LETTER CU 6-16

August 8, 2016

TO:     ALL WISCONSIN STATE-CHARTERED CREDIT UNIONS

RE:     UNAUTHORIZED ACCESS TO PERSONAL MEMBER INFORMATION

This letter updates Letter CU 1-07 of March 1, 2007, and informs credit unions of their responsibility to have a response program in place that specifies actions to be taken when unauthorized access to personal member information occurs or is suspected. Credit unions must also notify the Office of Credit Unions if an incident involving unauthorized access to or use of sensitive member information occurs.

Appendix B of Part 748, NCUA Rules & Regulations, Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, is applicable to all federally insured credit unions. This appendix describes response programs and provides guidance, including member notification procedures, that a credit union should develop and implement to address unauthorized access to or use of member information that could result in substantial harm or inconvenience to a member. All Wisconsin credit unions are expected to follow this guidance and to have response programs that specify the actions to be taken and that provide for a timely response should a data breach occur.

In addition, Wisconsin Statute 134.98, Notice of Unauthorized Acquisition of Personal Information, requires credit unions to provide a notice of unauthorized acquisition of personal information to affected individuals. This statute provides guidance on the timing and manner of notice.

Included with this letter is a form that should be used in notifying the Office of Credit Unions if an incident involving unauthorized access to or use of sensitive member information occurs. Please complete the form, print it and mail it to the office.

Questions regarding this letter should be directed to the Office of Credit Unions at (608) 261-9543.

Sincerely,

 
Kim Santos, 
Director
OFFICE OF CREDIT UNIONS



OFFICE OF CREDIT UNIONS

UNAUTHORIZED ACCESS TO PERSONAL MEMBER INFORMATION


Credit Union:
Date of Incident:

Direct to CU, Third Party Service Provider, or Unaffiliated Third Party:
Description of unauthorized access/data breach:





Source of unauthorized access/data breach:




Date of awareness/notification:
Extent of Damage
Amount of Bond Coverage: $
Amount of bond coverage for plastic card losses: $
Estimated cost of Resolution: $
Potential loss to credit union: $
# of members affected:
Notification to Members
Date:
Letter, Phone call, email, or other:
Was a Suspicious Activity Report (SAR) Filed?
Date:
Was a law enforcement investigation necessary? If so, what was the result?


If the unauthorized access was directly to the credit union systems/member information versus being caused by an unaffiliated third party, what steps have been taken to prevent future incidents?



Additional information/comments:




Completed by:
Date: