Deep Dive: Credit Unions Work To Keep Members’ Data Private

Credit unions’ emphasis on member relationships is one of the main factors that distinguishes them from large banks and FinTechs. PYMNTS’ Credit Union Innovation Index found 65 percent of CU members chose credit unions as their primary financial institutions (FIs) because they trusted them, compared to 45 percent of non-CU members who said the same. It also revealed that 60.8 percent of the former said they would not leave their CUs for other FIs even if offered the same financial services — an indicator of how important trust is in influencing members’ decisions.

Failing to prevent a data breach is a surefire way to lose that trust, however. Credit unions possess vast troves of personal information such as credit card data and Social Security numbers that could devastate members if leaked. Those affected by such incidents are likely to switch to another credit union or even abandon the industry entirely.

Several CUs have fallen victim to data breaches over the years, but many are instituting new defenses to combat such problems. Governments are stepping up to protect CU members, too, adding a layer of assurance that those affected by breaches will not be irreparably harmed. The following Deep Dive explores the devastating impacts data breaches can have on credit unions, as well as the measures that CUs and the state of California are developing to protect CU members.

Data Breaches Within And Without

Credit unions are no strangers to data breaches. Canada’s largest CU, the 4.2 million-member Desjardins Credit Union, fell victim to one in June 2019. The credit union initially claimed the incident affected 2.7 million members and 173,000 businesses, but later admitted that its entire member base was compromised. The leaked data did not include passwords, codes or identification questions, but did expose names, addresses, birthdates, social insurance numbers and information about transaction habits. The total financial damage from the leak is still being tallied, but the loss of trust experience by Desjardins’ members cannot be easily undone.

Problems outside CUs’ control can affect members’ faith in their FIs, too. A National Association of Federally-Insured Credit Unions (NAFCU) survey found 82 percent of credit unions were negatively affected by data breaches stemming from local businesses in the past two years, for example. A recent hack against Pennsylvania-based convenience store chain Wawa exposed credit and debit card credentials issued by hundreds of local credit unions. The breach resulted in more than $5 million in losses, but the damage done to CU members’ trust was incalculable. At least two local CUs — First Choice Federal Credit Union and Inspired Federal Credit Union — even filed class-action lawsuits against Wawa for not adhering to best security practices.

Third-party incidents are difficult for CUs, as they do not have direct control over outside security practices. Many are bolstering their own defenses to retain their members’ trust, however.

CUs’ Tools To Secure Member Privacy 

Most U.S. credit unions have invested in anti-malware, firewalls and other technologies to protect members’ personal data, but such measures are reactive. Proper data security relies on active detection and anticipation of future threats rather than static defenses that cannot meet evolving security needs.

CUs have limited resources when developing active detection, however. Larger banks and well-funded FinTechs can create dedicated security operation centers staffed by experts, but CUs often do not have the budgets to offer round-the-clock active protection.

Many are leveraging the Automated Cybersecurity Examination Tool, developed by the National Credit Union Administration (NCUA), to bridge this gap. It establishes a CU industry security benchmark and identifies potential problems in five major domains: cyber incident management, cyber risk management and oversight, cybersecurity controls, external dependency management and threat intelligence and collaboration. The NCUA will collect data from these areas, which it will then leverage to establish data nationwide standards. Some states are taking personal data protection matters into their own hands, too.

California’s Protective Measures And Their Costs

The California Consumer Privacy Act (CCPA) is a state-level data security measure mandating best security and privacy practices for business and organizations — including credit unions. CUs transacting in the Golden State are required to inform members of any personal data they collect and comply with requests for deletion. Proper implementation of the CCPA will go a long way toward building members’ trust in their CUs by protecting their personal data from theft.

Implementing these security practices is costly, however. The California Attorney General’s Office estimates that CCPA compliance’s total cost to California businesses will start at $55 billion initially, then cost anywhere from $467 million to $16 billion over the next 10 years.

Credit unions are poised to shoulder a significant share of these costs, as they will require an extensive review of every megabyte of personal data they process to ensure they remain compliant. They will also be required to create new internal security procedures and invest in staff training to avoid violation risks.

It is yet to be determined whether CUs will have to comply with CCPA’s effect in the first place, however. The regulation applies to businesses, which it defines as any organization operating for profit. Credit unions are nonprofit, but many experts agree that they fit the legal definition of businesses and would be subject to the CCPA. It will likely be up to the courts to decide whether CUs will have to comply, but the stress of indecision is an additional burden affecting credit unions’ executive teams.

The future of member privacy and data security among CUs looks bright overall. The forecast should become considerably sunnier once the questions behind the CCPA’s impacts are resolved.