Advice for Credit Unions Following the Equifax Data Breach

Information to share with your members, including steps they can take to protect their information.

9/12/17

Equifax, one of the big three U.S. credit bureaus, announced on Thursday, Sept. 7, 2017, that a data breach at the company may have exposed 143 million American consumers’ sensitive personal information.

Although Equifax states it found no evidence of unauthorized activity on its core consumer credit reporting database, other information was lost. According to Equifax, the breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. This is the information fraudsters need to commit identity theft.

In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information for consumers in any other country has been impacted.

What Credit Unions Can Share With Members

Members will look to their trusted credit unions for advice and assurance. Local media will look to you for information on the impact of the breach, and tips on what consumers should do. You cannot speculate on the impact of the breach, but you can give consumers helpful information about the Equifax breach.

Members’ credit union accounts are not part of the Equifax breach. Assure members you remain ever-vigilant in securing their credit union data. They should also use the products you have available to monitor their credit union accounts, and report any suspicious activity to you.

Unfortunately, with 143 million Americans’ personal information compromised in the Equifax breach, there’s a good chance anyone with a credit report is at risk.

Credit unions will want to follow their processes for handling third-party breaches. This may include educating members on steps they can take to protect their information from being misused. Here are steps to share with your members:

  • Find out if your information was exposed. Go to www.equifaxsecurity2017.com, click on the “Potential Impact” tab, and enter your last name and the last six digits of your Social Security number. Your Social Security number is sensitive information, so make sure you’re on a secure computer and an encrypted network connection any time you enter it. The site will tell you if you’ve been affected by this breach.
  • Equifax has provided a link where consumers can determine if their personal information is part of the breach, and sign up for free credit monitoring. The offer was controversial when initially announced, because it bore a clause under which consumers who signed up for credit monitoring waived their rights to a class action lawsuit. After an outcry from elected officials and consumer watchdog groups, Equifax reversed its policy and stated that the arbitration clause and class action waiver do not apply to this enormous cyber security incident. Credit unions should determine whether they want to send consumers to Equifax, or recommend that they check their credit reports themselves by visiting www.annualcreditreport.com.
  • Access the frequently asked questions on the site.

Following are other steps members can take to protect themselves after a data breach:

  • Check your credit reports from Equifax, Experian, and TransUnion by visiting annualcreditreport.com. Accounts or activity that you don’t recognize could indicate identity theft. Visit IdentityTheft.gov to find out what to do.
  • Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that a credit freeze won’t prevent a thief from making charges to your existing accounts.
  • Monitor your existing credit card and bank accounts closely for charges you don’t recognize.
  • If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.
  • File your taxes early — as soon as you have the tax information you need, before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.
  • Visit Identitytheft.gov/databreach to learn more about protecting yourself after a data breach.

In addition, credit unions may wish to make sure their members are well-informed and understand their rights and obligations. Here are some communications credit unions may wish to adopt from previous card breaches:

  • Assure members that your credit union has security and monitoring policies in place, and that you’re watching closely for suspicious activity. Tell members what steps you will take if you find suspicious activity, or are taking if the situation has progressed to that point. Briefly share your method of direct contact with members so they will be informed of any suspicious activity on their cards. If you plan on cancelling all cards that were possibly affected and issuing new ones, it would be helpful to tell members before their cards are cancelled.
  • Urge members to leverage the alert services that you offer on your cards. Consumers should monitor their transactions daily and should report anything suspicious to the card issuer. They can do so by using the 800 number on the back of the card. Credit unions may want to include an online link for members, too.
  • Inform members of the limitations in their liability for unauthorized transactions. Debit card liability is governed by Regulation E; credit cards follow the VISA and Mastercard limitations on liability. Stress to members that they need to report any unauthorized or suspicious transactions to you as soon as they can.
  • Urge members to change their passwords and PINs if they notice suspicious activity. They may request that new cards be issued to them.
  • Summarize what is known about the current breach and update with new information as needed. In your statement, link to the sites of the organization where the breach occurred, such as the retail chain, for more information.

Additional Insight

The NWCUA has partnered with the law firm Farleigh Wada Witt, which has provided the following insight regarding this incident.

Equifax Data Breach – Preliminary Compliance Considerations

In the wake of Equifax’s announcement regarding a massive data breach, many credit unions are asking about their own obligations to affected members with respect to the breach. Although the situation is still developing, we have outlined some preliminary guidance based on what we know of the Equifax breach to date:

Credit Union Duties to Members

Under the NCUA’s Guidelines for Safeguarding Member Information (NCUA Regulations Part 748, Appendix B), the credit union’s duty to disclose a security breach to members is triggered when each of the following criteria is met:

(i)  the credit union becomes aware of unauthorized access to sensitive member information;

(ii)  the information is maintained by the credit union or the credit union’s service providers; and

(iii)  the credit union determines that misuse of the information has occurred or is reasonably possible.

A “service provider” is a party that maintains, processes, or is otherwise permitted access to member information through its provision of services directly to the credit union. Equifax is a service provider to many credit unions.

However, if the credit union neither reports directly to Equifax nor receives reports directly from Equifax, Equifax is not a service provider to the credit union (unless there is some other relationship between the credit union and Equifax).

Under Part 748, if the breach relates to a service provider, notice provided by the service provider may satisfy the credit union’s obligation to notify members. Has sensitive member information of your members been lost in the Equifax breach? First, it is too early to tell. Second, based upon how Equifax treats its information, this is an open question.

Credit unions that report to Equifax provide “account information” of members on a monthly basis. Equifax then incorporates some of that account information into the Equifax computerized credit reporting system. Under the Equifax service agreement, the information incorporated ceases to be property of the credit union and becomes property of Equifax, and Equifax must destroy any media received from the credit union. Until we learn more about the member information that has been breached, such as names plus account numbers, it is premature to say a credit union’s sensitive member information has been breached.

If no sensitive member information has been breached, a credit union would NOT have a duty to notify any member.

Initial Credit Union Response

Based on the regulatory analysis outlined above, and on what we currently know about the Equifax breach, we offer the following guidance on initial credit union response:

  • If Equifax is not a service provider to the credit union as outlined above, the credit union will have no obligation to notify members under the NCUA regulation.
  • If Equifax is a service provider to the credit union, the credit union will have a notice obligation only when the credit union actually becomes aware that sensitive member information of its members was subject to the breach.
  • Although it is likely that most credit unions will have at least some affected members, credit unions do not have any actual knowledge at this point as to whether their sensitive member information has been breached. We do not know at this time whether Equifax intends to provide specific information to credit unions about member information subject to the breach.
  • Equifax has its own notice obligations under both federal and state law. It is likely that Equifax’s notice to affected consumers will satisfy both Equifax’s obligations and those of financial institutions for whom Equifax is a service provider. But we will not know that unless and until we actually see the form of notice that Equifax provides.

For all these reasons, credit unions are justified in taking a “wait and see” approach before notifying any individual members. However, we encourage credit unions to consider providing some information for members simply as a matter of member service and proactive communication. For such communications, the following points may be useful:

  • The credit union can confirm that the breach occurred in Equifax’s systems, and not in the credit union’s systems.
  • The credit union can provide a link to the FTC’s release on the Equifax breach: https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do.
  • The credit union can provide a link to Equifax’s web page related to the breach: https://www.equifaxsecurity2017.com, where consumers can verify if Equifax believes their information was subject to the breach.
  • The credit union can advise members to check their account information frequently through the credit union’s online and mobile channels in order to quickly detect any unauthorized activity.

Question of the Week

Does a credit union have to provide an adverse action notice when it denies a request for a line of credit increase?

Yes, an adverse action notice must be provided when a credit union denies a member’s request for a line of credit increase. An adverse action is defined as:

  • A refusal to grant credit in substantially the amount or on substantially the terms requested in an application unless the creditor makes a counteroffer (to grant credit in a different amount or on other terms) and the applicant uses or expressly accepts the credit offered;
  • A termination of an account or an unfavorable change in the terms of an account that does not affect all or substantially all of a class of the creditor’s accounts; or
  • A refusal to increase the amount of credit available to an applicant who has made an application for an increase.

Resources:

12 CFR 1002.9

12 CFR 1002.2(c)(1)

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA, FRB, OCC, and FDIC issued joint guidance: Frequently Asked Questions on the New Accounting Standard on Financial Instruments—Credit Losses.

The NCUA announced that it awarded more than $1.8 million in grants to credit unions for digital services and security, leadership development, and small low-income credit union capacity.

The NCUA released its Second Quarter 2017 Credit Union System Performance Data. The data shows that total assets have grown by 7.7% over the year, delinquency rates remain unchanged, and that the number of low-income designated credit unions grew over the past year.

Consumer Financial Protection Bureau (CFPB)

The CFPB posted a blog article about the recent Equifax data breach that discusses steps consumers can take to protect themselves and their credit.

The CFPB announced a new financial empowerment toolkit, Focus on People with Disabilities. This guide is a companion to the Your Money, Your Goals toolkit.

Federal Reserve Board (FRB)

The FRB announced that it has published the September 6, 2017 issue of the Beige Book.

The FRB announced the release of its paper, Strategies for Improving the U.S. Payment System: Federal Reserve Next Steps in the Payments Improvement Journey. The paper is a follow up to the FRB’s last paper published in January of 2015, which discussed strategies for improving the U.S. Payment System.

The FRB has released the September 2017 issue of FedFocus.

Federal Trade Commission (FTC)

The FTC posted a blog article detailing steps consumers can take to deal with the recent Equifax data breach.

Federal Deposit Insurance Corporation (FDIC)

The FDIC released its State Profiles for the second quarter of 2017. The profiles summarize the banking and economic conditions in each state.

The FDIC issued FIL-40-2017 to announce the launch of the FFIEC’s New Industry Outreach Website. The website is designed for financial institutions, trade associations, third-party providers, and consultants.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of September 6, 2017. The last update prior to this was August 29, 2017.

Questions? Contact the Compliance Hotline: 1.800.546.4465, compliance@nwcua.org.