Following a slew of recent data breaches, the U.S main banking regulator is in the hot seat about how notifications following the breaches were handled.
A U.S. congressional subcommittee spent time yesterday (May 12) during a hearing where the FDIC was questioned about a string of data breaches, including two recent incidents that involved 10,000 sensitive and private data records to be downloaded from workers onto storage devices before they left the agency.
Upon learning of the breaches, the FDIC also discovered that there were five other incidents where this same behavior had occurred, according to Republican Rep. Barry Loudermilk, who is the chair of the House of Representatives subcommittee on oversight and technology.
All together, this led to the personal data of more than 160,000 people being impacted, according to a Reuters report on the meeting.
“To date, FDIC has failed to notify any of those individuals that their private information may have been compromised,” he said.
The FDIC’s recent disclosure to Congress suggested that at least five major data breaches that occurred sometime between now and Oct. 30, 2015. Though details are still scarce, the FDIC noted that each case was not of the run-of-the-mill hacking variety. Instead, in each incident, an FDIC employee soon to leave the agency had inadvertently downloaded the personal details and then take that data outside of the FDIC’s control.
Despite the breaches, the FDIC is maintaining that none of the accessed information was shared illicitly, just as it believes none of the employees downloaded the data with untoward activities in mind.
While the exact number of people affected by the breaches is unknown, the FDIC chose to categorize the cases as “major incidents” in which at least 10,000 individuals are confirmed to be affected. In April, the FDIC disclosed the occurrence of a breach by similar means that affected 44,000 agency employees, which makes seven total dating back to the original on Oct. 30.
Representative Don Beyer, a democrat on the subcommittee, suggested the FDIC handled the incidents too slowly, and did not notify Congress in a timely manner. He said the breaches should have been disclosed within a week of occurring.
During the hearing, the FCIC’s CIO and chief privacy officer, Lawrence Gross, said the agency is implementing a new system to terminate employees’ ability to use portable media on its devices in order to prevent similar incidents from occurring again. It is also determining how to implement a “digital rights management,” software to change the amount of time someone could have access to data for.
For now, Gross said the agency will be completing a “top to bottom review,” of what needs to be done when it comes to its technology information policies. This also means hiring a third-party consultant to assess the issues.
As for what pressure it faces in Congress, there’s still some debate about how intentional the downloading of data is, as the FDIC claims the downloads were accidental. But not everyone in congress is buying that claim.
“In at least one case … a former employee who downloaded such data was evasive about her actions and not cooperative when initially confronted,” Rep. Bill Johnson was quoted as saying during the hearing.
“Some FDIC employees also suggest that it was highly improbable that this former employee’s actions were accidental. In addition this former employee is now working for a U.S. subsidiary of a non-U.S. financial services company which raises additional concerns,” he added.