The Federal Deposit Insurance Corporation's (FDIC) collection of personally identifiable information was hacked 54 times between Jan. 1, 2015, and Dec. 1, 2016, according to an Inspector General (IG) report released last week.
The IG found that the FDIC didn’t complete key breach investigation activities, didn’t notify affected individuals in a timely manner, didn’t document key assessments and decisions, didn’t track and report key breach response metrics, and needs to strengthen controls over its data breach management team.
“In fulfilling its mission of insuring deposits, supervising insured financial institutions, and resolving the failure of insured financial institutions, the Federal Deposit Insurance Corporation (FDIC) collects and manages considerable amounts of personally identifiable information (PII),” the IG report said. “Implementing proper controls to safeguard this information and respond to breaches when they occur is critically important to maintaining stability and public confidence in the nation’s financial system and protecting consumers from financial harm.”
FDIC collects PII about its employees, contractors, and the customers of failed institutions. This information includes names, home addresses, telephone numbers, Social Security numbers, driver’s license numbers, Employee Identification Numbers (EIN), and dates and places of birth. FDIC also collects information related to education, finances, medical histories, criminal histories, and employment histories.
The FDIC’s breach response process includes eight stages: establish incident response capabilities in advance of a breach, detect breaches through security scans, report known and suspected breaches to the FDIC Help Desk/Computer Security Incident Response Team (CSIRT), collect facts about the incident and notify internal and external resources, analyze the risk and determine a course of action, notify affected individuals in a timely manner, prepare an incident close-out report, and apply lessons learned to improve the security process.
However, in the 18 of the 54 breaches that the IG examined, the FDIC didn’t notify affected individuals in a timely manner, clearly explain its rationale for determining the risk level of a breach, effectively oversee data breach management team members, or use performance metrics to measure and assess the effectiveness of key breach response processes. In the examples provided by the IG, it took the FDIC 145 to 215 days to notify affected individuals of the breach.
The IG found that the staffing to support breach response activities wasn’t sufficient and the employees didn’t receive adequate training.
The IG recommended that the CIO:
- Allocate the appropriate level of FDIC resources to ensure that the FDIC can effectively meet its obligations with respect to breach response activities.
- Establish a procedure that requires the FDIC to explain its rationale, in written form, justifying the overall impact levels assigned to breaches.
- Establish a charter for the data breach management team that defines its purpose, scope, responsibilities, membership, governance structure, and operations.
- Develop and use a process for briefing the data breach management team on the final findings of breach investigations and the actions taken in response to recommendations to resolve breach events.
- Provide specialized training for data breach management team members that includes tabletop exercises to ensure they fully understand their roles and responsibilities.
- Establish, track, and report metrics to assess the performance of breach response activities.
- Coordinate with the FDIC chairman to update the chief privacy officer designation to reflect organizational changes made since 2005.
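The eight-stage process described above and the recommendation to track breach response metrics both come down to recording, per incident, whether each stage happened and when. The following Python script is an added example, not code from the article or from the FDIC: it logs one record per breach keyed to the process stages, flags the control gaps the IG called out (unreported incidents, undocumented impact-level rationale, late or missing notification, missing close-out report), and rolls them up into the kind of metrics a breach management team could report. The incident records are constructed for illustration, and the 30-day notification deadline is an assumed value, since the article gives no FDIC threshold.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional

# Assumed notification deadline in days. The article gives no FDIC threshold,
# so this value is a placeholder chosen for illustration.
NOTIFY_DEADLINE_DAYS = 30


@dataclass
class BreachRecord:
    """One breach as the response team would log it, keyed to the process stages."""
    incident_id: str
    detected: date                         # stage 2: detection
    reported_to_csirt: Optional[date]      # stage 3: report to Help Desk/CSIRT
    risk_rationale_documented: bool        # stage 5: written rationale for impact level
    individuals_notified: Optional[date]   # stage 6: notification of affected individuals
    closeout_report: Optional[date]        # stage 7: incident close-out report


def days_to_notify(rec: BreachRecord) -> Optional[int]:
    """Days from detection to notification, or None if nobody has been notified yet."""
    if rec.individuals_notified is None:
        return None
    return (rec.individuals_notified - rec.detected).days


def control_gaps(rec: BreachRecord) -> List[str]:
    """Return the process-stage gaps for one record (an empty list means no findings)."""
    gaps = []
    if rec.reported_to_csirt is None:
        gaps.append("not reported to CSIRT")
    if not rec.risk_rationale_documented:
        gaps.append("impact level rationale not documented")
    elapsed = days_to_notify(rec)
    if elapsed is None:
        gaps.append("affected individuals not notified")
    elif elapsed > NOTIFY_DEADLINE_DAYS:
        gaps.append(f"notification late: {elapsed} days (limit {NOTIFY_DEADLINE_DAYS})")
    if rec.closeout_report is None:
        gaps.append("no close-out report")
    return gaps


def response_metrics(records: List[BreachRecord]) -> Dict[str, object]:
    """Summary metrics a breach management team could track and report."""
    notify_times = [d for d in (days_to_notify(r) for r in records) if d is not None]
    return {
        "breaches": len(records),
        "notified": len(notify_times),
        "median_days_to_notify": median(notify_times) if notify_times else None,
        "max_days_to_notify": max(notify_times) if notify_times else None,
        "late_notifications": sum(1 for d in notify_times if d > NOTIFY_DEADLINE_DAYS),
        "missing_rationale": sum(1 for r in records if not r.risk_rationale_documented),
        "missing_closeout": sum(1 for r in records if r.closeout_report is None),
        "gaps_by_incident": {r.incident_id: control_gaps(r) for r in records},
    }


# Constructed sample records for demonstration; these are not incidents from the IG report.
SAMPLE_RECORDS = [
    BreachRecord("INC-001", date(2015, 3, 2), date(2015, 3, 3), True,
                 date(2015, 3, 20), date(2015, 4, 1)),
    BreachRecord("INC-002", date(2015, 6, 10), date(2015, 6, 12), False,
                 date(2015, 11, 2), None),
    BreachRecord("INC-003", date(2016, 1, 15), None, True, None, None),
]

if __name__ == "__main__":
    for key, value in response_metrics(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Running the script prints the summary for the three constructed records: one clean incident, one notified 145 days after detection with no written rationale and no close-out report, and one never reported or notified at all. The per-incident gap list is what a management team would brief on; the aggregate counts are the metrics the IG recommended tracking.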