This is an update to Letter CU 1-07 from March 1, 2007 and is to inform credit unions of their responsibility to have a response program in place that specifies actions to be taken when unauthorized access to personal member information occurs or is suspected. Credit unions must also notify the Office of Credit Unions if an incident involving unauthorized access to or use of sensitive member information occurs.

Appendix B of Part 748, NCUA Rules & Regulations, Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, is applicable to all federally insured credit unions. This appendix describes response programs and provides guidance, including member notification procedures, that a credit union should develop and implement to address unauthorized access to or use of member information that could result in substantial harm or inconvenience to a member. It is expected that all Wisconsin credit unions follow this guidance and have response programs that specify action to be taken that will provide for a timely response should a data breach occur.

In addition, Wisconsin Statute 134.98, Notice of Unauthorized Acquisition of Personal Information, requires credit unions to provide a notice of unauthorized acquisition of personal information to affected individuals. This statute provides guidance on the timing and manner of notice.

Included with this letter is a form that should be used in notifying the Office of Credit Unions if an incident involving unauthorized access to or use of sensitive member information occurs. Please complete the form, print it and mail it to the office.

Questions regarding this letter should be directed to the Office of Credit Unions at (608) 261-9543.

Sincerely,

 

Kim Santos, 

Director

OFFICE OF CREDIT UNIONS