The FDIC’s Processes for Responding to Breaches of Personally Identifiable Information
On September 29, 2017, the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) issued an audit report entitled The FDIC’s Processes for Responding to Breaches of Personally Identifiable Information. We initiated the audit in response to concerns raised by the Chairman of the Senate Committee on Banking, Housing, and Urban Affairs regarding a series of data breaches reported by the FDIC in late 2015 and early 2016.
Implementing proper controls to safeguard personally identifiable information (PII) and respond to breaches when they occur is critical to maintaining stability and public confidence in the nation’s financial system and protecting consumers from financial harm. Our audit assessed the adequacy of the FDIC’s processes for evaluating the risk of harm to individuals potentially affected by a breach involving PII and notifying and providing services to those individuals, when appropriate. Our review sample included 18 of 54 suspected or confirmed breaches involving PII that the FDIC discovered during the period January 1, 2015 through December 1, 2016. The breaches we reviewed potentially affected over 113,000 individuals.
We reported that the FDIC had established formal processes for evaluating the risk of harm to individuals potentially affected by a breach involving PII and providing notification and services to those individuals, when appropriate. However, the implementation of these processes was not adequate. Specifically:
- FDIC Did Not Complete Key Breach Investigation Activities and Notify Affected Individuals Timely. The FDIC did not complete key breach investigation activities (i.e., completing impact/risk assessments and/or convening the Data Breach Management Team, or DBMT) within the timeframes established in the FDIC’s Data Breach Handling Guide (DBHG) for 13 of the 18 suspected or confirmed breaches that we reviewed. In addition, the FDIC did not notify potentially affected individuals in a timely manner for the incidents we reviewed. Specifically, it took an average of 288 days (more than 9 months) from the date the FDIC discovered a breach to the date the Corporation began to notify individuals.
- FDIC Did Not Adequately Document Key Assessments and Decisions. Our review of 18 suspected or confirmed breaches found that Incident Risk Analysis (IRA) forms did not clearly explain the rationale behind the overall impact/risk levels assigned to the incidents. Some IRA forms were not substantially complete prior to convening the DBMT. The underlying analysis used to support assigned impact/risk levels for three breaches was inconsistent with the methodology in the DBHG. The overall risk ratings recorded in the IRA forms for five breaches were not consistent with the risk mitigation actions taken by the FDIC.
- FDIC Needed to Strengthen Controls Over the DBMT. Although the DBHG describes the role and activities of the DBMT, the FDIC had not established a formal charter or similar mechanism for the DBMT that defines its purpose, scope, governance structure, and key operating procedures. The FDIC had also not developed a process for briefing DBMT members on the outcome of their recommended actions. Such a process would allow DBMT members to more effectively apply lessons learned to future breach response decision-making and promote consistency in the process. In addition, the FDIC did not provide DBMT members with specialized training to help ensure the successful implementation of their responsibilities.
- FDIC Did Not Track and Report Key Breach Response Metrics. The DBHG identifies key categories of qualitative and quantitative metrics for benchmarking, tailoring, and continuously improving the FDIC’s breach prevention and response capabilities. However, the FDIC generally did not track or report the metrics in the DBHG for the suspected or confirmed breaches we reviewed.
We made seven recommendations to address the issues we identified. The FDIC concurred with the recommendations and proposed actions to address them.