AGENCY:
National Credit Union Administration (NCUA).
ACTION:
Notice of proposed rulemaking and request for comment.
SUMMARY:
The NCUA Board is proposing a modification to the security program requirements to include security of member information. Further, the NCUA Board is requesting comment on proposed Guidelines for safeguarding member information published to implement certain provisions of the Gramm-Leach-Bliley Act (the GLB Act or Act).
The GLB Act requires the NCUA Board to establish appropriate standards for federally-insured credit unions relating to administrative, technical, and physical safeguards for member records and information. These safeguards are intended to: insure the security and confidentiality of member records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any member.
DATES:
NCUA must receive comments not later than August 14, 2000.
ADDRESSES:
Direct comments to: Becky Baker, Secretary of the Board. Mail or hand-deliver comments to: National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428. You may fax comments to (703) 518-6319, or e-mail comments to boardmail@ncua.gov. Please send comments by one method only.
FOR FURTHER INFORMATION CONTACT:
Matthew Biliouris, Information Systems Officer, or Jodee Jackson, Compliance Officer, Office of Examination and Insurance, at the above address or telephone (703) 518-6360.
SUPPLEMENTARY INFORMATION:
The contents of this preamble are listed in the following outline:
I. Background
II. Section-by-Section Analysis
III. Regulatory Procedures
A. Paperwork Reduction Act
B. Regulatory Flexibility Act
C. Executive Order 13132
D. Treasury and General Government Appropriations Act, 1999
IV. Agency Regulatory Goal
I. Background
On November 12, 1999, President Clinton signed the GLB Act (Pub. L. 106-102) into law. Section 501, entitled Protection of Nonpublic Personal Information, requires the NCUA Board, the federal banking agencies, including the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision, the Securities and Exchange Commission, state insurance authorities, and the Federal Trade Commission (collectively, the “Agencies”) to establish appropriate standards for the financial institutions subject to their respective jurisdictions relating to the administrative, technical, and physical safeguards for customer records and information. These safeguards are intended to: (1) Insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.
Section 505(b) of the GLB Act provides that these standards are to be implemented by the NCUA and the federal banking agencies in the same manner, to the extent practicable, as standards pursuant to section 39(a) of the Federal Deposit Insurance Act (FDIA). Section 39(a) of the FDIA requires the federal banking agencies to establish operational and managerial standards for insured depository institutions relative to, among other things, internal controls, information systems, and internal audit systems, as well as such other operational and managerial standards as determined to be appropriate. 12 U.S.C. 1831p(a). Section 39 of the FDIA provides for standards to be prescribed by guideline or by rule. 12 U.S.C. 1831p(d)(1). The FDIA also provides that, if an institution fails to comply with a standard issued as a rule, the institution must submit a compliance plan within particular time frames while, if an institution fails to comply with a standard issued as a guideline, the agency has the discretion as to whether to require an institution to submit a compliance plan. 12 U.S.C. 1831p(e)(1). Section 39 of the FDIA does not apply to the NCUA, and the Federal Credit Union Act does not contain a similar, regulatory framework for the issuance and enforcement of standards. In preparation of NCUA's proposed regulation and appendix with guidelines, NCUA staff has worked with an interagency group that has included representatives from the federal banking agencies. The NCUA Board's understanding is that the federal banking agencies intend to issue proposed standards by guidelines that will be published as an appendix to their safety and soundness standards.
The NCUA Board has determined that it can best meet the congressional directive to prescribe standards through an amendment to NCUA's existing regulation governing security programs in federally-insured credit unions. The proposed regulation will require that federally-insured credit unions establish a security program addressing the safeguards required by the GLB Act. The Board also proposes to publish an appendix to the regulation that will set out guidelines, the text of which is substantively identical to the guidelines anticipated from the federal banking agencies. The guidelines are intended to outline industry best practices and assist credit unions to develop meaningful and effective security programs to ensure their compliance with the safeguards contained in the regulation.
Currently, NCUA regulations require that federally-insured credit unions have a written security program designed to protect each credit union from robberies, burglaries, embezzlement, and assist in the identification of persons who attempt such crimes. Expanding the environment of protection to include threats or hazards to member information systems is a natural fit within a comprehensive security program. To evaluate compliance, the NCUA will expand its review of credit union security programs and annual certifications. This review will take place during safety and soundness examinations for federal credit unions and within the established oversight procedures for state-chartered, federally-insured credit unions. If a credit union fails to establish a security program meeting the regulatory objectives, the NCUA Board could take a variety of administrative actions. The Board could use its cease and desist authority, including its authority to require affirmative action to correct deficiencies in a credit union's security program. 12 U.S.C. 1786(e) and (f). In addition, the Board could employ its authority to impose civil money penalties. 12 U.S.C. 1786(k). A finding that a credit union is in violation of the requirements of proposed § 748.0(b)(2) would typically result only if a credit union fails to establish a written policy or its written policy is insufficient to reasonably address the objectives set out in the proposed regulation.
The proposed Guidelines apply to “nonpublic personal information” of “members” as those terms are defined in 12 CFR part 716, the Privacy Rule. Under Section 503(b)(3) of the GLB Act and part 716, credit unions will be required to disclose their policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information as part of the initial and annual notices to their members. Defining terms consistently should facilitate the ability of credit unions to develop their privacy notices in light of the guidelines set forth here. NCUA derived key components of the proposed Guidelines from security-related supervisory guidance developed with the federal banking agencies through the Federal Financial Institutions Examination Council (FFIEC).
The NCUA Board requests comment on all aspects of the proposed amendment of § 748.0 and the guidelines, as well as comment on the specific provisions and issues highlighted in the section-by-section analysis below.
II. Section-by-Section Analysis
The discussion that follows applies to the proposed rule Part 748.
The security program in § 748.0(b) previously addressed only those threats due to acts such as robberies, burglaries, larcenies, and embezzlement. In the emerging electronic marketplace, the threats to members, credit unions, and the information they share to have a productive, technologically competitive, financial relationship, have increased. The security programs to ensure protections against these emerging crimes and harmful actions must keep pace. Congress directed in Section 501(b) of the GLB Act that the Agencies establish standards to ensure financial institutions protect the security and confidentiality of the nonpublic personal information of its customers.
To meet this directive, the proposed rule revises paragraph (b) of § 748.0 to require that a credit union's security program include protections to ensure the security and confidentiality of member records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to a member. This modification expands the security program objectives to include the emerging threats and hazards to members, credit unions, and the information they share to have a financial relationship.
The proposed rule would have an effective date of November 13, 2000; however, compliance would not be required until July 1, 2001. This is consistent with Part 716, the Privacy Rule, and the other Agencies. NCUA intends to maintain its 90-day compliance period for newly-chartered or insured credit unions found in § 748.0(a). This section requires that each credit union establish its written security program within 90 days from the date of insurance. While the GLB Act, and the other Agencies regulations are silent as to compliance for newly chartered or insured institutions, NCUA believes it is reasonable to continue to provide this compliance time frame for such credit unions.
The discussion that follows applies to the NCUA's proposed Guidelines.
Appendix A to Part 748—Guidelines for Safeguarding Member Information
I. Introduction
Proposed paragraph I. sets forth the general purpose of the proposed Guidelines, which is to provide guidance to each credit union in establishing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information. This paragraph also sets forth the statutory authority for the proposed Guidelines, sections 501 and 505(b) of the GLB Act. 15 U.S.C. 6801 & 6805(b).
I.A. Scope
Paragraph I.A. describes the scope of the proposed Guidelines. The proposed Guidelines can apply to all federally-insured credit unions.
I.B. Definitions
Paragraph I.B. sets forth the definitions of various terms for purposes of the proposed Guidelines.
I.B.1. In General. Paragraph I.B.1. provides that terms used in the proposed Guidelines have the same meanings as set forth in 12 CFR part 716, except to the extent that the definition of the term is modified in the proposed Guidelines or where the context requires otherwise.
I.B.2. Member information. Proposed paragraph I.B.2. defines member information. Member information includes any records, data, files, or other information about a member containing nonpublic personal information, as defined in 12 CFR 716.3(q). This includes records in paper, electronic, or any other form that are within the control of a credit union or that are maintained by any service provider on behalf of a credit union. Although the GLB Act uses both the terms “records” and “information,” for the sake of simplicity, in the proposed Guidelines the term “records” encompasses all member information.
Section 501(b) refers to safeguarding the security and confidentiality of “customer” information. The term “customer” is also used in other sections of Title V of the GLB Act. The NCUA Board has used the term “member” in place of the term “customer” in implementing these sections of the GLB Act in Part 716. The term “member” includes individuals who are not actually members, but are entitled to the same privacy protections under Part 716 as members. Examples of individuals that fall within the definition of member in Part 716 are nonmember joint account holders, nonmembers establishing an account at a low-income designated credit union, and nonmembers holding an account in a state-chartered credit union under state law. The term “member” does not cover business members, or consumers who have not established an ongoing relationship with the credit union (e.g., those consumers that merely use an ATM or purchase travelers checks). See 12 CFR 716.3(n) and (o).
The NCUA Board proposes defining “member” for purposes of the Guidelines consistently with Part 716 to facilitate the ability of a credit union to develop the privacy notices and to make disclosures required under Section 503(b)(3). However, the NCUA Board is considering whether the scope of the Guidelines should address records for all consumers, the credit union's business account holders, or all of a credit union's records. The NCUA Board solicits comment on whether a broader definition will change the information security program that a credit union would implement, or, whether, as a practical matter, credit unions will respond to the Guidelines by implementing an information security program for all types of records under their control rather than segregating “member” records for special treatment.
I.B.3. Member. Proposed paragraph I.B.3. defines member to include any member of a credit union as defined in 12 CFR 716.3(n). A member is a consumer who has established a continuing relationship with a credit union under which the credit union provides one or more financial products or services to the member to be used primarily for personal, family or household purposes.
I.B.4. Service provider. Proposed paragraph I.B.4. defines a service provider as any person or entity that maintains or processes member information on behalf of a credit union, or is otherwise granted access to member information through its provision of services to a credit union.
I.B.5. Member information system. Proposed paragraph I.B.5. defines member information system to be electronic or physical methods used to access, collect, store, use, transmit, and protect member information.
II. Standards for Safeguarding Member Information
II.A. Information Security Program
The proposed Guidelines describe NCUA's expectations for the creation, implementation, and maintenance of an information security program. The proposed Guidelines first describe the oversight role of the board of directors in this process and management's continuing duty to evaluate and report to the credit union's board on the overall status of the program. The proposed Guidelines proceed to describe a four-step information security program that: (1) Identifies and assesses the risks that may threaten member information; (2) develops a written plan containing policies and procedures to manage and control these risks; (3) implements and tests the plan; and (4) adjusts the plan on a continuing basis to account for changes in technology, the sensitivity of member information, and internal or external threats to information security.
Lastly, the proposed Guidelines describe responsibilities for overseeing outsourcing arrangements.
Proposed paragraph II.A. sets forth the general requirement in section 501 of the GLB Act that each credit union have a comprehensive information security program. This program is to include administrative, technical, and physical safeguards appropriate to the size and complexity of the credit union and the nature and scope of its activities.
II.B. Objectives
Proposed paragraph II.B. describes the objectives for an information security program. They are to ensure the security and confidentiality of member information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of member information that could either: (1) Result in substantial harm or inconvenience to any member; or (2) present a safety and soundness risk to the credit union.
Unauthorized access to or use of member information does not include access to or use of member information with the member's consent. The NCUA Board requests comment on whether there are additional or alternative objectives that should be included in the Guidelines.
III. Development and Implementation of Information Security Program
III.A. Involve the Board of Directors and Management
Proposed paragraph III.A. describes the involvement of the board and management in the development and implementation of an information security program. This paragraph specifies these board responsibilities: (1) Approve the credit union's written information security policy and program; and (2) oversee efforts to develop, implement, and maintain an effective information security program, including the regular review of management reports.
The proposed Guidelines set forth three responsibilities for management as part of its implementation of the credit union's information security program. The first provision recognizes the need for an ongoing assessment of changes in technology and their impact on the credit union, as appropriate. On a regular basis, management has a responsibility to evaluate the impact on the credit union's security program of changing business arrangements (e.g. alliances, joint ventures, or outsourcing arrangements), and changes to member information systems.
The second provision describes management's responsibility to document compliance with these Guidelines.
The third responsibility of management is to keep the credit union's board of directors informed of the current status of the credit union's information security program. On a regular basis, management should report to the board on the overall status of the information security program, including material matters related to: risk assessment; risk management and control decisions; results of testing; attempted or actual security breaches or violations and responsive actions taken by management; and any recommendations for improvements to the information security program.
The NCUA Board invites comment as to whether the Guidelines should provide that in some instances the credit union's board of directors should designate an Information Security Officer or other responsible individual who would have the authority, subject to the board's approval, to develop and administer the credit union's information security program. The NCUA Board also invites comment on what best practices or business models would be most appropriate for the assignment of these tasks, depending upon the size and complexity of the credit union.
The NCUA Board invites comment regarding the appropriate frequency of reports to the credit union's board of directors. Should the Guidelines specify best practices for reporting intervals-monthly, quarterly, or annually? How often should management report to the credit union's board of directors regarding the credit union's information security program and why are these intervals appropriate?
III.B. Assess Risk
Proposed paragraph III.B. describes the risk assessment process that should be developed as part of the information security program. First, as described in paragraph III.B.1, a credit union should identify and assess risks that may threaten the security, confidentiality, or integrity of member information, whether in storage, processing, or transit. The risk assessment should be made in light of a credit union's operations and technology. A credit union should determine the sensitivity of member information to be protected as part of this analysis.
Next, as described in paragraph III.B.2, a credit union should conduct an assessment of the sufficiency of existing policies, procedures, member information systems, and other arrangements intended to control the risks identified under III.B.1.
Finally, as described in paragraph III.B.3, a credit union should monitor, evaluate, and adjust, their risk assessments, taking into consideration any technological or other changes or the sensitivity of the information.
III.C. Manage and Control Risk
Proposed paragraph III.C describes the elements of a comprehensive risk management plan designed to control identified risks and to achieve the overall objective of ensuring the security and confidentiality of member information. Paragraph 1 identifies the factors a credit union should consider in evaluating the adequacy of its policies and procedures to effectively manage these risks commensurate with the sensitivity of the information as well as the complexity and scope of the credit union and its activities. Specifically, a credit union should consider whether its risk management program includes appropriate:
(a) Access rights to member information;
(b) Access controls on member information systems, including controls to authenticate and grant access only to authorized individuals and companies;
(c) Access restrictions at locations containing member information, such as buildings, computer facilities, and records storage facilities;
(d) Encryption of electronic member information, including, while in transit or in storage on networks or systems to which unauthorized individuals may have access;
(e) Procedures to confirm that member information system modifications are consistent with the credit union's information security program;
(f) Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to member information;
(g) Contract provisions and oversight mechanisms to protect the security of member information maintained or processed by service providers;
(h) Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into member information systems;
(i) Response programs that specify actions to be taken when unauthorized access to member information systems is suspected or detected;
(j) Protection against destruction of member information due to potential physical hazards, such as fire and water damage; and
(k) Response programs to preserve the integrity and security of member information in the event of computer or other technological failure, including, where appropriate, reconstructing lost or damaged member information.
The NCUA Board intends that these elements accommodate credit unions with varying operations and risk management structures. The NCUA Board invites comment on the degree of detail that should be included in the Guidelines regarding the risk management program, which elements should be specified in the Guidelines, and any other components of a risk management program that should be included.
Paragraph 2 refers to staff training. The information security program should include a training component designed to teach employees to recognize and respond to fraudulent attempts to obtain member information and report any attempts to regulatory and law enforcement agencies.
Paragraph 3 refers to testing procedures. An information security program should include regular testing of systems to confirm the credit union, and its service providers, control identified risks and achieve the objectives to ensure the security and confidentiality of member information. The NCUA Board invites comment on whether the Guidelines should address specific types of security tests, such as penetration tests or intrusion detections tests. Should there be a degree of independence in connection with the testing of information security systems and the review of test results. Should the tests or reviews of tests be conducted by persons who are not employees or volunteers of the credit union? If employees, or volunteers such as members of the credit union's supervisory committee, what measures, if any, are appropriate to assure their independence?
Paragraph 4 describes the need for an ongoing process of monitoring, evaluation, and adjustment of the information security program in light of any relevant changes in technology, the sensitivity of member information, and internal or external threats to information security.
III.D. Oversee Outsourcing Arrangements
Proposed paragraph III.D addresses outsourcing. A credit union should exercise appropriate due diligence in managing and monitoring its outsourcing arrangements to confirm that its service providers have implemented an effective information security program to protect member information and member information systems consistent with these Guidelines.
The NCUA Board welcomes comments on the appropriate treatment of outsourcing arrangements. For example, which “best practices” most effectively monitor service provider compliance with security precautions? Do service providers accommodate requests for specific contract provisions regarding information security? To the extent that service providers do not accommodate these requests, how does a credit union implement an effective information security program? Should these Guidelines contain specific contract provisions for service provider performance standards in connection with the security of member information?
III. Regulatory Procedures
A. Paperwork Reduction Act
The NCUA Board has determined that the proposed information security plan requirements are covered under the Paperwork Reduction Act. NCUA is submitting a copy of this proposed rule to the Office of Management and Budget (OMB) for its review.
The proposed amendment would require federally-insured credit unions to develop a written information security plan to protect the security, confidentiality, or integrity of member information systems. The Board estimates it will take an average of 40 hours for a credit union to comply with the information security plan requirement. The Board also estimates that 10,525 credit unions will have to develop this plan so the total initial paperwork burden is estimated to be approximately 421,000 hours. The estimate of annual burden of review and changes is 15 hours for 10,500 credit unions, totaling 157,500.
The Paperwork Reduction Act of 1995 and OMB regulations require that the public be provided an opportunity to comment on the paperwork requirements, including an agency's estimate of the burden of the paperwork requirements. The NCUA Board invites comment on: (1) Whether the paperwork requirements are necessary; (2) the accuracy of NCUA's estimate on the burden of the paperwork requirements; (3) ways to enhance the quality, utility, and clarity of the paperwork requirements; and (4) ways to minimize the burden of the paperwork requirements. Comments should be sent to: OMB Reports Management Branch, New Executive Office Building, Room 10202, Washington, DC 20503; Attention: Alex T. Hunt, Desk Officer for NCUA. Please send NCUA a copy of any comments you submit to OMB.
B. Regulatory Flexibility Act
The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) requires an agency to publish an initial regulatory flexibility analysis with this proposed rule except to the extent provided in the RFA, whenever the agency is required to publish a general notice of proposed rulemaking for a proposed rule. The Board cannot at this time determine whether the proposed rule would have significant economic impact on a substantial number of small entities as defined by the RFA. Therefore, pursuant to subsections 603(b) and (c) of the RFA, the Board provides the following initial regulatory flexibility analysis.
1. Reasons for Proposed Rule
The NCUA is requesting comment on the proposed interagency Guidelines published pursuant to section 501 of the GLB Act. Section 501 requires the Agencies to publish standards for financial institutions relating to administrative, technical, and physical standards to: (1) Insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. Since these requirements are expressly mandated by the GLB Act, it is the view of the Board that the GLB Act's requirements account for most, if not all, of the economic impact of the proposed Guidelines.
2. Statement of Objectives and Legal Basis
The SUPPLEMENTARY INFORMATION section above contains this information. The legal basis for the proposed rule is the GLB Act.
3. Estimate of Small Credit Unions to Which the Rule Applies
The proposed rule would apply to all federally insured credit unions. Small credit unions are those with less than $1,000,000 in assets of which there are approximately 1,624.
4. Projected Reporting, Recordkeeping and Other Compliance Requirements
The information collection requirements imposed by the proposed rule are discussed above in the section on the Paperwork Reduction Act.
5. General Requirements
The statute and the proposed rule require a credit union to develop an information security program to safeguard member information. Development of such a program involves assessing risks to member information, establishing policies, procedures, and training to control risks, testing the program's effectiveness, and managing and monitoring service providers. The NCUA believes that the establishment of information security programs is a sound business practice for a credit union and is already addressed by existing supervisory procedures. However, some credit unions may need to establish or enhance information security programs, but the cost of doing so is not known. The NCUA seeks any information or comment on the costs of establishing information security programs.
6. Identification of Duplicative, Overlapping, or Conflicting Federal Rules
The NCUA is unable to identify any statutes or rules which would overlap or conflict with the requirement to develop and implement an information security program. The NCUA seeks comment and information about any such statutes or rules, as well as any other state, local, or industry rules or policies that require a credit union to implement business practices that would comply with the requirements of the proposed rule.
7. Discussion of Significant Alternatives
As previously noted, the proposed rule's requirements are expressly mandated by the GLB Act. The proposed rule attempts to clarify the statutory requirements for all credit unions. The proposed rule also provides substantial flexibility so that any credit union, regardless of size, may adopt an information security program tailored to its individual needs. The NCUA welcomes comment on any significant alternatives, consistent with the GLB Act, that would minimize the impact on small credit unions.
C. Executive Order 13132
Executive Order 13132 encourages independent regulatory agencies to consider the impact of their regulatory actions on state and local interests. In adherence to fundamental federalism principles, NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), voluntarily complies with the executive order. This proposed rule, if adopted, will not have substantial direct effects on the states, on the relationship between the national government and the states, or on the distribution of power and responsibilities among the various levels of government. NCUA has determined the proposed rule and appendix does not constitute a policy that has federalism implications for purposes of the executive order.
D. Treasury and General Government Appropriations Act, 1999
NCUA has determined that the proposed rule and appendix will not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681 (1998).
IV. Agency Regulatory Goal
NCUA's goal is clear, understandable regulations that impose minimal regulatory burden. NCUA requests comments on whether the proposed rule and appendix are understandable and minimally intrusive if implemented as proposed. NCUA invites comments on how to make this proposal easier to understand. For example:
(1) Has NCUA organized the material to suit your needs? If not, how could this material be better organized?
(2) Are the provisions in the Guidelines clearly stated? If not, how could the Guidelines be more clearly stated?
(3) Do the Guidelines contain technical language or jargon that is not clear? If so, which language requires clarification?
(4) Would a different format (grouping and order of sections, use of headings, paragraphing) make the Guidelines easier to understand? If so, what changes to the format would make the Guidelines easier to understand?
(5) What else could NCUA do to make the Guidelines easier to understand?
List of Subjects in 12 CFR Part 748
- Credit unions
- Crime
- Currency
- Reporting and recordkeeping requirements
- Security measures
By the National Credit Union Administration Board on June 6, 2000.
Becky Baker,
Secretary of the Board.
For the reasons set forth in the preamble, the NCUA Board proposes to amend 12 CFR 748 as follows:
PART 748—SECURITY PROGRAM, REPORT OF CRIME AND CATASTROPHIC ACT AND BANK SECRECY ACT COMPLIANCE
1. The authority citation for Part 748 is revised to read as follows:
Authority: 12 U.S.C. 1766(a), 1786(Q); 15 U.S.C. 6801 and 6805(b); 31 U.S.C. 5311.
2. Heading for Part 748 is revised to read as set forth above.
3. In § 748.0 revise paragraph (b) to read as follows:
(b) The security program will be designed to:
(1) Protect each credit union office from robberies, burglaries, larcenies, and embezzlement;
(2) Ensure the security and confidentiality of member records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or serious inconvenience to a member;
(3) Assist in the identification of persons who commit or attempt such actions and crimes; and
(4) Prevent destruction of vital records, as defined in the Accounting Manual for Federal Credit Unions.
4. Add Appendix A to read as follows:
Appendix A to Part 748—Guidelines for Safeguarding Member Information
I. Introduction
A. Scope
B. Definitions
II. Guidelines for Safeguarding Member Information
A. Information Security Program
B. Objectives
III. Development and Implementation of Member Information Security Program
A. Involve the Board of Directors and Management
B. Assess Risk
C. Manage and Control Risk
D. Oversee Outsourcing Arrangements
I. Introduction
The Guidelines for Safeguarding Member Information (Guidelines) set forth standards pursuant to sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines provide guidance standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information.
A. Scope. The Guidelines apply to member information maintained by or on behalf of federally-insured credit unions. Such entities are referred to in this appendix as “the credit union.”
B. Definitions. For purposes of the Guidelines, the following definitions apply:
1. In general. For purposes of the Guidelines, except as modified in the Guidelines or unless the context otherwise requires, the terms used have the same meanings as set forth in 12 CFR part 716.
2. Member information means any records, data, files, or other information containing nonpublic personal information, as defined in 12 CFR 716.3(q), about a member, whether in paper, electronic or other form, that are maintained by or on behalf of the credit union.
3. Member means any member of the credit union as defined in 12 CFR 716.3(n).
4. Service provider means any person or entity that maintains or processes member information on behalf of the credit union, or is otherwise granted access to member information through its provision of services to the credit union.
5. Member information systems means the electronic or physical methods used to access, collect, store, use, transmit and protect member information.
II. Guidelines for Safeguarding Member Information
A. Information Security Program. A comprehensive information security program includes administrative, technical, and physical safeguards appropriate to the size and complexity of the credit union and the nature and scope of its activities.
B. Objectives. An information security program: ensures the security and confidentiality of member information; protects against any anticipated threats or hazards to the security or integrity of such information; and protects against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member or risk to the safety and soundness of the credit union. Protecting confidentiality includes honoring members' requests to opt out of disclosures to non-affiliated third parties, as described in 12 CFR 716.1(a)(3).
III. Development and Implementation of Member Information Security Program
A. Involve the Board of Directors and Management.
1. The board of directors of each credit union:
a. Approves the credit union's written information security policy and program; and
b. Oversees efforts to develop, implement, and maintain an effective information security program.
2. In conjunction with responsibilities to implement the credit union's information security program, management should regularly:
a. Evaluate the impact on the credit union's security program of changing business arrangements, such as alliances and, outsourcing arrangements, and changes to member information systems;
b. Document its compliance with these Guidelines; and
c. Report to the board of directors on the overall status of the information security program, including material matters related to: risk assessment; risk management and control decisions; results of testing; attempted or actual security breaches or violations and responsive actions taken by management; and any recommendations for improvements in the information security program.
B. Assess Risk. To achieve the objectives of its information security program, credit unions should:
1. Identify and assess the risks that may threaten the security, confidentiality, or integrity of member information systems. As part of the risk assessment, a credit union should determine the sensitivity of member information and the internal or external threats to the credit union's member information systems;
2. Assess the sufficiency of policies, procedures, member information systems, and other arrangements in place to control risks identified in this appendix; and
3. Monitor, evaluate, and adjust its risk assessment in light of any relevant changes to technology, the sensitivity of member information, and internal or external threats to information security.
C. Manage and Control Risk. As part of a comprehensive risk management plan, each credit union should:
1. Establish written policies and procedures that are adequate to control the identified risks and achieve the overall objectives of the credit union's information security program. Policies and procedures should be commensurate with the sensitivity of the information as well as the complexity and scope of the credit union and its activities. In establishing the policies and procedures, each credit union should consider appropriate:
a. Access rights to member information;
b. Access controls on member information systems, including controls to authenticate and grant access only to authorized individuals and companies;
c. Access restrictions at locations containing member information, such as buildings, computer facilities, and records storage facilities;
d. Encryption of electronic customer information, including, while in transit or in storage on networks or systems to which unauthorized individuals may have access;
e. Procedures to confirm that member information system modifications are consistent with the credit union's information security program;
f. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to member information;
g. Contract provisions and oversight mechanisms to protect the security of member information maintained or processed by service providers;
h. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into member information systems;
i. Response programs that specify actions to be taken when unauthorized access to member information systems is suspected or detected;
j. Protection against destruction of member information due to potential physical hazards, such as fire and water damage; and
k. Response programs to preserve the integrity and security of member information in the event of computer or other technological failure, including, where appropriate, reconstructing lost or damaged member information.
2. Train staff to recognize, respond to, and, where appropriate, report to regulatory and law enforcement agencies, any unauthorized or fraudulent attempts to obtain member information.
3. Regularly test the key controls, systems and procedures of the information security program to confirm that they control the risks and achieve the overall objectives of the credit union's information security program. The frequency and nature of such tests should be determined by the risk assessment, and adjusted as necessary to reflect changes in internal and external conditions. Tests should be conducted, where appropriate, by independent third parties or staff independent of those that develop or maintain the security programs. Test results should be reviewed by independent third parties or staff independent of those whom conducted the test.
4. Monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its member information, and internal or external threats to information security.
D. Oversee Outsourcing Arrangements. The credit union continues to be responsible for safeguarding member information even when it gives a service provider access to that information. The credit union should exercise appropriate due diligence in managing and monitoring its outsourcing arrangements to confirm that its service providers have implemented an effective information security program to protect member information and member information systems consistent with these Guidelines.
[FR Doc. 00-14783 Filed 6-13-00; 8:45 am]
BILLING CODE 7535-01-P