Bank Regulator Loses Sensitive Customer Data

When a federal banking regulator insists that a bank official hand over data under investigation, what obligation does that regulator have to protect that data? That’s what the Palm Springs Federal Credit Union is asking, after a flash drive containing member names, addresses and Social Security numbers was lost after a routine audit by the National Credit Union Administration.

The Credit Union Times published the letter the credit union sent to members explaining the breach. “Financial institutions are required to have their operations and records audited regularly. As part of the audit process, the Credit Union provided information regarding members on an external drive containing members’ names, addresses, Social Security numbers and account numbers,” the letter said. “Regrettably, the drive was lost and its location is now unknown. At this time, we do not know if the external drive has been inadvertently destroyed or if it was acquired by an unauthorized person.”

The liability question is interesting. If a financial institution turns over mandated data to a regulator and the regulator loses that data, is the institution off the hook?

A Bank Info Security story said the issue raised is troubling. “We are deeply concerned about this event,” the story quoted Eric Richard, general counsel for the Credit Union National Association, as saying. “NCUA examiners are charged with promoting the safety and soundness of credit unions, not putting it at risk. NCUA should conduct a thorough review of the situation to see what steps it can take to make sure that nothing like this happens again. Trust in the agency is at stake.”