The Federal Deposit Insurance Corporation is kicking its cybersecurity efforts into high gear after reporting five more security incidents that were inadvertently caused by departing employees.
The FDIC on May 9 said five “low risk” incidents had occurred since October, in which departing employees downloaded customer data along with the personal files they were saving to their own devices.
FDIC said that, absent the recently revised guidance, the cases would have been reported only in its annual Federal Information Security Modernization Act (FISMA) report to Congress. The agency immediately addressed the incidents, the FDIC said.
“Every indication is that all of the individuals without malicious intent inadvertently downloaded the material when they were downloading personal files before separating from the FDIC,” the agency said. “We identified the downloads swiftly, contacted the employees and recovered the information. These employees provided affidavits affirming that they did not share the information.”
The FDIC said the employees were all in good standing when they left the agency, and left due to retirement or had reached the end of their term-limited positions. Each of the employees had a reason to have access to the information while working for the FDIC.
“We take data security very seriously and are always looking for ways to improve and provide a more secure environment,” an FDIC spokesperson said in a statement.
These five reports are in addition to two other breaches that have been reported, one in October and another in April. News of those breaches was reported by Federal Times and the Washington Post, respectively.
After the most recent incidents, the FDIC is conducting a 60-day review, which includes implementing digital rights management software that will let the FDIC locate, recall and, when appropriate, destroy data that is outside the agency’s network.
Beginning this month, the review also includes the agencywide application of encryption software.
The FDIC is working with a third party “to conduct an end-to-end assessment of the FDIC IT security and privacy programs, and to provide actionable steps to mitigate any program gaps identified.”
Other actions FDIC is taking include:
Revising a policy to prohibit the use of mobile media devices for the majority of FDIC employees. As of early April, any removable media an FDIC employee connects to his or her computer is blocked.
Creating a new incident tracking system and an incident response coordinator position that will serve as the main point of contact for IT security incidents at the FDIC.
Monitoring printed materials in high-risk areas.
Starting a review, across the chief information office and operations, of all policy documents to ensure they reflect current cybersecurity oversight policies.
Revising the data breach management guide to incorporate new guidance and to address reporting and incident escalation procedures.
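The removable-media block described in the first item above is the kind of control a Windows administrator enforces through Group Policy. The script below is an added illustration, not the FDIC’s own configuration or tooling: it writes the same registry value that the “All Removable Storage classes: Deny all access” policy sets, verifies it, and lists any removable drives still visible. It assumes it is run elevated on a domain-joined or standalone Windows endpoint and that no domain GPO overrides the key on the next policy refresh; the function names are the author’s own.

```powershell
# Added example (not FDIC configuration): enforce and verify a deny-all
# removable storage policy on a Windows endpoint via the registry key
# that Group Policy itself manages.
# Assumptions: run in an elevated session; no domain GPO overrides this key.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenied {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Deny_All = 1 is what the GPO "All Removable Storage classes:
    # Deny all access" writes; it covers every removable storage class.
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Deny_All = 1')) {
        New-ItemProperty -Path $PolicyKey -Name 'Deny_All' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-RemovableStorageDenied {
    # $true only when the value exists and is set to 1.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Deny_All -eq 1)
}

function Get-AttachedRemovableDrives {
    # DriveType 2 = removable disk. Useful as a post-change audit: the
    # policy applies when a device is next connected, so already-mounted
    # media may remain visible until a policy refresh or reboot.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object DeviceID, VolumeName, Size
}

Set-RemovableStorageDenied
if (Test-RemovableStorageDenied) {
    Write-Output 'Removable storage access is denied by policy.'
} else {
    Write-Warning 'Policy value not present; check privileges and GPO precedence.'
}
Get-AttachedRemovableDrives
```

In a managed environment the same setting is normally deployed centrally (Computer Configuration > Administrative Templates > System > Removable Storage Access) rather than per machine; the local write here is for a single endpoint or for checking that the central policy actually landed.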
“Annual training for all employees and routine reminders on procedures are a part of our ongoing efforts,” FDIC said.
Office of Management and Budget Director Shaun Donovan in October released new guidance on information security and management requirements. This included the definition of a “major incident” as one involving 10,000 or more records.
Following a February 2016 Inspector General report, Larry Gross, FDIC’s chief information officer, directed the agency to review all security incidents that not only involved 10,000 or more records, but were “outside of the FDIC’s control for any length of time.”
Under this revised guidance, the FDIC reported these five additional incidents.
In April, Rep. Lamar Smith (R-Texas), chairman of the Science, Space, and Technology Committee, sent a letter to FDIC Chairman Martin Gruenberg asking him to address the compromise.
In a statement provided to Federal News Radio, Smith called the FDIC’s pattern of data security breaches “troubling.”
“In the two incidents previously reported to Congress, which occurred in October 2015 and February 2016, over 54,000 individuals’ personally identifiable information was compromised,” Smith said May 9. “What is equally troubling is that the FDIC apparently withheld reporting five additional major breaches to Congress until faced with congressional scrutiny. The FDIC’s decision to retroactively classify five additional incidents as major breaches raises serious concerns about the agency’s transparency to Congress. At the hearing on Thursday, committee members will probe who knew what when.”
Gross, who also is FDIC’s chief privacy officer, is scheduled to testify May 12 along with FDIC acting IG Fred Gibson before a House subcommittee on his agency’s data breaches and cyber challenges.