The Federal Deposit Insurance Corp. (FDIC) is set to enhance its cyber security procedures following Monday’s retroactive report to Congress that five additional “major incidents” of data breaches have occurred since October 2015.
The FDIC has built up an impressive resume of “major incidents” apparently caused by insiders, either accidentally or deliberately. FDIC is launching an initiative to enhance its cyber security requirements. FDIC said the cases would have been reported in its annual Federal Information Security Modernization Act (FISMA) report to Congress if not for recently revised guidance. The agency immediately addressed the incidents, the FDIC said.
The incidents mentioned involved the breach of taxpayers’ personally identifiable information, The Washington Post has learned. In each case, employees with legitimate access to the information were leaving the agency when they inadvertently downloaded the data along with personal files. The individuals involved provided affidavits saying the data was not shared.
FDIC considers these to be low-risk cases, but they each meet the threshold of 10,000 records inappropriately exposed. They are being retroactively reported now because the cases were closed before an FDIC Office of Inspector General decision in February to define “major incident” as one that involves at least 10,000 records.
The new initiative to enhance cyber security, according to an FDIC document, includes the use of computer software “to force encryption of portable devices” for many purposes. FDIC also will hire a contractor “to conduct an end-to-end assessment of the FDIC IT security and privacy programs, and to provide actionable steps to mitigate any program gaps identified.” A management software program will be implemented to allow the FDIC to locate misplaced, sensitive data, “recall it, and destroy it as appropriate, regardless of where the data are located.”
Last month, The Post reported that the personal information of 44,000 FDIC customers was breached by an employee leaving the agency. In that case, an internal memo from Lawrence Gross Jr., FDIC’s chief information and privacy officer, said the data was placed on a personal storage device by an employee “inadvertently and without malicious intent.”
That apparently was the case with the five incidents now being revealed and a similar October incident reported in April by the Federal Times.
Other actions FDIC is taking include:
- Revising a policy prohibiting the use of mobile media devices for the majority of FDIC employees. As of early April, if an FDIC employee connects removable media to his or her computer, it is blocked.
- Creating a new incident tracking system and an incident response coordinator position that will serve as the main point of contact for IT security incidents at the FDIC.
- Monitoring printed materials in high-risk areas.
- Starting a review, across the chief information office and operations, of all policy documents to ensure they reflect current cybersecurity oversight policies.
- Revising the data breach management guide to incorporate new guidance and address reporting and incident escalation procedures.
- Annual training for all employees and routine reminders on procedures as part of ongoing efforts.
Following a February 2016 Inspector General report, Larry Gross, FDIC’s chief information officer, directed the agency to review all security incidents that not only involved 10,000 or more records but also were “outside of the FDIC’s control for any length of time.”
Gross, who also is FDIC’s chief privacy officer, is scheduled to testify May 12 along with FDIC acting IG Fred Gibson before a House subcommittee on his agency’s data breaches and cyber challenges.