
The FDIC’s Story on Data Breach Response

The FDIC has been plagued with a number of data breaches recently, and a congressional report details the story and facts, along with the FDIC’s cooperation (or lack thereof), relating to two breaches caused by separating employees removing confidential information. The report is an interesting read and provides many examples of how not to report and respond to a breach.

The report details one story and includes FDIC comments, along with the findings from the governmental investigation.  In short:

The Story: On February 26, 2015, the FDIC notified Congress that a breach occurred on October 15, 2015 and that the FDIC learned of the breach on October 23, 2015. The notification stated that a separating employee, inadvertently and without malicious intent, copied sensitive FDIC information, which included customer data for over 10,000 individuals, to a portable storage device (thumb drive). The FDIC later, on March 18, 2016, updated the information to over 44,000 individuals.

The Facts:  The data included 71,069 individuals and entities (40,354 individuals and 30,715 banks and other entities), along with Suspicious Activity Reports, Bank Currency Transaction Reports, and Customer Data Reports.

The Story:  The former FDIC employee was simply trying to download family photos when the PII was transferred to the thumb drive.  FDIC’s Chief Information Officer stated the individual was not computer proficient.

The Facts: The former employee created two folders on the thumb drive, one for a small set of personal files and another solely for FDIC materials, with each of the FDIC files conveniently labeled with bank names or with the type of bank data in the files – demonstrating an understanding of computers, downloads, and storage. Mind you, the former employee also holds two master's degrees, including one in Information Technology Management.

The Story:  The former employee was non-adversarial and cooperative in recovering the portable storage device.

The Facts: At first, the former employee denied owning a thumb drive and stated she would never do such a thing. She later hired an attorney to negotiate the return of the thumb drive. The FDIC did not recover the thumb drive for nearly two months.

I recommend that those in IT security, and those who enjoy an almost fictional, non-fiction tale, take a look at the report.

   
