unions and retailers have to be held responsible. And I think it is important that the NCUA be open to all that occurred during this breach."
Until an investigation into the breach is completed, "we will not know who or what agency may be at fault," he adds. "All of these are things that have to be quickly looked at."
Slow to Disclose Breach
One of the main sticking points for Fryzel and others is that the breach occurred in October, yet it wasn't until December that the breach was made public.
"A letter went out to all of the members of the credit union," Fryzel says. "This information was out, yet NCUA never put out anything formal to say this occurred. ... The fact that they waited so long, leads one to believe there was never going to be any public information put out about this."
How the NCUA and the Inspector General respond will be critical, Fryzel says. For instance, the IG can review who wrote the breach notification letter and why it was worded as it was, Fryzel says. This episode could spur more discussion about how federal banking regulators should handle breach notification, he adds.
"I know a number of people have talked about national standards, and that Congress should set national standards for how to handle this kind of situation," Fryzel says. "I don't know how quickly Congress will act. But it would be good to see the regulatory agencies sit down and come up with standards of their own for notification."
Michael Fryzel says sensitive information about members should have been better protected.