Federal Deposit Insurance Corp. officials assured the House Committee on Science, Space and Technology that they had rectified the issues related to five inadvertent data breaches and moved to put stronger security measures in place.
Lawrence Gross, the FDIC’s CIO, testified in front of the committee Thursday after it came to light last month that an employee leaving the agency inadvertently downloaded data containing 44,000 banking customers’ personal details to their own mobile device. Earlier this week, it was revealed there have been five such instances where employees have left the agency with thousands of records containing highly sensitive information.
Gross told the committee he has instituted various new security measures, including limiting the use of mobile media devices inside the agency, revising the agency’s data breach management guide and hiring a third party to assess the agency’s IT security and privacy program.
Gross said his office took steps to mitigate risk of harm from the breaches, including recovering the devices that had stored the data. Despite the fact that one of the employees left to work with a foreign-based financial firm and initially resisted turning over the device in question, Gross said the “incidents did not rise to the level of major incidents.”
Rep. Don Beyer, D-Va., expressed doubt over Gross’ claims that the risk presented by the breaches was low.
“You’ll forgive us if there is a certain amount of skepticism if seven different people download information just as they’re leaving that affects more than 10,000 records and none of them rise to the level of major incident,” Beyer told Gross.
Yet Gross told Beyer that despite the largest breach happening before the Office of Management and Budget issued its 2015 FISMA guidance — which states agencies must notify Congress within seven days of a breach — the agency still included the incident in its end-of-year FISMA report.
“I make a concerted effort to be very transparent in all the activities in the security realm,” Gross said. “It was of my encouragement to the staff that we knew the policy was coming out as we were reviewing this incident and asked that they supply the standard of the policy to the incident.”
As to shutting off the use of mobile media such as USB drives, Gross told Rep. Barry Loudermilk, R-Ga., he has dropped employee use of those devices by approximately 50 percent.
“Our goal is zero,” Gross said. “However, we need to work through different business processes that still require the use of [USB drives],” such as employees who need the drives when they are traveling for work.
Gross added that any mobile media use inside the agency now needs the approval of the division director. He also added that approved devices are encrypted once they are allowed to connect to the network.