The GLBA, the FCRA, the NCUA, and the State: Understanding the Laws Protecting your Members’ Information NASCUS 2016 Cybersecurity Symposium.


Your Presenter: David A. Reed, Attorney at Law, Reed & Jolly, PLLC (703)

Ripped from the Headlines
– $80 million FICU victim of CryptoWall ransomware ($500 US in bitcoin demanded to get data systems released). Other small FICUs refused the ransom, wiped the box and restored data successfully.
– $60 million FICU victim of account takeover. The corporate CU recognized an unusual transaction and halted the automated wire pending human confirmation.
– Medium institution(s): ID theft and tax return fraud with false identities.
– Data exfiltration (sold on the black market).
– Website defacement.
– Ransomware took down a portion of the network where backup failed ($$$$ to mitigate).

Bottom Line
Every product and service we offer is covered by a series of laws, rules and regulations. But one set of requirements surrounds everything: privacy. We continually need to monitor and inventory our data access and usage. From tellers to marketing, lending to collections, and even third parties: who has access to what, and how do they protect it?

What’s the Big Deal with Privacy?
Members get sensitive about their “GOODIES.” Have you done a data/privacy inventory?
– Who has access?
– Who can share information?
– What does our data sharing really look like in the credit union?

NPI: A Refresher
Nonpublic personal information generally is any information that is not publicly available and that:
– a consumer provides to a credit union to obtain a financial product or service from the credit union;
– results from a transaction between the consumer and the credit union involving a financial product or service; or
– the credit union otherwise obtains about a consumer in connection with providing a financial product or service.

Do You Remember When This Was the Biggest Threat to Data Security? (image slide)

So Many Laws
All of them focus on keeping your members’ goodies safe!
– Gramm-Leach-Bliley (Reg P)
– Fair Credit Reporting Act (FACT Act)
– NCUA Rules and Regulations (Parts 716, 717 and 748)
– State Laws

Gramm-Leach-Bliley Act
Implemented by NCUA Regulation Part 716 and Guidelines in Part 748, Appendix A
– Privacy Notices, Policies and Procedures
– Opt Out
– Affiliated and Non-Affiliated Third Parties (more than third-party due diligence)
– Exceptions
– Training

Fair Credit Reporting Act
Implemented by NCUA for FCUs by Regulation Part 717
– Affiliate Marketing (opt-out opportunity)
– Duties of Data Furnishers (reasonable policies and direct disputes)
– Duties of Report Users (disposal and address discrepancies)
– Identity Theft Red Flags

Board and SC Duties
– Federal (or State) Credit Union Act
– NCUA Regulations: Board Duties and Authority (§701.4); SC Duties (§715)
– Bylaws: Board (Articles VI and VII); SC (Article IX)
– Policies and Procedures
– Best Practices
– Examination Guidance

The Moving Parts of Security: Part 748
– Security Program
– Filing of Reports: Compliance Report; Catastrophic Act; Suspicious Activity Report
– BSA Compliance: establish a compliance program; CIP
– Appendix A: Safeguarding Member Information
– Appendix B: Response Program for Unauthorized Access

The Certification
“The chairperson of the Credit Union’s Board of Directors is required to certify compliance with Part 748 each year. The statement of compliance is provided at the bottom of the Credit Union Profile Form that is submitted annually to the regional director following the credit union’s election of officials.” Source: NCUA CU Profile Form 6/14

I hereby certify to the best of my knowledge and belief that this credit union has developed and administers a security program that equals or exceeds the standards prescribed by Part 748.0 of the NCUA Rules and Regulations; that such security program has been reduced to writing, approved by this credit union's Board of Directors; and this credit union has provided for the installation, maintenance, and operation of security devices, if appropriate, in each of its offices. Further, I certify that I am the president or managing official of the credit union or that the president or managing official has authorized me to make this submission on his/her behalf.
______________________________________________
VOLUNTEER’S NAME HERE

NCUA Guidance
On January 15, 2015, NCUA Letter No. 15-CU-01 provided guidance to CU Boards of Directors and Chief Executive Officers on the NCUA examinations in 2015. The first item in the guidance letter was cybersecurity: “In 2015, NCUA will redouble efforts to ensure that the credit union system is prepared for a range of cybersecurity threats.”

NCUA Guidance
The guidance letter identified six “proactive measures credit unions can take to protect their data and their members:
– encrypting sensitive data;
– developing a comprehensive information security policy;
– performing due diligence over third parties that handle credit union data;
– monitoring cybersecurity risk exposure;
– monitoring transactions; and,
– testing security measures.”

NCUA Supervisory Priorities 2016 (LCU 16-CU-01)
Here are their top emerging risks for the year:
– Cybersecurity Assessment
– Response Programs for Unauthorized Access to Member Information
– Bank Secrecy Act Compliance
– Interest Rate Risks
– TILA-RESPA Integrated Disclosures
– CUSO Reporting

AIRES Questionnaires
Automated Integrated Regulatory Examination Software. These are the audit questions the examiner will use during the examination for each operational area, and a good resource for planning and preparation.

NCUA AIRES Questionnaires (image slide)

NCUA Privacy Questionnaire (image slide)

NCUA AIRES IT Questionnaires (image slide)

But Wait! There’s More!
What’s in your state code?
– At last count, 47 states have some form of data breach notification law, and most of those have very sharp teeth! The exceptions: Alabama, New Mexico, and South Dakota (see attachment).
– You need to know coverage, definitions of NPI and breach, notice requirements, and exemptions.

Questions?