How to Navigate the NCUA Data Disposal Guidelines

NCUA Regulations & Guidance emphasize meticulous supervision in credit union cybersecurity compliance, requiring adherence to secure data handling practices. Federally insured credit unions under NCUA oversight must comply with stringent data handling protocols, including specific media sanitization guidelines for data disposal—a top priority in NCUA’s regulatory scrutiny. The NCUA Security Guidelines mandate that credit unions establish risk-based disposal procedures tailored to their records. This article will list current NCUA guidelines on ‘disposal of information’ as per Federal Financial Institutions Examination Council handbook Section II.C.13(c).

NCUA Regulations & Guidance

The NCUA 12 CFR Section 748.0: Security Program mandates that each federally insured credit union takes responsibility for disposing of any consumer information it maintains or possesses. NCUA adheres to policies outlined in NIST Special Publication 800-53 Revision 5 – Security and Privacy Controls for Information Systems and Organization, as well as NIST Cybersecurity Framework (CSF) standards, which include ‘Media Protection (MP)’ policies. Within Media Protection, NCUA exercises complete control over safeguarding media throughout its lifecycle, encompassing operations, access, storage, transportation, sanitization, use, and downgrading.

In this article, we’ll delve into ‘Media Sanitization’ (MP-6) (on Page 9) as referenced in the Cyber Security & Credit Union Resilience Report published by NCUA in June 2021. Before exploring media sanitization, credit unions need a thorough understanding of record retention, confidentiality, and the protection of sensitive data and storage devices governed by these guidelines.

Record Retention Guidelines

according to NCUA While NCUA doesn’t directly regulate Credit Unions on Record Retention, it recommends adherence to suggested guidelines outlined in the official document of Code of Federal Regulations Appendix A to Part 749 – Record Retention Guidelines. Published initially in July 2009 and updated in 2019, Appendix A lays out the following directives for NCUA members:

A. Specify the Format for Record Retention
B. Designate Responsibility for Establishing a Record Disposal System
C. Outline Procedures for Record Destruction
D. Define Recommended Minimum Retention Periods
E. Identify Records for Permanent Retention
F. Designate Records for Periodic Destruction

While credit unions are obligated to comply with all sections of the Appendix (A-F), this article focuses on point F: which records need retention and periodic destruction?

The Appendix suggests that credit unions should maintain an index of records destroyed (Periodic destruction list) permanently. Destruction should typically involve at least two individuals, with their signatures affirming the destruction affixed to the listing. This protocol applies to both paper documents and digital records stored on drives and devices.

Documents slated for periodic disposal include fully repaid loan applications and associated notes, unless mandated by law to retain longer. Also included are various consumer disclosure forms, exempt if required by legislation. Additionally, cash receipts, journal vouchers, canceled checks, and bank statements post-relevance are earmarked for disposal. Outdated manuals, voided instructions, and nonpayment notices from NCUA and government agencies are similarly slated for disposal to ensure legal compliance and operational efficiency.

Record Retention Time

Record retention guidelines for credit unions are diverse. Non-critical records, such as certain member account details, can undergo destruction after scrutiny by the supervisory committee. However, documents like Individual Share and Loan Ledgers necessitate indefinite preservation. Records should remain intact until they’ve undergone an annual audit by the supervisory committee and been verified by the National Credit Union Administration (NCUA). Additionally, credit unions must retain account holder records for a minimum of six years post-account closure or loan term completion. Concerning corporate records, such as board meeting minutes and personnel files, the retention period can span multiple decades, contingent upon specific circumstances. For further insights, consult Credit Union Records Retention Appendix A.

Confidentiality and Protection of Sensitive Data

Credit Unions overseen by NCUA have a responsibility to securely handle sensitive data, whether in the form of documents or electronic media. For paper-based records, the directive is straightforward: they must be thoroughly destroyed to ensure no confidential information can be retrieved or exploited. Similarly, for records stored on obsolete computer storage media, the disposal process must adhere to the guidelines outlined in the National Institute of Standards and Technology Publication 800-88 “Guidelines for Media Sanitization”. For more details, refer to NCUA’s specific media sanitization practices.

Storage Devices Covered by These Guidelines

NCUA’s guidelines encompass a broad spectrum of IT equipment and storage devices, including computers, servers, removable drives (such as USBs, tapes, optical discs), smartphones, tablets, SSDs, office machines with storage capabilities (such as photocopiers, fax machines, printers), and onsite or offsite backup tapes.

Secure Disposal of Information according to NCUA

Credit Unions are obligated to sanitize media using specified techniques and procedures that align with federal and organizational standards. This involves implementing sanitization methods like clear, purge, cryptographic erase, and degaussing, depending on the media and type of information. When reusing media, NCUA favors the method of ‘Overwriting’. However, for overwriting to be effective, it may need to be repeated multiple times, as outlined in NIST guidelines. The selected method must irreversibly wipe data, ensuring unauthorized access or reconstruction of sensitive information is impossible.

The Significance of Proof of Data Destruction

NCUA mandates credit unions to adhere to NIST guidelines for media sanitization. Within their policies, it explicitly states that any data destruction must be documented and evidenced for compliance purposes. The documentation must be comprehensive and encompass:

NCUA also underscores the importance of training credit union staff in data handling and disposal to uphold data security practices among all involved members. Staff should receive training on proper disposal methods, guaranteeing secure handling and discarding of sensitive data. This training regimen plays a pivotal role in cultivating a vigilant and knowledgeable workforce capable of safeguarding the credit union and its members from security threats.

0/5 (0 Reviews)