Just last week, I listened to NCUA Chairman Debbie Matz wax self-righteously about data security and the danger posed to credit unions by third-party data breaches.
"Throughout this year, credit unions and their members have suffered from data breaches they did not cause," Matz said. "When breaches occur … the responsible third parties should be held accountable."
Turns out she was talking about the NCUA.
This week, the NCUA acknowledged that an NCUA examiner was responsible for a massive data breach in October at the $13.1 million Palm Springs Federal Credit Union. The examiner lost a thumb drive containing member names, addresses, Social Security numbers, and account numbers (Credit Union Times, NCUA Examiner Blamed For Data Breach, Dec. 15, 2014).
This situation is appalling at many different levels. In what world is it ever permissible to place unencrypted personally identifiable information (PII) onto a portable device and transport it out of a secure area?
There is no universe in which this sort of practice is remotely acceptable or tolerable. Unless, apparently, you are an all-powerful, unreviewable regulator charged in part with protecting that data, those institutions, and their member-owners.
For this to have happened, at least one of two indefensible things must have occurred: Either the examiner was executing NCUA policy by demanding that the credit union engage in a practice that would not be acceptable under NCUA regulations if the data was being given to anyone other than an examiner, or the examiner was sufficiently untrained, unsupervised, self-important, and/or irresponsible to demand the data in this insecure form and credit union officials did not feel empowered to refuse.
If it’s the latter, then we should be talking immediate termination of the examiner and, potentially, legal charges. If it’s the former, then the NCUA should publicly acknowledge its inadequate security protocols and take public steps to fix them, both systemically and in terms of the damage done to the credit union. NCUA should do what Chairman Matz says all responsible third parties should do.
The damage at Palm Springs FCU is not trivial. Even if there is never a single identity stolen or dollar purloined, the costs will still be significant. The credit union is providing its member-owners a year’s protection against identity theft at no cost. So who’s paying for it? The NCUA? If that’s the case, the agency should say so. More likely, the credit union is footing the bill. In context, it’s a big one.
In the credit union’s letter announcing the breach to its members, it mentions AllClear PRO, the monthly cost of which is $14.95 per person. I’m sure the commercial plan is much cheaper, but it can’t be cheap enough. According to data from Callahan & Associates, Palm Springs FCU has 1,580 members and an ROA of 0.08%, less than $10,500. Even with a 50% discount for the service, one month of protection would cost more than $11,800. A year’s coverage would run more than 8% of the institution’s capital. The letter to member-owners should have said the protection is coming at a significant cost.
Even more disturbing, the letter never mentions NCUA. Not a word places responsibility where it belongs. No mention of examination, examiner, supervisor, or regulator: nothing that would send a clear message to the cooperative’s member-owners that its management was not responsible for the breach.
The letter’s explanation of the loss as "part of the audit process" inaccurately and unfairly implies a failure of credit union management, not a failure of the federal regulator whose edicts have force of law.
Finally, Chairman Matz was preaching at the Washington Metropolitan Area Credit Union Management Association annual dinner, seven weeks after the data breach. Either she knew about the breach and spoke anyway, in which case she is a hypocrite, or she didn’t know about the breach, in which case she is an irresponsible manager.