Q & A: Is a member notification required if a credit card or debit card has been compromised?
By: Katherine Romano Schnack, Senior Compliance and Corporate Counsel
We are often asked about the notification requirements when there is unauthorized access to personally identifiable information, including credit or debit card numbers. A credit union can learn of unauthorized access in various ways, including a data breach of the credit union's own network, an ATM or point of sale (POS) skimmer, or an account listed on a Compromised Account Management System (CAMS) alert from a card network such as Visa or Mastercard.
If a credit or debit card number is compromised by any means and there is a reasonable possibility that misuse of that account will occur, the credit union should notify the member of the compromise as soon as possible. There are statutory and regulatory requirements for member notification and also potential statutory and common law claims based on failure to notify the member that their account has been compromised. The applicable laws and potential claims are discussed below.
NCUA Regulations Part 748, Appendix B—Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice
For federally-insured credit unions, NCUA has provided guidance on compliance with the Gramm-Leach-Bliley Act regarding information security programs, including member notification procedures. NCUA Appendix B states that, “If the credit union determines that misuse of its information about a member has occurred or is reasonably possible, it should notify the affected member as soon as possible.” This is a very broad standard, and under most circumstances the credit union would be able to conclude that a misuse of a compromised card number is reasonably possible.
Part 748, Appendix B provides:
III. MEMBER NOTICE
- Credit unions have an affirmative duty to protect their members’ information against unauthorized access or use. Notifying members of a security incident involving the unauthorized access or use of the member’s information in accordance with the standard set forth below is a key part of that duty.
- Timely notification of members is important to manage a credit union’s reputation risk. Effective notice also may reduce a credit union’s legal risk, assist in maintaining good member relations, and enable the credit union’s members to take steps to protect themselves against the consequences of identity theft. When member notification is warranted, a credit union may not forgo notifying its customers of an incident because the credit union believes that it may be potentially embarrassed or inconvenienced by doing so.
Standard for Providing Notice
When a credit union becomes aware of an incident of unauthorized access to sensitive member information, the credit union should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the credit union determines that misuse of its information about a member has occurred or is reasonably possible, it should notify the affected member as soon as possible. Member notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the credit union with a written request for the delay. However, the credit union should notify its members as soon as notification will no longer interfere with the investigation.
12 CFR Part 748, Appendix B, Paragraph III (see also Appendix B for the required content and form of member notices).
This NCUA regulation applies only to federally insured credit unions; for our privately insured credit unions, however, the Illinois Department of Financial and Professional Regulation requires similar standards.
The Illinois Personal Information Protection Act
The Illinois Personal Information Protection Act (PIPA) also has requirements regarding member notification for unauthorized access to personally identifiable information, including payment card numbers. PIPA requires a disclosure notification to be made if there is a "breach of the security of the system data," defined as the "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information," including credit or debit card numbers. 815 ILCS §530/5. PIPA has an exception similar to the one in NCUA Part 748, Appendix B, allowing a delay in member notification if requested by law enforcement.
Section 10(a) of PIPA provides:
Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
Section 10(d) of PIPA provides:
Notwithstanding any other subsection in this Section, a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.
In practice, if a credit union has a member notification procedure consistent with NCUA Part 748's requirement to send a member notification "as soon as possible," then the credit union's notification will also satisfy PIPA's requirement to send the notification in "the most expedient time possible and without unreasonable delay."
Statutory and Common Law Claims
In addition to the requirements discussed above, there are statutory and common law claims that can be alleged against a credit union for failure to notify members of compromised cards. PIPA provides that a violation of its requirements is also a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. PIPA, 815 ILCS §530/20. Consumer fraud claims can also be based on a failure to maintain adequate security procedures and failure to provide a timely notice to members. See In re Michaels Stores Pin Pad Litigation, 830 F.Supp.2d 518 (N.D. Ill. 2011). Other potential claims for failure to provide member notification of compromised cards include breach of contract, negligence, and violation of the Federal Trade Commission Act (through enforcement actions by the FTC).
Given the regulatory requirements and potential statutory and common law claims, credit unions should send member notifications as soon as possible if members’ credit or debit cards have been compromised in any way and there is a reasonable possibility that misuse of the card accounts will occur.
Further resources:
- Federal Trade Commission, Data Breach Response: A Guide for Business
- Illinois Attorney General, Information Security and Security Breach Notification Guidance