NCUA regulations and guidance place credit union cybersecurity compliance under close supervisory scrutiny, including how member data is handled throughout its life cycle. Federally insured credit unions under NCUA oversight must follow defined data handling protocols, including specific media sanitization requirements for data disposal, an area examiners look at closely. The NCUA security guidelines require credit unions to establish risk-based disposal procedures tailored to the records they hold.
This article lists the current NCUA guidance on the disposal of information, as set out in the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, Section II.C.13(c), and shows how professional overwriting software such as BitRaser helps a credit union demonstrate compliance with it.
NCUA Regulations & Guidance
NCUA rule 12 CFR Section 748.0, Security Program, requires each federally insured credit union to properly dispose of any consumer information it maintains or otherwise possesses. NCUA aligns its expectations with NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, and with the NIST Cybersecurity Framework (CSF), both of which reference the Media Protection (MP) control family. Media Protection covers the whole life cycle of storage media: access, marking, storage, transport, sanitization, use and downgrading.
For the purpose of this article, we consider Media Sanitization (MP-6), as referenced on page 9 of the Cyber Security & Credit Union Resilience Report (June 2021) published by NCUA. Before looking at media sanitization itself, credit unions need to understand record retention, the confidentiality and protection of sensitive data, and which storage devices are subject to these guidelines.
Record Retention Guidelines as per NCUA
NCUA does not impose binding record retention rules on credit unions, but recommends that they follow the guidance in Appendix A to 12 CFR Part 749, Record Retention Guidelines, published in July 2009 and updated in 2019. Appendix A addresses the following questions:
A. What Format Should Credit Union Use for Retaining Records
B. Who Is Responsible for Establishing a System for Record Disposal?
C. What Procedures Should a Credit Union Follow When Destroying Records?
D. What Are the Recommended Minimum Retention Times?
E. What Records Should Be Retained Permanently?
F. What Records Should a Credit Union Designate for Periodic Destruction?
While credit unions should address all parts of the Appendix (A through F), this article focuses on point F: which records a credit union should designate for periodic destruction.
The Appendix states that “the credit union should prepare an index of any records destroyed (Periodic destruction list) and retain the index permanently. Destruction of records should ordinarily be carried out by at least two persons whose signatures, attesting to the fact that records were actually destroyed, should be affixed to the listing.” This applies equally to paper documents and to digital records stored on drives and devices.
Records designated for periodic destruction include applications for paid-off loans and the paid notes themselves, unless law requires longer retention, and various consumer disclosure forms, unless legislation requires that they be kept. Cash receipts, journal vouchers, canceled checks and bank statements are destroyed once they are no longer needed, as are outdated manuals, canceled instructions, and nonpayment notices from the NCUA and other government agencies.
Record Retention Time
Retention periods vary by record type. Some records, such as certain member account details, may be destroyed after the supervisory committee has reviewed them, while others, such as individual share and loan ledgers, must be kept permanently. Records should not be destroyed until they have been audited by the supervisory committee and examined by the National Credit Union Administration (NCUA). Credit unions are also required to keep account holder records for at least six years after an account is closed or a loan term ends. Corporate records, such as board meeting minutes and personnel files, may need to be kept for decades depending on the circumstances. For details, refer to Credit Union Records Retention Appendix A.
Confidentiality and Protection of Sensitive Data
Credit unions under NCUA must handle sensitive data securely whether it is on paper or on electronic media. For paper records the directive is clear: they must be destroyed beyond recognition so that no confidential information can be retrieved or misused. For records on computer storage media that is obsolete or no longer needed, disposal must follow National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization. See NCUA's specific media sanitization practices for details.
Storage Devices Subjected To These Guidelines
The NCUA guidelines cover a wide range of IT equipment and storage devices, including computers, servers, removable drives (USBs, tapes, optical discs), smartphones, tablets, SSDs, office machines with storage (photocopiers, fax machines, printers), and backup tapes stored onsite or offsite.
Secure Disposal of Information as per NCUA
Credit unions must sanitize media using techniques and procedures aligned with federal and organizational standards. NIST SP 800-88 groups sanitization into three levels, Clear, Purge and Destroy; cryptographic erase and degaussing are Purge techniques, and the appropriate level depends on the media type and the sensitivity of the information. NCUA prefers overwriting when the media will be reused. The FFIEC text notes that, to be effective, overwriting may have to be performed more than once; NIST SP 800-88 Rev. 1 considers a single verified pass sufficient for modern magnetic drives, but cautions that overwriting cannot reach remapped or over-provisioned cells on flash-based SSDs, where a firmware sanitize command or cryptographic erase should be used instead. Whichever method is chosen, it must render the data unrecoverable and the result must be verified, so that sensitive information cannot be accessed or reconstructed.
The NCUA also expects close oversight of sanitization: review, approval, tracking, documentation and verification of every disposal action. The FFIEC handbook (page 28) states: “Logs should record the party responsible for disposal, as well as the date, media type, hardware serial number, and method of disposal. In cases when such devices are rented, rather than owned, by the institution, media sanitization should be addressed contractually so that sensitive information is disposed of properly before returning equipment at the end of the rental period.”
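As an added illustration (not from this page and not BitRaser's code), the Python below performs a NIST SP 800-88 style Clear on a file that stands in for a drive: it writes a fixed pattern over every byte, forces it to stable storage, then reads the whole extent back and checks it, returning the fields a disposal log needs. The "member record" it plants and then looks for is constructed sample data. On a real device the path would be the raw block device (for example a `/dev/sdX` node on Linux) and the process needs the privileges to open it; on a flash SSD this technique does not reach over-provisioned or remapped cells, so a firmware sanitize or cryptographic erase (Purge) is the correct choice there.

```python
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB write/read unit


def overwrite_and_verify(path, passes=1, pattern=0x00, chunk=CHUNK):
    """Overwrite every byte of `path` in place with a fixed pattern, force it to
    stable storage, then read the whole extent back and confirm it.
    Works on a regular file or, with sufficient privileges, a raw block device.
    Returns the fields a disposal log entry needs."""
    block = bytes([pattern]) * chunk
    with open(path, "r+b") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()  # also works for block devices, unlike os.path.getsize()
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # the pattern must reach the media, not just the page cache
        # Full read-back verification. NIST 800-88 permits representative sampling,
        # but a 100% check is the easiest result to defend to an examiner.
        f.seek(0)
        verified = True
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            if f.read(n) != block[:n]:
                verified = False
                break
            remaining -= n
    return {
        "method": "overwrite",
        "passes": passes,
        "pattern": f"0x{pattern:02x}",
        "bytes": size,
        "verified": verified,
    }


def contains_marker(path, marker):
    """Naive forensic check: is the plaintext marker still present anywhere on the media?"""
    with open(path, "rb") as f:
        return marker in f.read()


def demo():
    # Constructed sample: a ~200 KB 'drive image' with a fake member record in the middle.
    marker = b"MEMBER SSN 123-45-6789"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(4096) + marker + os.urandom(200000))
    try:
        before = contains_marker(path, marker)       # True: recoverable before the wipe
        result = overwrite_and_verify(path, passes=1)
        after = contains_marker(path, marker)        # False: gone after the verified pass
    finally:
        os.unlink(path)
    return before, after, result


if __name__ == "__main__":
    print(demo())
```

The returned dictionary maps directly onto the log fields discussed in the next section (method, number of passes, verification result); a production tool would add the device serial number, operator identity and timestamp to it.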
Importance of Proof of Data Destruction
NCUA directs credit unions to follow NIST guidance for media sanitization and makes clear that every data destruction must be recorded, with proof retained for compliance purposes. The record must be detailed and include:
- Hardware details of the media (make, model, serial number)
- Media type
- Date and time of data disposal
- Method of disposal
- Number of times data was overwritten
- Verification type
- Person performing data erasure
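The two-person attestation quoted from Appendix A above and the log fields listed here can be enforced in code rather than left to a paper form. The Python below is an added example, not NCUA or BitRaser code: it validates each destruction record for the required fields and for two distinct attestors, and chains the entries of the permanently retained index with SHA-256 so that a later edit or deletion of any entry is detectable. The field names, serial numbers and person names are constructed placeholders. A hash chain is tamper-evident, not tamper-proof; a production system would add digital signatures from the two attestors or an append-only store on top of it.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry of the index

REQUIRED_FIELDS = (
    "serial_number",     # hardware serial of the sanitized media
    "media_type",        # e.g. HDD, SSD, LTO tape
    "disposed_at",       # ISO 8601 date and time of disposal
    "method",            # overwrite, cryptographic erase, degauss, shred ...
    "overwrite_passes",  # 0 when the method is not an overwrite
    "verification",      # how the result was checked, e.g. "full read-back"
    "performed_by",      # person who performed the erasure
    "witnessed_by",      # second person attesting, per Appendix A to Part 749
)


def _canonical(entry):
    """Deterministic serialization so the hash does not depend on key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def build_record(prev_hash, **fields):
    """Validate one destruction record and chain it to the previous entry's hash.
    Raises ValueError if a required field is missing or the two-person rule is violated."""
    missing = [k for k in REQUIRED_FIELDS if fields.get(k) in (None, "")]
    if missing:
        raise ValueError(f"incomplete destruction record, missing: {missing}")
    if fields["performed_by"] == fields["witnessed_by"]:
        raise ValueError("destruction must be attested by two different persons")
    if fields["method"] == "overwrite" and fields["overwrite_passes"] < 1:
        raise ValueError("an overwrite record must state at least one pass")
    entry = dict(fields, prev_hash=prev_hash)
    entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    return entry


def verify_index(entries, genesis=GENESIS):
    """Recompute every hash. Returns (True, count) or (False, index_of_first_bad_entry).
    Editing or deleting any entry invalidates it and every entry after it."""
    prev = genesis
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != e.get("entry_hash"):
            return False, i
        prev = e["entry_hash"]
    return True, len(entries)


def demo_index():
    # Constructed entries; serial numbers and names are placeholders.
    e1 = build_record(GENESIS, serial_number="SN-EXAMPLE-0001", media_type="HDD",
                      disposed_at="2024-03-01T10:15:00Z", method="overwrite",
                      overwrite_passes=1, verification="full read-back",
                      performed_by="A. Operator", witnessed_by="B. Supervisor")
    e2 = build_record(e1["entry_hash"], serial_number="SN-EXAMPLE-0002", media_type="SSD",
                      disposed_at="2024-03-01T10:40:00Z", method="cryptographic erase",
                      overwrite_passes=0, verification="sample read-back",
                      performed_by="A. Operator", witnessed_by="B. Supervisor")
    index = [e1, e2]
    ok = verify_index(index)
    tampered = [dict(e1, method="none"), e2]  # first entry edited after the fact
    return ok, verify_index(tampered)


if __name__ == "__main__":
    print(demo_index())
```

Run stand-alone, `demo_index()` returns `(True, 2)` for the intact index and `(False, 0)` for the tampered copy: the edited entry is flagged, and because every later entry embeds its predecessor's hash, the index can only be extended, never quietly rewritten.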
NCUA also stresses training credit union staff in data handling and disposal so that security practices are followed by everyone involved. Staff must be trained in the approved disposal methods so that sensitive data is handled and discarded securely; a knowledgeable workforce is a large part of what protects the credit union and its members from security threats.
How BitRaser Helps Comply with NCUA Guidelines
BitRaser Drive Eraser performs secure data wiping of HDDs and SSDs in PCs, laptops, Macs and servers. Credit unions can use it when disposing of old IT assets, returning leased hardware, or upgrading systems, so that data is erased beyond recovery. The tool follows NIST guidelines and has been tested by NIST and DHS for its efficacy.
It can be deployed from a USB drive, over PXE boot, or remotely via an MSI package, which suits credit unions operating across multiple locations and gives them one consistent method of data erasure.
The software generates tamper-proof erasure reports and certificates that serve as an audit trail, supporting compliance with data privacy laws, regulations and standards including CCPA, SEC rules, EU-GDPR, SOX, ISO 27001, PCI DSS and CMMC 2.0, and providing clear evidence of secure data handling.
This scalable solution lets credit unions manage data erasure across all their devices in a consistent, verifiable way as data security requirements evolve.