ALEXANDRIA, Va.–NCUA said it has now put into place improved security measures recommended by its Office of Inspector General in the wake of a lost memory stick containing member data at Palm Springs FCU.
That memory stick has never been recovered, but no resulting compromised data has been reported.
Effective immediately, NCUA said its examiners may only accept sensitive data electronically via two options:
- Option 1. Secure Electronic Transmission Or Transfer By Removable Media Includes Encryption. “The preferred method is for the data file(s) to be provided on removable media (thumb drives, external hard drives, etc.) or transmitted through a secure electronic transmission,” NCUA said in a letter to CEOs. “Either the data file(s) or the device or electronic transmission conveying the file(s) must be encrypted under this method. Credit unions can provide such information using their own removable media or, if permitted by the credit union’s information technology security policy, media provided by NCUA.” The agency said credit unions can use various commercially available methods to electronically transmit files, such as via e-mail or some type of secure file sharing service, provided the method incorporates encryption that meets the standards it has set forth, including 128-bit AES encryption. A password must be provided separately from the device or transmission under this option, when encrypted media provided by NCUA is not used…If the transfer occurs while NCUA staff is onsite, it can be accomplished by the credit union representative signing (a) Chain of Custody document, which will be provided by the examiner.
- Option 2 – In Person Transfer by Removable Media Does Not Include Encryption. If a credit union is unable or unwilling to electronically provide sensitive data in a manner that meets the requirements outlined for option 1, NCUA said its examiners may then only accept such data electronically if a credit union representative in person provides the data file(s) to the examiner and remains physically present while the examiner transfers the data to NCUA’s encrypted equipment.