Credit Union Legal Update - Winter 2007

Identity Theft Notifications

It is estimated that in 2006 over 85 million United States consumers should have been informed that their personal and financial data may have been compromised due to data breaches or identity theft. Clearly, it is impossible for a credit union to operate without retaining some personal information of its members. However, data security is becoming increasingly important.

A growing number of states have enacted or are considering requirements for data security and breach notification. As of July 1, 2006, 31 states had enacted security breach laws in one form or another. In this Update we will provide some state law highlights and suggestions for notification requirements and recommended practices.

Notification Requirements
The reoccurring theme of state laws addressing data security breaches is the requirement of notice. Generally the notice or disclosure must be made in the most expedient manner without unreasonable delay. The methods of notice include: (1) written notice; (2) electronic notice such as emails; (3) conspicuous postings on the credit union's website; or (4) notification through statewide media.

Contents of Notice
The notice to affected members should be clear and include the following:
a general description of the incident;

  • a description of the type of personal information that was involved: social security number, driver's license or state ID card number, credit union account number, credit card number, or other financial account numbers;
  • steps the credit union has taken to protect the member's personal information from further breaches;
  • assistance the credit union will offer to members, including a toll-free contact telephone number for more information; and
  • information on what members can do to protect themselves from identity theft, including advising members to review their account statements in addition to contact information for the three credit reporting agencies, so that members may monitor free credit reports on an ongoing basis.

Some exceptions to timely notification might include delays requested by law enforcement agencies or system requirements that must be addressed before isclosure.

All credit unions are encouraged to give priority attention to the protection of personal data and information and the prevention of unauthorized access. There is a growing trend of class-action lawsuits being sought against companies where data security breaches have occurred. Recent studies have concluded that total costs of data breaches average $182 per lost customer record. There are direct incremental costs such as offers for free or discounted financial services, notification letters, phone calls, and emails. Additionally, there is potential for loss of membership as well as lost employee time and productivity.

In summary, all credit unions are encouraged to carefully review, on a periodic basis, their information security program. A comprehensive multi-layered program to protect personal data and information is strongly recommended. Inadvertent breaches may occur and if so, appropriate notification is strongly recommended.

For specific state and federal law requirements, credit unions are encouraged to consult legal counsel.

Source: Jeanne D. Wertz, 'State Data Security Laws,' The Lawyer's Brief, 30 Sept. 2006: 1-9.


The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2017.

Search News