Washington, D.C. – The Oversight Subcommittee today held a hearing to examine the recent pattern of significant data breaches at the Federal Deposit Insurance Corporation (FDIC). The Subcommittee heard from FDIC Chief Information Officer (CIO) and Chief Privacy Officer Lawrence Gross, Jr. and FDIC Acting Inspector General Fred W. Gibson regarding growing concerns that the agency is unprepared to protect Americans’ data from cyberattacks.
The FDIC has suffered several significant data breaches since 2013, all as a result of departing agency employees copying information to portable storage devices and taking the devices with them.
The Subcommittee today uncovered numerous inconsistencies in the FDIC’s testimony. The facts laid out in the documents the FDIC provided to the Committee do not match the testimony from CIO Larry Gross. Thus, the Committee will continue its oversight in this area.
The agency has obstructed the Committee’s investigation by not providing a full and complete production of documents per the Committee’s request. Subcommittee Chairman Loudermilk demonstrated the discrepancy between the documents produced by the FDIC and those produced by the Inspector General. Mr. Gross’ excuses for the disparity are hollow. The Subcommittee’s requests for documents make clear that Congress expects a full and complete production.
Chairman Loudermilk questioned Mr. Gross on the circumstances surrounding the FDIC’s characterization of the October 2015 Florida data breach as “inadvertent.” Members on both sides of the aisle were outraged by this characterization. The documents provided by the Inspector General show that it took weeks to recover the portable storage device and the former FDIC employee responsible for taking the data hired an attorney to negotiate the return of the device.
The FDIC has been less than forthcoming with Congress. From providing incomplete document productions to mischaracterizing the facts, this agency is obstructing Congress’ oversight and failing to protect taxpayers’ personally identifiable information (PII).
Oversight Subcommittee Chairman Barry Loudermilk (R-Ga.): “According to the FDIC, none of the 160,000 individuals has anything to worry about because all of the FDIC employees who improperly walked out of the agency with sensitive information were required to sign affidavits stating the information was not disseminated. At best, this is a misleading statement because apparently all employees who are separating from FDIC are generally required to sign an exit document attesting that they have not removed any FDIC materials from the premises.
“It is Congress’ responsibility to shine a light on FDIC’s history of cybersecurity breaches. The Committee will continue its oversight of FDIC’s failures to secure Americans’ sensitive information from apparent foreign entities and disgruntled FDIC employees.”
According to the Federal Information Security Modernization Act of 2014 (FISMA), the FDIC is required to notify Congress of major security incidents within seven days. The October 2015 incident, which involves PII for more than 10,000 individuals, was not reported until more than four months after the breach, when the FDIC Office of Inspector General (OIG) prompted the agency to do so.
Chairman Lamar Smith (R-Texas): “If not for the Office of Inspector General’s openness and transparency with the Committee, we would not have been aware of the agency’s attempts to avoid providing a full and complete response to the Committee.
“The FDIC’s repeated efforts to conceal information from Congress are inexcusable. They raise significant questions about whether the agency actively attempts to hide potentially incriminating information from Congress. As an agency that has faced repeated security breaches, it should focus its resources on reforming its internal cybersecurity mechanisms instead of engaging in efforts to conceal information from this Committee.”
Emails obtained from the Inspector General show that as recently as last week, the CIO was waffling on whether to timely report a breach to Congress.
Mr. Gibson testified that the OIG has ongoing audits and investigations of the data security breaches.
For more information about today’s hearing, including witness testimony and the hearing webcast, please visit the Science, Space, and Technology Committee website.