5 Key Lessons From The FDIC’s Breach Disclosure Debacle

Rick Holland | 19 July 2016

Last week, the United States House Science, Space and Technology Committee released the scathing results of the committee’s investigations into data breaches at the Federal Deposit Insurance Corporation (FDIC). The FDIC is an independent agency created by Congress to maintain stability and public confidence in the nation's financial system by:

  • insuring deposits;
  • examining and supervising financial institutions for safety and soundness and consumer protection;
  • making large and complex financial institutions resolvable; and
  • managing receiverships.


The report revealed that the FDIC retroactively reported five additional breaches to the Committee. It also revealed that the personal information of over 160,000 individuals had left the FDIC by “accident.” The report further found that purported Chinese actors had compromised the FDIC several times between 2010 and 2013 and that the FDIC Chairman’s workstation had also been compromised. The Committee’s preliminary findings weren’t encouraging:

  1. The Chief Information Officer (CIO) has created a toxic work environment, misled Congress, and retaliated against whistleblowers.
  2. The FDIC deliberately evaded Congressional oversight.
  3. The FDIC has historically experienced deficiencies related to its cybersecurity posture and those deficiencies continue to the present.

Given today’s threat landscape and the inevitability of intrusions, breach disclosure should be a well-thought-out component of your cybersecurity program. The FDIC’s disclosure debacle raises some key considerations:

  1. Do you have the situational awareness to detect and respond to intrusions? If a tree falls in a forest and no one is around to hear it, does it make a sound? If a breach occurs and no one detects it, does a breach occur? Of course it does. You need to have the visibility to detect intrusions and ideally prevent breaches. Do you have the appropriate mix of technology and people to detect malicious activity within your environment? Do you have the visibility to detect your intellectual property/personally identifiable information after it has left your environment?
  2. Plan for failure; create a breach disclosure strategy. Just as you shouldn’t learn how to swim after you have been thrust into the deep end of a pool, you shouldn’t make the majority of your breach disclosure decisions in the midst of a breach. There are unique circumstances that need to be considered on a case-by-case basis; however, this shouldn’t preclude you from planning in advance. Some key questions here: What third party will you use to assist with breach notification preparation and communication? What will you disclose? When will you disclose it?
  3. Are you aware of your breach notification obligations? Work with your Chief Privacy Officer and Legal department to ensure you are up to speed on your disclosure requirements. Your team might need to work with outside counsel or consultants to stay up to date on the myriad state and global requirements. You also need to plan for the future: how might the European Union’s new data protection laws and their breach notification requirements impact you?
  4. How does your breach disclosure policy align with your organization’s value statements? Your organization likely has value statements posted on your company’s homepage. Are the values simply window dressing, or are they a part of your operational culture? Given the Science, Space, and Technology Committee’s findings, you have to wonder how seriously the FDIC took its integrity value: “We adhere to the highest ethical and professional standards.” If ethics are an organizational value, they must be included in your breach disclosure policies.
  5. Understand the implications of non-disclosure. When it comes to breach disclosure, the elephant in the room is that, in the absence of breach notification mandates (e.g. PCI, HIPAA), many organizations opt not to air their dirty laundry. If your organization opts not to disclose a breach, you must understand the potential financial and brand implications should the breach ever become public. Your executives and board of directors should be completely aware of the risks associated with non-disclosure. Consumer options are limited when it comes to federal agencies; the same isn’t true for commercial enterprises.