
Compliance requirements in responding to the Target breach

In the wake of the Target data breach, many credit unions are asking CUNA's compliance attorneys: What do federal regulations require us to do? It is important for credit unions to remember that, despite the high-profile nature of this incident (it occurred right before Christmas at a very large, nationwide retailer), they will need to handle it like any other data breach.

If you need a quick refresher:
Section 748 of NCUA’s regulations requires federally insured credit unions to have a security program that contains a provision for responding to instances of unauthorized access to “sensitive” member information (privately insured CUs need similar programs). Appendix B to Part 748 (“Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice”) provides credit unions with direction on how to comply.

When a credit union becomes aware of an incident of unauthorized access to sensitive member information maintained by either the credit union or its contracted third party service provider, the credit union must conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. Sensitive information includes a member’s name, address, or telephone number, in conjunction with the member’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member’s account.

Links to NCUA’s Section 748 regulation and Appendix B can be found in CUNA’s eGuide to Federal Laws and Regulation under our “Security Programs” topic.