The Federal Deposit Insurance Corp. may have suffered more than 50 breaches that compromised the personal information of hundreds of thousands of Americans in recent years. And in most cases, the agency did a poor job of responding to the incidents, a new watchdog report shows.
The FDIC’s inspector general released a report this week detailing response efforts to the bank regulator’s 54 “suspected or confirmed” data breaches in 2015 and 2016. In five of those incidents alone, more than 113,000 individuals’ personally identifiable information (PII) was compromised.
FDIC was created in 1933 after the Great Depression to restore the public’s faith in the banking industry and stabilize the economy by insuring deposits in the event of bank failures. The agency’s website says “The FDIC directly examines and supervises about 4,000 banks and savings banks for operational safety and soundness, more than half of the institutions in the banking system.”
Breaches happen, as the IG acknowledges in its report: the U.S. Computer Emergency Readiness Team received reports on more than 50,000 security incidents involving PII between 2014 and 2016. But it’s FDIC’s response to its breaches that concerns the watchdog.
The IG reviewed 18 of those 54 breaches, and in 13 cases the agency didn’t “complete key breach investigation activities (i.e., impact/risk assessments and/or convene the DBMT) within the timeframes established” in its response guides. Moreover, the FDIC took 288 days on average to notify potentially affected individuals. Six of the reviewed breaches were considered “major incidents” under Office of Management and Budget policy, some of which FedScoop reported on, such as one the agency described as “inadvertent.”
This is important and unacceptable, the report explains, because “the longer it takes to complete breach investigation activities and notify potentially affected individuals, the greater the risk of harm that may come to individuals because they cannot quickly take proactive actions to protect themselves.”
The FDIC struggled in its response efforts, the IG said, because it didn’t “have an Incident Response Coordinator to centrally manage its incidents; provide ISMs with adequate training; dedicate sufficient Privacy Staff to manage breach response activities; or take appropriate steps to ensure it was prepared to handle a large increase in required notifications.”
CISO Howard Whyte responded to the report by noting that the agency has since dramatically increased its resources for incident response, hired a permanent Incident Response Coordinator, elevated the privacy staff to a formal section within the CIO’s office and allocated 25 percent more federal staff and 40 percent more contractors “to ensure the FDIC can more effectively meet its breach response obligations as well as other privacy functions.”
While responding to those breaches, the agency also struggled to adequately document and explain the risk and impact levels it assigned to the incidents. Likewise, the report criticized the FDIC’s operational guide for responding to breaches, saying it needs a charter for its Data Breach Management Team “that defines its purpose, scope, governance structure, and key operating procedures.”
The FDIC has since introduced a new guide, the Breach Response Plan, that defines the purpose of an overhauled Breach Response Team and sets out its scope, responsibilities, membership and governance structure, said Whyte. Whyte will be filling in for CIO Lawrence Gross, who announced last week that he is retiring from his role in January.
In all, the FDIC concurred with the IG’s seven recommendations.