Despite assurances that the Federal Deposit Insurance Corporation is taking steps to keep personally identifiable and financial information secure, the agency cannot be certain that tens of thousands of files accidentally downloaded from its network won’t fall into the wrong hands.
Larry Gross, FDIC’s chief information officer, defended the former employees who unknowingly took the information when he appeared before members of Congress at a May 12 Capitol Hill hearing. But he admitted that although they signed affidavits saying they did not share the information, the agency lacks digital rights management, so there is no guarantee the data didn’t end up on someone else’s storage drive.
“We don’t have digital rights management deployed across the FDIC at this moment, it is one of the 60-day response activities that I’ve laid out for the [Inspector General],” Gross said to Rep. Zoe Lofgren (D-Calif.) during a House oversight subcommittee hearing.
“So we don’t know for sure whether this information that was taken was not in fact further copied because there was no DRM to prevent it,” Lofgren said. “Technologically we have no assurance of that.”
Gross said the FDIC has started the process of identifying DRM technology it can use and establishing an implementation timeline. Two options are being considered but he did not go into detail.
“One of the things we have to look at, we want to make sure we don’t break the business,” Gross said. “That means we have to be focused on the data that is the most sensitive and work our way out. We are not going to do this as a wholesale change across the organization, because it’s not only do we have to evaluate if there’s any internal impact, we have to evaluate is this going to create an impact with the businesses that we have to work with.”
‘Misrepresenting the truth’
Gross’ testimony came days after FDIC reported five additional breaches — the two other breaches that have been reported took place in October and April — caused by outgoing employees who unknowingly downloaded customer data onto their own mobile devices when saving their own personal information as they left their positions.
Gross echoed the FDIC’s statement from earlier in the week, calling the incidents “low-risk” and informing committee members that the individuals whose information was included in the incidents would not receive credit monitoring.
“We evaluated each of the cases and determined because there was a low risk of harm, there were no individuals affected or impacted adversely as a result of the downloading of the information,” Gross said. “So as a result of the lack of impact to the individuals, it was deemed that credit monitoring was not warranted.”
Gross said the former employees involved in the incidents were all in good standing when they left the agency, and left due to retirement or had reached the end of their term-limited positions. Each of the employees had a reason to have access to the information while working for the FDIC, Gross said, but he acknowledged they were “not computer proficient.”
Annual employee training and routine reminders are part of a new FDIC initiative launched as a result of the incidents.
Rep. Don Beyer (D-Va.) said one of the first steps going forward should be that employees don’t keep personal information on their computers.
“I’m glad you’re making progress, because this sort of boggles the mind that somebody could go in and download an entire disk or all the information that FDIC has on record about companies and individuals,” Beyer said.
Rep. Darin LaHood (R-Ill.) asked about reports that one of the former employees was evasive and uncooperative, but Gross said having to prove to a former employee that they took information after signing something that says they didn’t can create “awkward situations.”
“When we go back to that employee and we have proof because of our [data loss prevention] capabilities that they have downloaded information, at that instant that conversation is an employee who has now realized ‘I have made a mistake,’” Gross said. “As a result of that, that relationship has to be managed from the standpoint of a trusted employee who now realized they inadvertently took information and now they’re caught misrepresenting the truth.”
FDIC acting IG Fred Gibson confirmed that there is one criminal investigation stemming from recent reports.
“When we conduct a criminal investigation we do so when we have probable cause to believe there’s been a crime that’s been committed,” Gibson said. “When information comes to us, when we are able to open an investigation, we do. In one of these cases, we have.”
Gibson said his office is conducting two audits which look at:
The FDIC’s process for identifying and reporting major security incidents, as required by applicable federal law and related guidance.
The FDIC’s controls for mitigating the risk of an unauthorized release of sensitive resolution plans submitted by systemically important financial institutions.
The five additional data incidents were reported as a result of revised guidance stemming from a February 2016 FDIC IG report. Gross directed the agency to review all security incidents that not only involved 10,000 or more records, but were “outside of the FDIC’s control for any length of time.”
Office of Management and Budget Director Shaun Donovan in October released new guidance on information security and management requirements. This included the definition of a “major incident” as one involving 10,000 or more records.
Other actions FDIC is taking include:
Creating a new incident tracking system and an incident response coordinator position that will serve as the main point of contact for IT security incidents at the FDIC.
Monitoring printed materials in high-risk areas.
Starting a chief information office- and operations-wide review of all policy documents to ensure they reflect current cybersecurity oversight policies.
Applying encryption software agencywide.
Gross said his goal is to eliminate the use of mobile media devices within FDIC. He said fewer than 50 percent of employees have access to USB drives. But at the same time, there are still positions, such as examiners, that need mobile access out in the field.
That’s why “we can’t immediately drive down to zero,” Gross said. “My goal is to get to zero on use of mobile media within the organization.”