After new guidance from the FDIC's inspector general, the agency is reporting five additional security breaches, bringing the total number of breaches since October 2015 to seven.
In February, the bank regulator's inspector general said a data breach meets the seven-day reporting requirement to Congress any time 10,000 or more records are exposed for any length of time, the FDIC stated. The agency had previously reported two data breaches since October 2015.
"We take data security very seriously and are always looking for ways to improve and provide a more secure environment," the FDIC said in a statement.
The bank regulator is conducting a 60-day review, which will include implementing digital rights management software to locate and destroy data as needed, executing encryption software on portable devices, and having a third party conduct an assessment of the FDIC's security and privacy programs. In addition, the agency has created an incident response coordinator to serve as the main contact for security incidents. Any employees who need a flash drive to transport data must have permission to do so, and the agency is looking for an alternative system to transport sensitive bank data to other regulators, the FDIC stated.
The FDIC considered these breaches low-risk because they involved employees who were leaving the agency, were in good standing and had a business reason for having access to the data.
These data breaches would have been included in an annual required report to Congress, the FDIC stated.
Lawrence Gross Jr., the FDIC's chief information officer and chief privacy officer, and Fred Gibson, acting inspector general at the FDIC, are scheduled to testify on the data breaches before the House Committee on Science, Space and Technology on May 12.