Star of Texas Credit Union will maintain physical, electronic, and procedural safeguards that comply with federal standards to guard members’ nonpublic personal information.
Star of Texas Credit Union will not gather, collect or maintain any information about its members that is not necessary in order to offer its products and services, to complete member transactions or for other relevant business purposes.
Star of Texas Credit Union does not sell or provide any member information to third parties including list services, telemarketing firms, or outside companies for independent use.
Information Security Program
Management is responsible for developing, implementing, and maintaining an effective information security program to:
- Ensure the security and confidentiality of member records and information
- Protect against any anticipated threats or hazards to the security or integrity of such records, and
- Protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any member.
Management will report at least annually to the board on the current status of the credit union’s information security program.
Assessment of Risk
In order to assess the risks that may threaten the security, confidentiality, or integrity of member information or member information systems, management will:
- Identify all reasonably foreseeable internal as well as external threats that can result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems,
- Determine the likelihood as well as potential damage of the internal and external threats,
- Determine the sufficiency of policies, procedures, and member information systems to control the identified risks.
Management and Control of Risk
In order to manage and control the risk that have been identified, management will consider whether the security measures outlined in III.D. of Appendix A of NCUA Rules and Regulations Part 748 are appropriate for Star of Texas Credit Union.
Key controls, systems, and procedures of the information security program will be regularly tested by staff independent of those that develop or maintain the security programs.
Service Provider Arrangements
Management will exercise appropriate due diligence in selecting service providers.
All contracts with service providers will contain appropriate provisions requiring the service providers to protect the confidentiality of the members’ non public personal information.
Management will, according to risk, monitor service providers by reviewing audits, summaries of test results, or other evaluations.
The information security program will be monitored, evaluated, and adjusted as necessary in light of any relevant changes in technology, the sensitivity of member information, internal or external threats, business arrangements, outsourcing arrangements, and member information systems.
Employees will be trained with regard to their responsibilities under this policy. In addition, employees will be trained to recognize, respond to, and where appropriate, report any unauthorized or fraudulent attempts to obtain member information.
Confidentiality of Members’ Accounts
No credit union officer, director, committee member or employee may disclose to any person, other than the member, or to any company or government body the individual savings, shares, or loan records of any credit union member, contained in any document or system, by any means unless specifically authorized to do so in writing by such the members, except as follows:
- Reporting credit experience to a bona fide credit reporting agency, another credit union, or any other bona fide credit-granting business and/or merchants information exchange, provided that applicable state and federal laws and regulations pertaining to credit collection and reporting are followed;
- Furnishing information to a duly constituted government agency or taxing authority, or any subdivision thereof, including law enforcement agencies;
- Furnishing information, orally or in written form, in response to the order of a court of competent jurisdiction or pursuant to other processes of discovery duly issuing from a court of competent jurisdiction;
- Furnishing reports of loan balances to co-borrowers, co-makers, and guarantors of loans or a member and of share or deposit account balances, signature card information, and related transactions to join account holders;
- Furnishing information to and receiving information from check and draft reporting, clearing, cashing and authorization services relative to past history of a member’s draft and checking accounts at the credit union; or
- As otherwise authorized by law.
The credit union may release the name and address of members to assist the credit union in its marketing efforts or sale of third party products, provided that the credit union obtains a written non-disclosure statement providing assurances that the information will be used exclusively for the benefit of the credit union and no other.