Cybersecurity

GOP committee chair blasts agency over scathing data security report

The chairman of the House Science, Space and Technology Committee blasted a federal agency with oversight of U.S. financial institutions after a watchdog investigation revealed “systemic issues” plaguing the agency’s handling and disclosure of data breaches. 

Committee Chairman Lamar Smith (R-Texas) is accusing leaders of the Federal Deposit Insurance Corporation (FDIC) of orchestrating a plan to “withhold information from Congress” after the inspector general found that the agency did not accurately report breaches to Congress or respond to document requests in 2016.

The FDIC, an independent agency that provides deposit insurance and supervises financial institutions for safety and consumer protection, has previously been cited for poor cybersecurity practices. The agency suffered over 50 security breaches in just two years, according to an inspector general report issued last October.

Eight of those incidents occurred between late 2015 and early 2016, and involved outgoing employees taking sensitive information, like Social Security numbers of bank customers and data belonging to financial institutions, without authorization.

The Science, Space and Technology Committee began investigating the agency’s response to those breaches in early 2016.

The latest inspector general report, published earlier this week, says that the FDIC failed to report the incidents to Congress within a seven-day time frame, as required by law. When the FDIC did report the incidents to Congress, the agency either did not sufficiently convey their severity or did not accurately characterize them, according to the inspector general.

The FDIC also did not completely respond to congressional document requests at the outset of the committee’s investigation, and was not clear in testimony about its “approach and progress” to these requests, the inspector general found.

“Our work revealed certain systemic weaknesses that hindered the FDIC’s ability to handle multiple information security incidents and breaches efficiently and effectively; contributed to untimely, inaccurate, and imprecise reporting of information to Congress; and led to document productions that did not fully comply with Congressional document requests,” the report says. 

“We also identified shortcomings in the performance of certain individuals in key leadership positions as they handled the incidents and related activities,” it says. The report names the agency’s former chief information officer, director of legislative affairs and the former deputy general counsel. 

Drawing on the report, Smith sent a letter Thursday asking the agency whether anyone had been held accountable for the failures, and to detail the actions taken against them. 

“At best, these actions exhibit ignorance of congressional authorities; at worst, they are willful obstruction of a congressional investigation,” Smith charged. 

The inspector general made 13 recommendations to address the agency’s data security practices. The FDIC concurred with all of the recommendations, the report says.

In his letter, Smith also requested an update on the implementation of the recommendations.

The FDIC declined to comment. 

This post was updated at 12:27 p.m.