BreachExchange mailing list archives

NAFCU Deems Data Encryption Rule Unnecessary


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 Jan 2015 13:01:29 -0700

http://www.cutimes.com/2015/01/07/nafcu-deems-data-encryption-rule-unnecessary

The NCUA should look internally for ways to better protect credit union
members’ data, rather than impose a new rule, according to NAFCU Director
of Regulatory Affairs Alicia Nealon.

Nealon’s statement was made in response to NCUA Board Chairman Debbie Matz
floating the possibility of a proposed data encryption rule after an agency
examiner lost a thumb drive with personal credit union member information.

“Credit unions must already follow stringent data security and privacy
requirements, and they have a strong track record of regulatory compliance
with these requirements. Credit unions also constantly strive to implement
the highest safeguards for their members’ data,” Nealon said Wednesday.

A recent survey of NAFCU’s member credit unions found that credit unions
not only meet the regulatory requirements, but also voluntarily implement
many of NCUA’s suggested best practices in order to better safeguard their
members’ data, according to Nealon.

“Rather than promulgating additional regulatory burdens on credit unions,
NCUA should take a look internally at what actions the agency can take to
better protect the credit unions’ data in its care,” she said.

Matz estimated the cost of the data breach incident at the $13 million Palm
Springs Federal Credit Union in Palm Springs, Calif., to be around $15,000
to $20,000.

“We are contemplating a rule, which would require encryption, but we’re not
at the point where I can say we’re going in that direction yet but it’s
clearly something we’re thinking about. Short of requiring it, we’re really
struggling trying to figure out how to prevent data breaches. That’s a very
fundamental thing to do, to make sure that if the data is lost or stolen
that members’ confidential information is protected,” Matz told CU Times.

“Believe it or not, we really don’t like putting out more regs than we need
to but we’re struggling to determine if there’s another way to do this. Of
course we’re always willing to hear suggestions from the credit union
community about how to proceed,” she added.

CUNA has not commented on the possibility of a proposed data encryption
rule.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/