NCUA PRIVACY REGULATION Flashcards

1
Q

What is the definition of “member” used in the privacy regulation?

A

This definition includes some nonmembers. A “member” is defined as a consumer who has a continuing relationship with the credit union.

2
Q

What is the requirement for delivering the privacy notice?

A

Credit unions must deliver written privacy notices (oral notices are not sufficient) in a form the member can retain.

3
Q

If the credit union does not share information with a third party for marketing purposes, is a privacy notice still required?

A

Yes, the regulations require all credit unions to provide privacy notices to those people using their products and services even if the credit union does not share information with third parties.

4
Q

List at least two of the features of the model privacy notice.

A

Some of the features of the model privacy notice include:
* The title
* The introductory section, called the “key frame”, that provides context to help members understand the required disclosures
* The disclosure table that describes the types of permissible sharing by credit unions under Federal law; which of those types of sharing the credit union engages in; and whether the consumer can limit or opt out of the credit union’s sharing
* Information on how to limit sharing via opt-out (if applicable). If the credit union provides a mail-in opt-out form, that form appears on the bottom of the first page.
* Credit union’s contact information
* Additional explanatory/supplemental information in a “Frequently Asked Questions” format.

5
Q

Is the credit union required to give a separate privacy and opt-out notice to each joint account holder?

A

No, the credit union can provide one initial notice to them jointly.

6
Q

The Board of Directors is responsible for the general oversight of the credit union’s information security program.
True OR False

A

True.

7
Q

While developing and implementing the information security system, credit unions are required to assess any risks to member information. List the other four duties that credit unions have in connection with the information security system.

A

Manage and control risk, oversee service provider arrangements, adjust the security program as needed, and make reports to the board.

8
Q

What are the three actions required when overseeing arrangements with service providers?

A

Exercise due diligence in selecting service providers, require service providers to implement appropriate measures designed to meet the objectives of the NCUA Guidelines, and if necessary, monitor service providers to ensure they have implemented the appropriate measures.

9
Q

The parental notice required by COPPA must include specific information. Name three pieces of information that must be in that notice.

A

The notice must include:
* That the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent’s consent;
* That the parent’s consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent;
* The additional items of personal information the operator intends to collect from the child, or the potential opportunities for the disclosure of personal information, should the parent provide consent;
* A hyperlink to the operator’s online notice of its information practices required under the rule;
* The means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and
* That if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records.

10
Q

You must get a parent’s consent before collecting, using, and disclosing a child’s personal information.
True OR False

A

True

11
Q

Credit unions must develop procedures to respond to the unauthorized access to sensitive member information. What are the five necessary components of such a response program?

A

A response program should contain procedures for:
1. Assessing the nature and scope of an incident, including what information systems were involved and what types of member information were accessed.
2. Notifying the appropriate NCUA Regional Director, and, in the case of federally insured state-chartered credit unions, its applicable state supervisory authority, as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of “sensitive” member information.
3. Notifying appropriate law enforcement authorities, in addition to filing a timely Suspicious Activity Report (SAR) in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is on-going;
4. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information (e.g., monitoring, freezing, or closing affected accounts) while preserving records and other evidence; and
5. Notifying members when warranted.
