Written by Alicia Nealon, Regulatory Compliance Counsel
As the holidays officially come to a close, and we all deal with the mountain of decorations-to-be-taken-down, gifts-to-be-returned, and unwanted-holiday-pounds-to-lose, the credit union community also has to deal with the holiday gift that nobody asked for- the Target data breach.
In late December 2013, Target confirmed that there was a massive data breach at their stores between November 27 and December 15 of credit and debit card information. There are a few things to consider when a breach of information like this occurs.
First, it may be important for a credit union determine the appropriate operational controls that need to be taken, such as monitoring accounts, closing accounts and reissuing cards. While they will ultimately be a business decision for the credit union, these decisions will depend on what information from the account has been compromised, as that will dictate the risk of fraudulent and unauthorized transactions that could be charged to the card and/or account. Depending on the number of impacted accounts within an individual credit union, the credit union will have to make the business decision whether to reissue the cards, or close the accounts.
Second, it may be appropriate for a credit union to address its liability for unauthorized transactions. Both Regulation E and Regulation Z limit a member’s liability for unauthorized transactions. 12 CFR 1005.6; 12 CFR 1026.13. Additionally, the agreements between the credit union and VISA and MasterCard typically require a “zero liability” for the member for unauthorized transactions. Accordingly, the liability often falls onto the credit union. To mitigate this risk, credit unions may make the business decision to reissue cards or close compromised accounts.
There is no technical federal regulatory requirement to for a credit union to notify its members or NCUA of a merchant (e.g., Target) data breach. Credit unions are only required to notify members and NCUA when there has been a direct data breach of the credit union’s system maintained by it or its third-party service provider. However, member notification, in any data breach context, may help to mitigate against the risk of fraudulent or unauthorized transactions, and NCUA generally would want to know about a merchant breach. If a credit union chooses to alert their members, NCUA’s Regulation Appendix B to Part 748 contains a Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.
Overall, the Target breach serves as reminder to credit unions who have card accounts (especially credit card accounts) of the usefulness of having established practices for incidents that compromise their member’s financial and personal information. These practices, which are designed foremost to protect members and also protect the credit union from the effects of data breaches, can help guide a credit union as it determines what operational control actions are required for dealing with fraudulent activity.
While the Target breach may have been as unwanted as the mountain of holiday decorations, returns and pounds cluttering our households, NAFCU has made one of our new year resolutions to encourage Congress to addresse data security, and retailers to protect consumers from breaches that compromise their financial and personal information.