
The GLBA, the FCRA, the NCUA, and the State: Understanding the Laws Protecting your Members’ Information NASCUS 2016 Cybersecurity Symposium.


1 The GLBA, the FCRA, the NCUA, and the State: Understanding the Laws Protecting your Members’ Information
NASCUS 2016 Cybersecurity Symposium

2 Your Presenter
David A. Reed, Attorney at Law
Reed & Jolly, LLC
(703) 675-9578
David @reedandjolly.com
Reed & Jolly, PLLC

3 Ripped from the Headlines
$80 million FICU victim of CryptoWall
–$500 US in bitcoin demanded to get data systems released
–Other small FICUs refused the ransom, wiped the box and restored data successfully
$60 million FICU victim of account takeover
–Corporate CU recognized an unusual transaction and halted the automatic wire pending human confirmation
Medium institution(s): ID theft, tax return fraud with false identities
Data exfiltration (sold on black market)
Website defacement
Ransomware took down a portion of the network where backup failed ($$$$ to mitigate)

4 Bottom Line
Every product and service we offer is covered by a series of laws, rules and regulations. But one set of requirements surrounds everything: Privacy. We continually need to monitor and inventory our data access and usage. From tellers to marketing and lending to collections and even third parties, who has access to what and how do they protect it?

5 What’s the Big Deal with Privacy?
Members get sensitive about their “GOODIES”
Have you done a data/privacy inventory?
–Who has access?
–Who can share information?
–What does our data sharing really look like in the credit union?

6 NPI: A Refresher
Nonpublic personal information generally is any information that is not publicly available and that:
–the consumer provides to a credit union to obtain a financial product or service from the credit union;
–results from a transaction between the consumer and the credit union involving a financial product or service; or
–the credit union otherwise obtains about a consumer in connection with providing a financial product or service.

7 Do You Remember When this Was the Biggest Threat to Data Security?

8 So Many Laws
All of them focus on keeping your members’ goodies safe!
Gramm-Leach-Bliley (Reg P)
Fair Credit Reporting Act
–FACT Act
NCUA Rules and Regulations
–Parts 716, 717 and 748
State Laws

9 Gramm-Leach-Bliley Act
Implemented by NCUA Regulation Part 716 and Guidelines in Part 748, Appendix A
Privacy Notices, Policies and Procedures
Opt Out
Affiliated and Non-Affiliated Third Parties
–More than Third Party Due Diligence
Exceptions
Training

10 Fair Credit Reporting Act
Implemented by NCUA for FCUs by Regulation Part 717
Affiliate Marketing
–Opt Out Opportunity
Duties of Data Furnishers
–Reasonable Policies and Direct Disputes
Duties of Report Users
–Disposal and Address Discrepancies
Identity Theft Red Flags

11 Board and SC Duties
Federal (or State) Credit Union Act
NCUA Regulations
–Board Duties and Authority §701.4
–SC Duties §715
Bylaws
–Board: Articles VI and VII
–SC: Article IX
Policies and Procedures
Best Practices
Examination Guidance

12 The Moving Parts of Security
Part 748 Security Program
Part 748.1 Filing of Reports
–Compliance Report
–Catastrophic Act
–Suspicious Activity Report
Part 748.2 BSA Compliance
–Establish a compliance program
–CIP
Appendix A Safeguarding Member Information
Appendix B Response Program – Unauthorized Access

13 The Certification
“The chairperson of the Credit Union’s Board of Directors is required to certify compliance with Part 748 each year. The statement of compliance is provided at the bottom of the Credit Union Profile Form that is submitted annually to the regional director following the credit union’s election of officials.”
Source: NCUA CU Profile Form 6/14

14 I hereby certify to the best of my knowledge and belief that this credit union has developed and administers a security program that equals or exceeds the standards prescribed by Part 748.0 of the NCUA Rules and Regulations; that such security program has been reduced to writing, approved by this credit union's Board of Directors; and this credit union has provided for the installation, maintenance, and operation of security devices, if appropriate, in each of its offices. Further, I certify that I am the president or managing official of the credit union or that the president or managing official has authorized me to make this submission on his/her behalf.
______________________________________________
VOLUNTEER’S NAME HERE

15 NCUA Guidance
On January 15, 2015, NCUA Letter No. 15-CU-01 provided guidance to CU Boards of Directors and Chief Executive Officers on the NCUA examinations in 2015.
The first item in the guidance letter: Cybersecurity
“In 2015, NCUA will redouble efforts to ensure that the credit union system is prepared for a range of cybersecurity threats.”

16 NCUA Guidance
The guidance letter identified six “proactive measures credit unions can take to protect their data and their members:
–encrypting sensitive data;
–developing a comprehensive information security policy;
–performing due diligence over third parties that handle credit union data;
–monitoring cybersecurity risk exposure;
–monitoring transactions; and,
–testing security measures.”

17 NCUA Supervisory Priorities 2016
LCU 16-CU-01
Here are their top emerging risks for the year:
–Cybersecurity Assessment
–Response Programs for Unauthorized Access to Member Information
–Bank Secrecy Act Compliance
–Interest Rate Risks
–TILA – RESPA Integrated Disclosures
–CUSO Reporting

18 AIRES Questionnaires
Automated Integrated Regulatory Examination Software
They are the audit questions the examiner will use during the examination for each operational area
Good resource for planning and preparation
http://www.ncua.gov/Resources/CUs/Pages/AIRES.aspx

19 NCUA AIRES Questionnaires

20 NCUA Privacy Questionnaire

21 NCUA AIRES IT Questionnaires

22 But Wait! There’s More!
What’s in your state Code?
–What is your code?
At last count, 47 states have some form of data breach notification law, and most of those have very sharp teeth!
–Alabama, New Mexico, and South Dakota
–See attachment
You need to know coverage, definitions of NPI and breach, notice requirements and exemptions.

23 Questions?

