[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                FDIC DATA BREACHES: CAN AMERICANS TRUST
                       THAT THEIR PRIVATE BANKING
                         INFORMATION IS SECURE?

=======================================================================

                                HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON OVERSIGHT

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              May 12, 2016

                               __________

                           Serial No. 114-77

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
 


       Available via the World Wide Web: http://science.house.gov

                                __________
                                
                     
                     U.S. GOVERNMENT PUBLISHING OFFICE
20-874PDF                     WASHINGTON : 2017                     
_____________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, [email protected].  
             
              
              
              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.,         ZOE LOFGREN, California
    Wisconsin                        DANIEL LIPINSKI, Illinois
DANA ROHRABACHER, California         DONNA F. EDWARDS, Maryland
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
MO BROOKS, Alabama                   ALAN GRAYSON, Florida
RANDY HULTGREN, Illinois             AMI BERA, California
BILL POSEY, Florida                  ELIZABETH H. ESTY, Connecticut
THOMAS MASSIE, Kentucky              MARC A. VEASEY, Texas
JIM BRIDENSTINE, Oklahoma            KATHERINE M. CLARK, Massachusetts
RANDY K. WEBER, Texas                DON S. BEYER, JR., Virginia
JOHN R. MOOLENAAR, Michigan          ED PERLMUTTER, Colorado
STEVE KNIGHT, California             PAUL TONKO, New York
BRIAN BABIN, Texas                   MARK TAKANO, California
BRUCE WESTERMAN, Arkansas            BILL FOSTER, Illinois
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
                                 ------                                

                       Subcommittee on Oversight

                 HON. BARRY LOUDERMILK, Georgia, Chair
F. JAMES SENSENBRENNER, JR.,         DON BEYER, Virginia
    Wisconsin                        ALAN GRAYSON, Florida
BILL POSEY, Florida                  ZOE LOFGREN, California
THOMAS MASSIE, Kentucky              EDDIE BERNICE JOHNSON, Texas
DARIN LaHOOD, Illinois
LAMAR S. SMITH, Texas
                            C O N T E N T S

                              May 12, 2016

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Barry Loudermilk, Chairman, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives......................     5
    Written Statement............................................     7

Statement submitted by Representative Donald S. Beyer, Jr., 
  Ranking Minority Member, Subcommittee on Oversight, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives................................................    13
    Written Statement............................................    15

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives................................................    17
    Written Statement............................................    19

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives.............................................    26
    Written Statement............................................    28

                               Witnesses:

Mr. Lawrence Gross, Jr., Chief Information Officer and Chief 
  Privacy Officer, FDIC
    Oral Statement...............................................    30
    Written Statement............................................    32

Mr. Fred W. Gibson, Acting Inspector General, FDIC
    Oral Statement...............................................    36
    Written Statement............................................    38
Discussion.......................................................    47

             Appendix I: Answers to Post-Hearing Questions

Mr. Lawrence Gross, Jr., Chief Information Officer and Chief 
  Privacy Officer, FDIC..........................................    70

Mr. Fred W. Gibson, Acting Inspector General, FDIC...............    72

            Appendix II: Additional Material for the Record

Documents submitted by Representative Darin LaHood, Subcommittee 
  on Oversight, Committee on Science, Space, and Technology, U.S. 
  House of Representatives.......................................    78

 
                   FDIC DATA BREACHES: CAN AMERICANS
                   TRUST THAT THEIR PRIVATE BANKING      
                       INFORMATION IS SECURE?

                              ----------                              


                         THURSDAY, MAY 12, 2016

                  House of Representatives,
                  Subcommittee on Oversight
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittee met, pursuant to call, at 10:04 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Barry 
Loudermilk [Chairman of the Subcommittee] presiding.

    Chairman Loudermilk. The Subcommittee on Oversight will 
come to order.
    Without objection, the Chair is authorized to declare a 
recess of the Subcommittee at any time.
    Welcome to today's hearing entitled ``FDIC Data Breaches: 
Can Americans Trust That Their Private Banking Information is 
Secure?''
    I recognize myself for five minutes for an opening 
statement.
    Good morning. We're here today to learn more about 
cybersecurity breaches at the Federal Deposit Insurance 
Corporation. As a former information systems technology company 
owner for over 20 years, I know firsthand the importance of 
safeguarding sensitive information and private customer data. 
Regrettably, the American people have good reason to question 
whether their private banking information is properly secured 
by the FDIC.
    The FDIC is an independent agency established by Congress, 
with the mission ``to maintain stability and public confidence 
in the nation's financial system.'' Unfortunately, the FDIC is 
failing to live up to its mission of maintaining public 
confidence in the Nation's financial system because the Agency 
is failing to safeguard private banking information for 
millions of Americans who rely on FDIC.
    During the Committee's current investigation, it has become 
clear that FDIC has a long history of cybersecurity incidents. 
According to information obtained by the Committee, in 2011, a 
foreign government hacked into the workstations of the former 
FDIC Chairman and other senior officials. It appears that this 
entity had access to senior officials' workstations for at 
least one year before the FDIC took remedial action.
    More recently, in letters dated February 26, 2016, and 
March 18, 2016, FDIC notified the Science Committee of two 
major security incidents. This notification to the Committee 
was required in accordance with the Federal Information 
Security Modernization Act of 2014, otherwise known as FISMA, 
and Office of Management and Budget guidelines that require 
executive branch departments and agencies to report major 
security incidents to Congress within seven days.
    The security breach reported in FDIC's February 26 letter 
to the Committee involved an FDIC employee who copied sensitive 
personally identifiable information, or PII, for over 10,000 
individuals onto a portable storage device prior to separating 
from employment at the FDIC. The employee also downloaded 
suspicious activity reports, bank currency transaction reports, 
customer data reports and a small subset of personal work and 
tax files. This security incident is particularly troublesome, 
given that the FDIC did not ultimately recover the portable 
storage device from the former employee until nearly two months 
after the device was removed from FDIC premises.
    Further, according to the information obtained by the 
Committee, the FDIC did not report the incident to Congress 
within the seven-day time period as required by FISMA. In fact, 
FDIC waited for over four months to report the incident to 
Congress and only did so after being prompted by the FDIC 
Office of Inspector General.
    Just as troubling, FDIC continues to maintain that the 
employee ``accidentally'' copied sensitive and proprietary 
information to a portable storage device, despite the fact that 
the employee initially told the agency that she ``would never 
do such a thing,'' and even denied ever owning a portable 
storage device. Ultimately, she retained legal counsel, who 
engaged in protracted negotiations with the agency for the 
return of the device.
    The second security breach, reported to the Committee on 
March 18, 2016, involved a disgruntled FDIC employee who 
obtained sensitive data for over 44,000 individuals prior to 
separating from employment at the agency. When the employee 
left the FDIC on February 26, 2016, the employee took the 
storage device from the premises. Upon learning of the incident 
three days later, FDIC personnel worked to recover the device. 
The device was ultimately recovered on March 1, 2016. According 
to the FDIC, this was just another case of an employee 
``accidentally'' leaving the agency with sensitive information.
    This week, FDIC retroactively reported five additional 
major breaches to the Committee. In one of those instances, an 
employee retired from FDIC and took three portable storage 
devices containing over 49,000 individuals' personal data. In 
total, over 160,000 individuals have recently been a victim of 
having their personal information leave the FDIC by 
``accident.'' To date, FDIC has failed to notify any of those 
individuals that their private information may have been 
compromised.
    According to the FDIC, none of the 160,000 individuals has 
anything to worry about because all of the FDIC employees who 
improperly walked out of the agency with sensitive information 
were required to sign affidavits stating the information was 
not disseminated. At best, this is a misleading statement 
because apparently all employees who are separating from the 
FDIC are generally required to sign an exit document attesting 
that they have not removed any FDIC materials from the 
premises. In the recent breaches reported to this Committee, 
all employees who improperly took the data should have already 
signed exit documents before ever leaving the agency.
    It is Congress's responsibility to shine a light on FDIC's 
history of cybersecurity breaches. The Committee will continue 
its oversight of FDIC failures to secure Americans' sensitive 
information from apparent foreign entities and disgruntled FDIC 
employees.
    I thank the witnesses for being here today and sincerely 
hope that we are able to get answers from the FDIC here this 
morning.
    [The prepared statement of Chairman Loudermilk follows:]
    
    Chairman Loudermilk. With that, I recognize the Ranking 
Member for his opening statement.
    Mr. Beyer. Thank you, Chairman Loudermilk, and I appreciate 
your extensive detailing of these breaches.
    Defending against cyber threats is a persistent and 
evolving battle, and the cyber hazards that confront the public 
and private sectors come in various forms. Hackers can and have 
wreaked havoc on Hollywood studios, global financial 
institutions, retail outlets, and public agencies alike, and no 
one seems immune from the various cyber threats that touch 
virtually everyone.
    Please forgive a certain amount of redundancy in my 
statement. It's important that we have both parties on record 
here.
    In the case of the Federal Deposit Insurance Corporation, they 
suffered from seven major cyber incidents in the past 7 months, 
and these breaches include plugging removable media such as a 
USB drive into an FDIC computer and removing thousands of 
sensitive financial and other records from the agency as 
employees walked out the door. We'll be focusing on two of 
these breaches today, as well as the FDIC's cybersecurity 
practices.
    I'm glad the FDIC has installed new software that allowed 
them to identify these recent breaches and respond to them. 
Without that technology, known as data loss prevention tool, 
these incidents, whether inadvertent or intentional, would have 
gone unnoticed and unaddressed, and we in Congress would have 
remained uninformed. And I believe the FDIC Chairman has taken 
some positive steps in the wake of these breaches, phasing out 
the use of removable media such as flash drives and CDs that 
pose increased security risks.
    However, I, along with our Chairman, do have questions 
about why there was such a long delay in notifying Congress 
about major cyber incidents, particularly the one that occurred 
last October and was not reported to Congress until February 
26, 2016. And in that instance, it took a memo from the FDIC 
Inspector General's Office to the FDIC CIO reminding the agency 
that they had an obligation to report the incident to Congress.
    I would add that the IG was not the only one suggesting the 
FDIC notify Congress of the incident. It's my understanding 
that other FDIC employees had also recommended reporting this 
to Congress earlier.
    In addition, I believe that the new OMB guidance on federal 
information security and privacy management requirements, as 
detailed in the OMB memo 16-03 last October, is very clear. If 
it takes 8 hours or more to recover sensitive data that 
comprises 10,000 or more records or affects 10,000 or more 
people, it is considered a major cyber incident.
    Under these guidelines, once an agency is aware that a 
breach meets that criteria, the incident should be considered a 
major breach and must be reported to Congress within 7 days. 
This did not happen in either of the two cases this hearing 
will focus on or the other five that the FDIC just reported to 
the Committee this week, and I'm still unclear why.
    In the October incident, the breach included records from 
eight banks, more than 40,000 individuals, and 30,000 entities, 
including the sensitive bank currency transaction reports and 
Social Security numbers. Despite the OMB requirement that 
agencies inform Congress of major incidents within 7 days, FDIC 
notified Congress nearly 3 months after it had enough data to 
determine that this was a major breach.
    I hope that Mr. Gross, the Chief Information Officer at 
FDIC, can help explain FDIC's decision to delay notifying 
Congress in that October incident, and I hope also that you'll 
be able to help us understand the agency's characterization of 
the incident, which appears to be at odds with some of the 
information obtained by the Committee. I know the Inspector 
General has looked at the October incident and the FDIC's 
response, so I look forward to Mr. Gibson's testimony as well.
    As a business owner, we have a very important 
responsibility to protect our customer data, which includes 
Social Security numbers, cell phones, emails, personal 
addresses, and we do all we can to protect them, especially 
when an employee leaves, because we know that this has value to 
the employee in a different role. And we're just a business. 
We're not the government controlling these really sensitive 
government records. So this is a very important issue.
    And, Mr. Gross, I understand you just arrived at the FDIC 
in November, and the CIO's office has suffered from a lack of 
consistent leadership. You're the fourth CIO in the last four 
years. I hope that you'll be able to bring some stability to 
this office, and equally important is I hope that you'll help 
us establish a solid foundation of reliability and openness 
with Congress and that you'll strive to do that as well.
    So thank you both for being with us today, and we look 
forward to the questioning.
    Mr. Chairman, I yield back.
    [The prepared statement of Mr. Beyer follows:]
    
    Chairman Loudermilk. Thank you, Mr. Beyer.
    I now recognize the Chairman of the Full Committee, the 
gentleman from Texas, Mr. Smith.
    Chairman Smith. Thank you, Mr. Chairman. And I appreciate 
both your comments and the Ranking Member's comments as well.
    The recent cybersecurity breaches experienced by the FDIC 
date back to October 2015 and compromise nearly 160,000 
individuals' sensitive information or personally identifiable 
information. The number of individuals whose information was 
compromised by the agency's poor cybersecurity posture could be 
much higher. The breaches reported to Congress represent only 
those that the agency itself called ``major.'' In reality, the 
FDIC likely has experienced additional breaches deemed 
insufficient by the agency to warrant reporting to Congress.
    On April 8, 2016, the Committee sent a letter to the FDIC 
about a February 2016 cyber breach. In that case, more than 
44,000 individuals' sensitive information was breached. Less 
than two weeks later, the Committee sent an additional letter 
to the FDIC concerning an earlier breach in October 2015, which 
compromised more than 10,000 individuals' sensitive 
information. The Committee sent the additional letter to the 
FDIC because the FDIC withheld reporting the breach to Congress 
for more than four months. In fact, the FDIC only reported the 
breach once the Office of Inspector General urged it to do so.
    The FDIC's attempts to shield information from Congress did 
not end with its hesitation to report the significant October 
breach. The Committee has encountered a pattern of obstruction 
from the FDIC when responding to Committee requests.
    In the FDIC's response to the Committee's letters, the 
agency initially produced documents extensively redacted for 
information the agency deemed to be confidential. These 
redactions included public information, such as the names of 
senior-level agency employees, whose identities were already 
known to the Committee.
    The FDIC failed to provide statutory authority or a valid 
privilege for redacting the information. Still, the agency 
resisted the Committee's request for unredacted documents until 
faced with the threat of the Committee's use of the compulsory 
process to obtain the information.
    Additionally, the Committee learned that the agency 
actively obstructed the Committee's ongoing investigation by 
limiting the scope of documents produced in response to the 
Committee's requests. The FDIC responded to the Committee's 
second letter and certified that it produced all responsive 
documents. However, subsequent discussions with the Office of 
Inspector General indicated that responsive documents were 
withheld by the agency.
    Upon learning of the agency's active obstruction, the 
Committee wrote to the Office of Inspector General to request 
these documents. If not for the Office of Inspector General's 
openness and transparency with the Committee, we would not have 
been aware of the Agency's attempts to avoid providing a full 
and complete response to the Committee.
    The FDIC's repeated efforts to conceal information from 
Congress are inexcusable. They raise significant questions 
about whether the Agency actively attempts to hide potentially 
incriminating information from Congress. As an agency that has 
faced repeated security breaches, it should focus its resources 
on reforming its internal cybersecurity mechanisms instead of 
engaging in efforts to conceal information from this Committee.
    The Committee will continue to investigate the shortfalls 
in the FDIC's cybersecurity posture and why the Agency 
continues to withhold certain information from Congress and 
this Committee. We also will hear what measures the Agency 
should take to remediate the damage to the tens of thousands of 
Americans whose information was compromised.
    So, Mr. Chairman, we have a lot to learn this morning and 
look forward to the testimony of our two witnesses, and I yield 
back.
    [The prepared statement of Chairman Smith follows:]
    
    Chairman Loudermilk. The gentleman yields back.
    I now recognize the Ranking Member of the Full Committee 
for a statement.
    Ms. Johnson. Thank you very much, Chairman Loudermilk, and 
thanks to you, our witnesses, for being here today.
    All data breaches that expose sensitive personal 
information should be taken very seriously. In today's digital 
age, our sensitive personal data is everywhere. When we swipe 
our credit cards at the grocery store, renew our driver's 
license at the Department of Motor Vehicles and passports at 
the Department of State, or visit the emergency room at the 
local hospital or the bank around the corner, our sensitive, 
personal, and financial data is processed, stored, and 
entrusted to those entities to safeguard it and ensure that it 
is not inadvertently breached or intentionally stolen.
    But that has happened seven times in the past 7 months in 
major cyber breaches at the Federal Deposit Insurance 
Corporation. None of these breaches were the result of 
sophisticated hackers, foreign adversaries, or cyber criminals. 
And those that downloaded this data, including Social Security 
numbers and suspicious activity reports, did not use high-tech 
digital tools. They simply plugged in their thumb drives and 
other removable media to their FDIC workstations in that office 
and downloaded sensitive, personal, and financial data onto 
their personal storage devices. These actions jeopardized the 
data security of thousands of individuals, multiple banks, and 
potentially criminal investigations.
    In virtually every--each of these seven instances the FDIC 
has said the sensitive data was inadvertently downloaded and 
that there was no malicious intent. In all of these cases the 
FDIC was able to recover the data, and the former FDIC 
employees signed affidavits saying they had not shared the data 
with others.
    However, in at least one case, according to FDIC's own 
records, a former employee who downloaded such data was evasive 
about her actions and not cooperative when initially confronted 
by FDIC staff. Some FDIC employees also suggest that it was 
highly improbable that this former employee's actions were 
accidental.
    In addition, this former employee is now working for a U.S. 
subsidiary of a non-U.S. financial services company, which 
raises additional concerns. I would remind FDIC that in 2013 an 
Inspector General review of another much more serious cyber 
accident at the agency resulted in one senior official in the 
CIO's office leaving the agency and another being demoted.
    My understanding is that this response by these former 
officials to both the Chairman of the FDIC and the IG's office 
and the Government Accountability Office lacked candor in both 
of their descriptions of the extent of this penetration and 
potential consequences to the agency.
    I hope the IG's office will be able to clarify whether or not 
all of the recent data breaches were inadvertent, as the FDIC 
has claimed, when his office completes the two audits they are 
currently working on regarding FDIC's handling of major 
cybersecurity incidents in the coming weeks. I also hope that 
the IG's office can shed some light on the reasons why the 
office of the Chief Information Officer and the FDIC failed to 
inform Congress of these major incidents within the 7-day time 
frame required by the guidance from the Office of Management 
and Budget issued in late October 2015.
    I believe that FDIC has already taken some positive steps 
in responding to the recent data breaches, phasing out the use 
of removable media, for instance. I encourage them to continue 
to ensure that sensitive data is not intentionally or 
inadvertently breached, but I would also request that the new 
CIO, Mr. Lawrence Gross, who is testifying with us today, to 
keep Congress appropriately and fully informed in a timely 
manner when major cybersecurity incidents do occur.
    I thank you, Mr. Chairman, and my time's expired. I yield 
back.
    [The prepared statement of Ms. Johnson follows:]
    
    Chairman Loudermilk. I thank the lady. She has yielded 
back.
    Now, let me introduce our witnesses for today. Our first 
witness is Mr. Fred Gibson, acting Inspector General of the 
Federal Deposit Insurance Corporation. Mr. Gibson has 
previously served with the Resolution Trust Corporation Office 
of Inspector General and as Principal Deputy Inspector General 
and counsel to the Inspector General.
    Mr. Gibson received his bachelor's degree in history from 
the University of Texas at Austin and his master's degree in 
Russian Area Studies from Georgetown University. He received 
his J.D. from the University of Texas Law School.
    Our second witness today is Mr. Lawrence Gross?
    Chairman Loudermilk. Gross. Mr. Lawrence Gross, Jr., Chief 
Information Officer and Chief Privacy Officer of the Federal 
Deposit Insurance Corporation. Mr. Gross previously served as 
the CIO for the U.S. Department of Agriculture, Farm Service 
Agency and the Deputy CIO at the Department of the Interior.
    Mr. Gross received his bachelor's degree in information 
systems management from the University of Maryland, University 
College, and he received his CIO certification from the 
National Defense University.
    I now recognize Mr. Gibson for five minutes to present his 
testimony.

                TESTIMONY OF MR. FRED W. GIBSON,

                 ACTING INSPECTOR GENERAL, FDIC

    Mr. Gibson. Thank you, sir.
    Chairman Smith, Ranking Member Johnson, Chairman 
Loudermilk, Ranking Member Beyer, and Members of the 
Subcommittee, my name is Fred Gibson, and I'm the acting 
Inspector General of the Federal Deposit Insurance Corporation. 
Thank you for the invitation to speak with the Subcommittee 
today regarding recent cybersecurity incidents at the Federal 
Deposit Insurance Corporation.
    The Federal Government has seen a marked increase in the 
number of information security incidents affecting the 
integrity, confidentiality, and availability of government 
information, systems, and services. The charter for this 
hearing is to address two specific security interests and 
concerns that this Committee has regarding the FDIC's 
cybersecurity posture.
    The FDIC's Office of Inspector General carries out two 
primary functions. The first is to audit and evaluate the 
FDIC's programs and operations, including controls designed to 
safeguard the Corporation's data and address and report 
breaches when they occur. The second function is to investigate 
suspected criminal activity, including breach incidents where 
case-specific facts lead us to believe that a crime may have 
occurred.
    With respect to our first role, we are currently conducting 
two audits pertinent to the Committee's concerns that we 
anticipate will be completed in the near future. The first 
examines the FDIC's process for identifying and reporting major 
security incidents, as required by applicable federal law and 
related guidance. The second audit addresses the FDIC's 
controls for mitigating the risk of an unauthorized release of 
sensitive information submitted by systemically important 
financial institutions.
    As you are aware, on February 19, 2016, during the planning 
phase of the first of these audits, we issued a memorandum to 
the FDIC's Chief Information Officer regarding a specific 
security incident which we believe warranted Congressional 
reporting. In the memorandum the OIG concluded that the 
Corporation was required under the Federal Information Security 
Modernization Act of 2014 and related guidance issued by the 
Office of Management and Budget--and that's OMB Memorandum 16-
03--to report the security breach as a major incident to the 
appropriate Congressional committees. Ultimately, the FDIC 
reported the major incident to this Committee, which led 
ultimately to our testimony today.
    With respect to our criminal investigative function, the 
FDIC OIG participates as a non-voting member on the FDIC's Data 
Breach Management Team, or DBMT, for situational awareness 
purposes. The DBMT, as its name implies, reviews data breach 
incidents. Where the facts of a particular incident, which we 
learn through our participation in the DBMT or from other 
sources, appear to point to a crime having been committed, we 
open an investigation. If the results of our investigation 
warrant, we make referrals to the Department of Justice. I can 
confirm the existence of one criminal investigation arising out 
of the incidents that formed the basis for today's hearing. 
However, that case is open. It's in a pre-indictment phase, 
which limits my ability to discuss it directly.
    Nevertheless, I hope to be able to provide you with the 
information that you need to conduct your oversight activities 
with regard to these issues, and I look forward to answering 
the questions that the Committee has. Thank you very much.
    [The prepared statement of Mr. Gibson follows:]
    
    Chairman Loudermilk. I now recognize Mr. Gross for his 
opening statement.

             TESTIMONY OF MR. LAWRENCE GROSS, JR.,

                   CHIEF INFORMATION OFFICER

                AND CHIEF PRIVACY OFFICER, FDIC

    Mr. Gross. Chairman Loudermilk, Ranking Member Beyer, and 
Members of the Subcommittee, thank you for the opportunity to 
appear before you today.
    At the FDIC, protecting sensitive information is critical 
to our mission of maintaining stability and public confidence 
in the Nation's financial system, and we are continually 
enhancing our information security program.
    My name is Lawrence Gross, and I am FDIC's Chief 
Information Officer and Chief Privacy Officer. I assumed my 
duties at the FDIC in November of 2015, and I have more than 39 
years of combined military and federal sector experience in the 
information technology, law enforcement, cybersecurity, and 
critical infrastructure fields. My testimony today will focus 
on our program to identify, analyze, report, and remediate 
incidents based on the risk of harm they pose.
    The FDIC has a strong information security program to 
identify events that could signal a data security incident, 
including mandatory annual training for all employees and 
contractors to ensure that they will be alert to inadequate 
protection of sensitive information and know when and how to 
notify our Computer Security Incident Response Team.
    We also have automated monitoring tools, including the data 
loss prevention tool, which scans for sensitive information in 
outgoing emails, uploads to Web sites, and any data downloaded 
to portable media from FDIC systems. Our goal is to assess and 
continually improve our situational awareness so that we can 
reduce and ultimately eliminate the risk of harm to individuals 
and entities.
    The FDIC has a security incident response and escalation 
plan to ensure the systemic gathering and analyzing of facts 
relevant to an event to determine the risk of harm and the 
taking of appropriate action. We then take steps to mitigate 
the risk of harm and complete the appropriate reporting and 
notifications based on the risk of harm.
    With the passage of FISMA in late 2014 and the subsequent 
issuance in October of OMB guidance on what constitutes a major 
incident, we have further refined our incident reporting 
regime. Notably, the new law and OMB's guidance have been 
applied to incidents over the past 6 months where FDIC 
employees departed employment and were identified by our 
monitoring tools as having downloaded personally identifiable 
information or other FDIC-sensitive information on portable 
media not long before their departure.
    It was my initial judgment, based on several factors, that 
these incidents did not rise to the level of major incident as 
defined in the OMB guidance. In each case, the employee had 
legitimate access to the sensitive data in question while at 
the FDIC. Further, our analysis indicated the downloading of 
the PII was inadvertent. The FDIC recovered the data from the 
former employees, and there was no evidence that the former 
employee had disseminated the data. And all the former 
employees signed affidavits affirming they had not 
disseminated the data beyond themselves.
    Lastly, in each case, the circumstances surrounding the 
employees' departure were non-adversarial. Under these 
circumstances, I judged the risk of harm to be very low, 
meaning that the reporting of these incidents would fall under 
the annual FISMA-notification-to-Congress requirement.
    However, our Office of Inspector General reviewed one of 
these incidents and came to a different conclusion. Although 
our interpretations are different, we nevertheless gave such 
notification to Congress within seven days, and I further 
directed my staff to go back through all incidents that had 
occurred since issuance of the OMB guidance, regardless if they 
were closed, to identify any incidents that had characteristics 
we thought would meet the OIG's interpretation of major 
incident. FDIC has now reported those as well to Congress.
    Finally, let me touch on changes we have made or are making 
to lower the risk of future incidents. We've implemented a plan 
to eliminate the ability of employees and contractors to 
download to portable media. We're implementing digital rights 
management software that prevents copying of information. 
Further, I've directed my staff to begin immediately a top-to-
bottom review of IT policies and procedures with the focus on 
those for departing employees to ensure that everyone 
understands FDIC policy regarding downloading of data. Also, I 
will be engaging an independent third party to conduct an end-
to-end assessment of all the key areas of the IT security and 
privacy programs.
    The global interconnected landscape continues to evolve, 
and the threats continue to develop. The FDIC takes very 
seriously cybersecurity incident management and transparency as 
it relates to our reporting requirements and remains committed 
to maintaining a robust IT security program that ensures a 
real-time current view of our situational awareness.
    Thank you again for the opportunity to testify, and I would 
be happy to answer any of your questions.
    [The prepared statement of Mr. Gross follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Loudermilk. I thank the witnesses for their 
testimony.
    And just before we begin our questions, for the witnesses 
and the Members of the Committee, it is the Chair's intention 
to be somewhat lenient with the clock because it is important 
that we do get these questions answered and as many rounds of 
questioning as we need. The Chair is ready to extend this 
hearing as long as we need to make sure that all the questions 
are adequately answered.
    And also to our witnesses, we ask that you be very 
truthful, as well as comprehensive, but also we have had 
incidents of filibustering answers. And again, the Chair will 
maintain the Subcommittee going as long as we need to, to make 
sure. So we ask that you be as accurate and as brief with your 
answer.
    I now recognize myself for five minutes for questioning.
    Mr. Gross, this Committee wrote the FDIC requesting 
documents and communications referring or relating to the 
security breaches we discussed here today. Are you aware of 
those letters?
    Mr. Gross. I am.
    Chairman Loudermilk. The FDIC has certified that all 
responsive documents pursuant to this Committee's request had 
been produced. Is that your understanding as of today?
    Mr. Gross. I believe the office has been responsive to your 
inquiries, sir, yes.
    Chairman Loudermilk. Mr. Gross, did anyone in your office, 
to your knowledge, voice any concern regarding the manner, 
scope, or have any other concerns about the FDIC's response to 
this Committee's request?
    Mr. Gross. No one in my office had any concern with being 
responsive----
    Chairman Loudermilk. No one expressed any concerns about 
the documents you were providing?
    Mr. Gross. No one in my office expressed any concerns, sir.
    Chairman Loudermilk. What about other offices, anyone in 
the FDIC express concerns about the comprehensiveness of the 
investigation or the documents you're providing?
    Mr. Gross. I'm not aware of anyone expressing any concerns.
    Chairman Loudermilk. No one in the FDIC. Mr. Gross, are you 
aware of any internal FDIC documents responsive to the 
Committee's request that were not produced to this Committee?
    Mr. Gross. I'm not aware of any that have not been 
provided, sir.
    Chairman Loudermilk. Mr. Gibson, to your knowledge, were 
all responsive documents produced to this Committee?
    Mr. Gibson. Sir, was that direction--was that question----
    Chairman Loudermilk. I'm sorry. Yes, I'm sorry. Mr. Gibson, 
that was directed to you. I was looking at Mr. Gross. Sorry.
    Mr. Gibson, to your knowledge, were all responsive 
documents produced to this Committee?
    Mr. Gibson. Sir, we haven't reviewed the FDIC's production 
of documents to the Committee. We received a request from the 
Committee for FDIC documents that were in our possession, and 
we provided the documents that we collected in the context of 
our audit.
    Chairman Loudermilk. Okay. So, Mr. Gross, just to summarize 
and make sure we understand, to your knowledge, you provided 
all the documents that were responsive to the Committee's 
request?
    Mr. Gross. To my knowledge, sir, we were responsive to the 
request. If there's a request for additional information, I'll 
stand ready to provide that.
    Chairman Loudermilk. Okay. Thank you.
    Mr. Gross, what I have here is the stack of documents that 
the FDIC provided to the Committee in response to our inquiry. 
This stack of documents, however--I may need a forklift. This 
stack of documents was provided to the Committee by the 
Inspector General's Office. Why were these documents not 
provided to the Committee by the FDIC?
    Mr. Gross. I had an opportunity to review the material 
provided by the IG, and in reviewing that material, a lot of it 
is duplicative, so the material that you received from us with 
the incident response forms that are in there, it includes 
information that has been duplicated in the IG's response. The 
incident response forms provide a summary of the incident, and 
it's--it may in fact provide a more comprehensive review of 
each of the incidents more so than what's in the documents.
    I did note that there were several copies of what we call 
our Data Breach Management Guide that was included in the 
material provided by the Inspector General, and there were 
multiple copies of that. That document is still currently being 
developed and in review.
    Chairman Loudermilk. So let me make sure I understand what 
your statement here is today, that everything that you provided 
is also covered in the IG's? There's no more information in 
what the IG provided to us than what is covered in this stack 
of documents here?
    Mr. Gross. I can----
    Chairman Loudermilk. Is that what you're telling me?
    Mr. Gross. I cannot make that as an affirmative statement, 
sir. I had a brief opportunity to review the IG's material 
yesterday----
    Chairman Loudermilk. Okay.
    Mr. Gross. --so I cannot say that it's a one-to-one 
correlation.
    Chairman Loudermilk. Well, you were saying it was 
duplicative----
    Mr. Gross. I said----
    Chairman Loudermilk. --but----
    Mr. Gross. --quite a bit of the material that was in there 
was duplicative. There were multiple copies, for example, of the 
Data Breach Management Guide. There are multiple copies of that 
guide provided in their response to you.
    Chairman Loudermilk. Okay. There are many emails that were 
provided to us by the IG that were not included in your 
documents. Those are not duplicative.
    Mr. Gross. I cannot speak to that without looking at the 
exact emails, but what we have in the incident response summary 
might be--well, I would think it's an encapsulation of what may 
be contained in emails that were transmitted between different 
entities that participated on the DBMT.
    Chairman Loudermilk. Okay. Okay. But you did say that you 
had reviewed the materials----
    Mr. Gross. I did----
    Chairman Loudermilk. --provided----
    Mr. Gross. I did a cursory review.
    Chairman Loudermilk. A cursory review----
    Mr. Gross. Yes.
    Chairman Loudermilk. --but you have not looked at them. 
When were these--Mr. Gibson, when were these documents 
provided?
    Mr. Gibson. Sir, I believe they were provided at ten 
o'clock yesterday morning.
    Chairman Loudermilk. Okay. Has Mr. Gross received copies of 
these documents?
    Mr. Gibson. Yes, sir. We provided a copy of our--I don't 
know if Mr. Gross personally has. We provided a copy of our 
production to the Congress to the FDIC so they would be aware 
of what we did.
    Chairman Loudermilk. And when was that provided?
    Mr. Gibson. At the same time we provided it to the 
Committee.
    Chairman Loudermilk. So ten o'clock yesterday morning?
    Mr. Gibson. Yes, sir, about ten o'clock.
    Chairman Loudermilk. Okay. Allow me to clear my desk for a 
moment here. Okay.
    So, Mr. Gross, you still stand by that--your previous 
testimony that you did provide this Committee all the documents 
that we requested?
    Mr. Gross. That wasn't my statement, sir. I said I believe 
we were responsive to your request. If there are additional 
documents that you think are necessary or required, I stand 
ready to deliver that.
    Chairman Loudermilk. Okay. So you're acknowledging that 
there may not be some documents that we requested that the 
FDIC----
    Mr. Gross. I believe----
    Chairman Loudermilk. --failed to provide us?
    Mr. Gross. I believe our response to you was responsive. If 
there's other material or additional material that you deem 
that's warranted, I stand ready to provide that.
    Chairman Loudermilk. So you will provide every document 
that we request?
    Mr. Gross. If there's a request for additional information, 
we stand ready to provide that.
    Chairman Loudermilk. Okay. Well, we requested the 
information the IG has actually provided as well. We're just 
asking for it to be comprehensive and all-inclusive.
    And so who's responsible for providing the documents in 
response to the Committee's request?
    Mr. Gross. When your letter came in and when the letter 
came in for the information, that's sent to each of the offices 
that may have relevant information. Each of those offices then 
provide that information. It's a--there's a coordination effort 
that's done by our Office of Legal Affairs, and then it's put 
together as a comprehensive package for submission.
    Chairman Loudermilk. Were any directions--to your 
knowledge, were any directions given to withhold or not provide 
certain documents to this Committee?
    Mr. Gross. No, sir.
    Chairman Loudermilk. To your knowledge, was anyone in your 
office or the legal division directed to limit the response to 
the Committee's request?
    Mr. Gross. I'm not aware of anyone making such a statement 
or providing any such direction.
    Chairman Loudermilk. I do have other questions, but I have 
run over the clock. I was a little more lenient with myself 
than I intended to be. I do have more questions. The Chair's 
intention is to do a second round of questioning.
    And so at this time I recognize the Ranking Member, Mr. 
Beyer.
    Mr. Beyer. Thank you, Mr. Chairman. And thanks again to the 
witnesses.
    Mr. Gross, are you aware--to follow up on Chairman 
Loudermilk's questions--of any documents requested by the 
Committee that you have not submitted yet?
    Mr. Gross. No, sir, I'm not aware of any.
    Mr. Beyer. So at this point if anything's missing, you'd be 
happy to provide it?
    Mr. Gross. Yes, sir, I will.
    Mr. Beyer. And I hope--are you willing to have your--you 
and your staff carefully go through Mr. Gibson's documents to 
make sure that anything he provided that you didn't that you 
affirm its value or its legitimacy? I'm trying to get--you 
pointed out that one reason the stack of documents are so 
different was there's many duplications, things provided again 
and again in Mr. Gibson's documents. I think what the Chairman 
is concerned about is, is there anything Mr. Gibson provided 
that you didn't?
    Mr. Gross. I understand. I can go through the material and 
review that and provide you any additional information that you 
may need or want. I haven't had a full opportunity to review 
the material, as he's indicated. I received it at 10 o'clock 
yesterday.
    Mr. Beyer. So we're 24 hours away. So--but you're willing 
to do the reconciliation?
    Mr. Gross. Yes, sir, I am.
    Mr. Beyer. Great. Great.
    The employee in the October breach reportedly left the FDIC 
on good terms. She was seeking new employment at the time, and 
she currently works for a foreign financial firm. Furthermore, 
she initially denied that she had downloaded the information. 
She resisted turning over the device to the FDIC, and we 
understand she was having personal problems at home, she was 
going through a divorce, she was living in a hotel room. All 
these factors highlight increased security risks, not 
mitigating factors, especially as outlined by the FBI and the 
U.S. counterintelligence community, as this brochure ``The 
Insider Threat'' details.
    Were these facts known by the Data Breach Management Team 
when the incident was being analyzed for risk of harm?
    Mr. Gross. All the circumstances surrounding the incident 
were known by the Data Breach Management Team. I'd like to even 
go back further and state that we--personally, I make a 
concerted effort to be very transparent in all the activities 
that we have within the security realm. This incident, when it 
occurred, it actually occurred prior to the promulgation of the 
OMB guidance, so it was in fact reported in 2015 in our annual 
FISMA report.
    It was my encouragement to the staff that we knew that the 
policy had come out as we were reviewing this incident, and I 
asked that they apply the standard of the policy to the 
incident. So we fully understood the circumstances surrounding 
it, yes, and we applied the standard to the incident to ensure 
that we were being responsive. But it had already been reported 
as part of our FISMA submission.
    Mr. Beyer. Okay. So let me break these up. On the one hand, 
you're arguing that the 7-day didn't apply because the OMB 
guidance didn't come out until January, but the greater concern 
is whether it was low risk, moderate risk, or high risk. And we 
know that this person had gone to work for a foreign bank, had 
initially denied downloading, refused to turn over the drive, 
and was going through a lot of personal problems. Don't all 
those elevate the sense of risk that your--the breach team 
would consider and that you would consider as CIO?
    Mr. Gross. I considered all the factors associated with the 
incident. We weighed all the factors. But I would say even if 
an individual leaves their employment with the Federal 
Government, we leave with not only potentially material that on 
removable media, we leave with corporate knowledge. And we 
still trust that the individuals leaving federal service are 
going to protect not only that digital media that they may 
take, but the corporate information they may take in their 
head. So that had to be weighed as to what risk of harm did the 
information that this individual inadvertently download pose.
    And yes, we considered what type of employment she may have 
been seeking outside the organization and other factors, and we 
deemed that the incident was in fact low.
    Mr. Beyer. In your testimony on page 4 you talk about that 
your initial judgment in all these incidents didn't rise to the 
level of the major incident as defined by OMB guidelines. But 
the OMB guidelines talked about 8 hours to restore the data, 
more than 10,000 records affected. Weren't more than 10,000 
records affected in virtually every one of these cases?
    Mr. Gross. Yes, sir, they were. Several of these incidents 
just barely met the threshold that we just retroactively 
reported.
    I think the larger issue is not only does the policy say 
that there's time-specific parameters for reporting, but it 
also says in the very end of the document that it's left to the 
discretion of the agency to determine if in fact the agency has 
sufficient information to determine if the incident rises to 
the level of a major. That was considered as part of the review 
of the policy and the incident.
    Mr. Beyer. I don't want to harp on this too much, but 
you'll forgive us if there's a certain amount of skepticism of 
seven different people downloading information just as they're 
leaving that affects more than 10,000 records, and none of them 
seem to rise to the level of major incident.
    Mr. Gross. Well, it's--in--from my perspective it's not a 
question of whether or not we're going to report. The agency 
has no relief in reporting. The issue that we were looking at 
was what was the time frame that the reporting was required. If 
there's a 7-day notification or a 30-day notification or if 
it's included in the annual FISMA report, you'll find that the 
FDIC is very responsive. And if you review our FISMA report, 
you will find that we report all incidents. There are no 
incidents not reported.
    Mr. Beyer. One more question right on this part of it. You 
said that in each of these cases the downloading was 
inadvertent.
    Mr. Gross. Yes, sir.
    Mr. Beyer. Once again, I have a hard time understanding how 
you could inadvertently download 10,000 customer records or 
bank records.
    Mr. Gross. The individuals involved in these incidents were 
not computer proficient. We have policies in place that will 
allow the FDIC IT staff to assist you when you're departing the 
organization to copy down things that you may have collected 
over your long tenure with the agency, specifically, 
photographs or your personal resume.
    The fact that they were not computer proficient, if you go 
in and you don't copy the material and do it as a targeted 
copying of that information, you could in fact inadvertently 
copy the entire hard drive. So if you insert and you do the 
copy and not being proficient in the technology, you may take 
more data than what you intended.
    Mr. Beyer. I would certainly hope as you--you talked about 
the many steps going forward. I think a major step going 
forward would be to make sure that all that personal 
information isn't on their computers and that there isn't a way 
to download an entire--I just--I'm glad you're making progress 
because all of this sort of boggles the mind that somebody 
could go in and download an entire disc or all the information 
that the FDIC has on record about companies and individuals.
    Mr. Gross. Well, sir, I arrived at FDIC in November. As you 
see from my resume, I've been in federal service to this 
country for 39--actually, it'll be 40 years in July. I'm an IT 
professional, and there were several areas that I focused on 
immediately upon arriving, one of which was removable mobile 
media, as well as the elimination of the need for being able to 
do that as a common business practice.
    Mr. Beyer. Great. Great. Well, thank you very much, Mr. 
Gross. Mr. Chairman, I yield back.
    Chairman Loudermilk. Thank you, Mr. Beyer.
    Being 30 years in the IT world, I find it very 
disheartening that you give someone who is not computer 
proficient access to such sensitive data. Maybe someone will 
address that.
    I now recognize Mr. Posey, the gentleman from Florida.
    Mr. Posey. Thank you very much, Mr. Chairman.
    Mr. Gross, you and I are just viewing this incident from 
completely different perspectives. You make it sound like this 
is a very friendly termination from an employee, she 
accidentally took personal information about 160,000 or more 
citizens, and then gladly gave it back, just for one example. 
And the staff kind of tells me it didn't really work out that 
way all the time, that there was some defiance there, some 
refusal.
    You mentioned there was no evidence that she kept any of 
the information. Actually, there's no evidence that she didn't 
keep the information. One went to work for a foreign financial 
institution that could benefit greatly from mining that kind of 
data, we know that.
    And, you know, I'm amused by the term--the whole issue. We 
call it a data breach. You know, where I'm from we'd call it a 
theft. If you take something that's not yours, that's called a 
theft. We don't call it a data breach back home. Maybe just 
because we're talking about electronic records, we're no longer 
going to call it a theft, we're going to call it a data breach. 
But the fact is tens of thousands of American citizens are 
compromised because of this.
    And my question for you, Mr. Gibson, in your testimony you 
stated that ``If the threshold for criminal investigation is 
not met, the responsibility lies with the FDIC to pursue the 
civil and administrative remedies.'' Could you expound upon 
what these remedies could potentially be? Surely there will be 
clear punitive measures for the perpetrators of such a breach. 
Are there--any of these former employees currently on 
administrative leave, getting a full paycheck, receiving a 
pension like the IRS people were? There needs to be 
consequences for these actions.
    Mr. Gibson. Sir, as a former employee, they're not on 
payroll, and I do not believe that any of these individuals 
have retired or are receiving pensions, but I don't know for 
sure. I believe that they all left for other employment 
opportunities in other places.
    With respect to the FDIC's remedies, both administratively 
and civilly, the FDIC can pursue the return of information. The 
FDIC could take actions to enjoin an individual from using, 
disseminating, taking any action with respect to that 
information. The FDIC could undertake administrative actions 
within the FDIC in order to tighten up its security protocols 
or other situations. There's a number of things they can do in 
the absence of criminal activity, and that's what I'm really 
referring to.
    Mr. Posey. Okay. But just on a practical basis, you know, 
somebody walks into a retail store without the owner's 
permission and steals 160,000 items, the store owner comes back 
and figures out somebody stole this, went to them, they say, 
oh, okay, well, I'll give you back these particular items is 
all I'm going to admit that I accidentally took from your 
store. That doesn't eliminate the fact that there was a theft 
from the store just because they gave back at least some of the 
items that they illegally took. Do you see any similarity to 
the example I'm drawing and what happened here?
    Mr. Gibson. Well, sir, I understand the example that you're 
using, and I would agree in that particular situation. I mean, 
the fact that somebody robs a bank and gives the money back 
doesn't mean that they didn't rob the bank. That's absolutely 
right.
    For us to pursue a criminal case, however, one of the 
things that we're going to have to be able to establish in 
connection with our case is specific intent on that person's 
part. If the material was removed inadvertently, which is the 
FDIC's conclusion with respect to that, we have a bar right up 
front to being able to pursue a criminal case in the face of 
that determination. I'm not saying that we can't, but we're 
going to need some facts that get us over that and allow us to 
be able to pursue that sort of a case.
    Mr. Posey. Have you exhausted the questioning of the people 
involved? Have they voluntarily come forth? Do you need to 
depose them? Are you in a position to--you could depose them 
and ask the kind of questions you'd like to see answers to and 
I'd like to see answers to?
    Mr. Gibson. Sir, we--when we conduct a criminal 
investigation, we do so when we have probable cause to believe 
that there's been a crime that's been committed. Prior to that 
time, we conduct something called an inquiry. And the methods 
that we use in conducting that are somewhat less intrusive than 
the methods that we would use to conduct an investigation.
    When information comes to us where we are able to open an 
investigation, we do. And in one of these cases, we have. If 
additional information were to come forward to us that would 
enable us to open a case, we certainly would be asking those 
questions. We try and develop it as best we can, and that's the 
way in which we're pursuing it.
    Mr. Posey. Thank you for your frank answers. I see my time 
is up. I thank you, Mr. Chairman.
    Chairman Loudermilk. The Chair recognizes the gentlewoman 
from California, Ms. Lofgren.
    Ms. Lofgren. Thank you, Mr. Chairman.
    I understand from your testimony that in some instances the 
Data Breach Management Team recommends that individuals or 
financial institutions be notified of the breach of personally 
identifiable information and then credit monitoring can be 
offered and that that has not been done in this case or in the 
five other major breaches. Mr. Gross, can you explain why that 
hasn't happened, what was the thinking here, and are 
individuals adequately protected without this credit monitoring 
opportunity?
    Mr. Gross. We evaluated each of the cases and determined 
because there was low risk of harm that there were no 
individuals that were affected or impacted adversely as a 
result of the downloading of the information. So as a result of 
the lack of impact to the individuals, it was deemed that 
credit monitoring was not warranted.
    We have in other cases where the information has been taken 
and we know it was a known adversary or someone with adverse 
intent where they may break in an employee's car and steal 
records, we know that that individual had ill intent by 
breaking in the car. That information, regardless of the number 
of records that may have been exposed, in those cases we would 
have offered credit monitoring, as we've done in the past.
    Ms. Lofgren. But we don't have digital rights management on 
these files at this point, do we?
    Mr. Gross. We don't have digital rights management deployed 
across the FDIC at this moment. It is one of the 60-day 
response activities that I've laid out for the IG.
    Ms. Lofgren. So we don't know for sure whether this 
information that was taken was not in fact further copied 
because there was no DRM to prevent it?
    Mr. Gross. Well, we have the signed affidavit from the 
employees a----
    Ms. Lofgren. Right.
    Mr. Gross. --and each of these employees----
    Ms. Lofgren. Well, technologically, we have no assurance of 
that?
    Mr. Gross. Technologically, no, ma'am.
    Ms. Lofgren. I'm interested in the DRM response that you're 
recommending. I'm interested in what is the timeline. And also, 
did you--what process was used to determine what DRM response 
would be--did you do an RFP, was it sole-source, did you do 
market research? How did you select which DRM solution and 
what's the timeline for implementation?
    Mr. Gross. I'm working very aggressively to implement it. 
This is something that we're just beginning to pursue. I don't 
have the specifics for you at this moment. I could come back to 
you with a more detailed plan.
    Ms. Lofgren. Oh, so you haven't actually begun that?
    Mr. Gross. We have begun the process of identifying the 
technology from the standpoint that we think that the right 
tool for protecting the data is DRM. What solution set and the 
timeline for implementing it, we have not identified that as 
yet. We've looked at two technologies. We didn't put that in 
the report. We didn't want to advocate for any specific vendor, 
but we are looking at two right now as the potential tools that 
we would employ.
    Ms. Lofgren. Well, I'm interested in whether you might 
conduct a pilot with different offerings. I mean, this is an 
important decision for the agency.
    Mr. Gross. Absolutely, it is. And one of the things that we 
have to look at is we want to make sure that we don't break the 
business, that means we have to do this focused on the data 
that is the most sensitive and work our way out. So yes, we are 
not going to do this as a wholesale change across the 
organization because it's--not only do we have to evaluate if 
there's any internal impact, we have to evaluate is this going 
to create an impact with the businesses that we have to work 
with in the conduct of the mission.
    Ms. Lofgren. Just a final note, I was interested in your 
comment that employees that are leaving are permitted to 
download their personal information on their computer. And my 
suggestion would be there shouldn't be any personal information 
on the government computer.
    You know, people do dumb things. I--we once had a young 
person who downloaded BearShare who migrated all kinds of 
sensitive information unwittingly. You should create 
technological barriers to doing that, and if someone manages to 
subvert that, they should lose their personal information.
    I'm just sort of interested in what technological methods 
have you deployed to prevent the migration of potentially 
harmful data from outside of your system.
    Mr. Gross. Ma'am, I arrived at FDIC in November, and I 
can assure you that there are several things that we've already 
begun to implement, but there are several other things that 
we'll be looking at implementing going forward.
    One of the messages to my staff is that security is not 
something that we bolt on after the fact. It's something that 
we include as part of the process from implementation moving 
toward. So I've identified a number of things in the 60-day 
plan, but I can assure you that those are immediate actions 
that we need to take because of these incidents that we've 
seen, but there are others that I'm fully looking to employ 
based on the years of experience knowing that it's about 
protecting the data and that we do have individuals that may do 
things mistakenly and we have to manage that. But we also have 
to manage for external adversarial threats as well. So I can 
assure you this is just the beginning of some of the things 
that we'll be implementing.
    Ms. Lofgren. I see my time is expired, Mr. Chair.
    Chairman Loudermilk. The Chair recognizes the gentleman 
from Illinois, Mr. LaHood.
    Mr. LaHood. Thank you, Mr. Chairman. And I want to thank 
the witnesses for being here today.
    I would just say at the outset, it is troubling to me to 
hear your response to Mr. Beyer's questions, almost a 
dismissive nature of these breaches and kind of the nonchalant 
answers that you've given, particularly with the backdrop of 
cyber attacks on this country.
    We hear every week in this Committee about the 
cybersecurity and how, at the highest levels of our government 
and in the private sector, computers are compromised every 
single day. And you look at--whether it's Chinese entities or 
Russian mob or domestic enterprises in the United States, I 
don't think anybody has any confidence that we have this under 
control. And it leads to a lot of uncertainty about how we 
tackle this issue.
    And so when I hear about an agency, the FDIC, and the 
information that you control, it's concerning to me that you 
don't highlight this as an important breach and further 
investigation to find out what's at stake here. That's really 
concerning to me to hear that today.
    Let me ask some specific questions here. Mr. Gross, in your 
opening statement you state that the downloading of the 
personal identifiable information in all the breaches FDIC 
reported to Congress was ``inadvertent'' and ``non-
adversarial.'' Is that accurate?
    Mr. Gross. That's correct, sir.
    Mr. LaHood. I want to direct your attention to Exhibit one, 
which is a document sent by the FDIC legal department to one of 
the former FDIC employees who left the agency with unauthorized 
materials on a portable storage device. According to this 
document, which is dated December 2, 2015, when asked about her 
actions, she said ``she would never do such a thing.'' And that 
it would be against FDIC policy and that she knows the policy. 
When asked if she owns an external hard drive, she said she did 
not know what an external hard drive is. And she stated that 
``in any event, she does not own such a device.''
    Now, Mr. Gross, do you stand by your statement that this 
person is non-adversarial?
    Mr. Gross. Sir, if I could, one, I'd like to draw the scale 
because in your opening comment you mentioned the difference 
between the current incidents and if we had a third-party bad 
actor in our system. And I don't want to be dismissive. Any 
loss of information, regardless of how that information is 
lost, is significant. It's important, and we need to pay 
attention to it.
    I think what we have to do is to draw to scale, though, the 
different incidents that we have. If there was a third-party 
actor in my system today, the way the policy is currently 
constructed, unless that third-party has taken an amount of 
records, it may not meet the criteria of a major, but I can 
assure you, if there was a bad actor in our system today, it 
would be reported as a major, especially if I know that they're 
adversarial in nature and they intend to do harm to the 
organization or the agency. I could care less if they were 
reading the menu for the FDIC. If it's a bad actor and they're 
in our system today, it is reported, and it falls into the 
major category.
    These incidents where we had employees that left had 
multiple years of faithful service to the FDIC. These are 
different circumstances.
    Mr. LaHood. I understand that, Mr. Gross. My specific 
question that I asked you, I--the exhibit that's up there, I 
mean, do you stand by the statement that this person is non-
adversarial?
    Mr. Gross. I do. And let me give some context. When the 
employee departs the FDIC, they sign a document indicating that 
they have not taken any information with them. When we go back 
to that employee and we have proof, because of our DLP 
capabilities, that in fact they have downloaded information, at 
that instance that conversation is an employee who now realized 
I've made a mistake. And as a result of that, that relationship 
has to be managed from the standpoint of a trusted employee who 
now realizes that they inadvertently took information, and now 
they're caught misrepresenting the truth.
    So I do stand by that from the standpoint is I believe that 
the employee inadvertently took the material and now they find 
themselves in an awkward situation where their closing 
statement doesn't match the actual facts.
    Mr. LaHood. Yes. Well, I understand your statement, what 
you're saying there. I mean, this is not a foolproof system. It 
clearly is not. And the nature of the world we live in now with 
cyber attacks and foreign entities and what's out there, that's 
what's, I guess, concerning about the protocol that you went 
through here.
    Let me follow up. So was she telling the truth when she 
said ``she would never do such a thing''?
    Mr. Gross. I believe she, on the surface, was telling the 
truth, but I don't think she really understood that she had 
taken--one, I think she realized she took her personal data. I 
don't believe she realized she took FDIC-specific data. And in 
each of these cases, these are all referred to the IG's office. 
Every one of these cases we had asked the IG if they were going 
to investigate the case. The response we received is that there 
was no criminal activity; therefore, it did not warrant any 
further action on their part.
    Mr. LaHood. Mr. Gibson, let me ask you. Do you agree with 
Mr. Gross that this person was non-adversarial?
    Mr. Gibson. So I really need to take a look at this set of 
facts. Offhand, I'd say that there are different 
interpretations of these facts. Non-adversarial, I mean, it 
seems to me that you could interpret these facts to suggest 
that she is adversarial. You could certainly interpret these 
facts to suggest that she's being less than candid or truthful.
    Mr. LaHood. And so you don't necessarily agree with that 
statement and they have a different opinion, is that fair to 
say?
    Mr. Gibson. Sir, I don't agree with that statement, and I 
may have a different opinion.
    Mr. LaHood. I see my time is expired. Let me just ask 
another question here.
    I'm going to refer to Exhibit number two. Mr. Gross, this 
is an email dated April 28, 2016, to you from the acting Chief 
Information Security Officer at the FDIC. The message says, 
``We were notified of the $10,000 record count of these 
incidences on April 27, so the seven-day reporting requirement 
will be on May 4, 2016.'' Mr. Gross, what incidents is the 
acting Chief Information Security Officer referring to?
    Mr. Gross. I'm not really sure from just looking at this 
document, but I believe what he's talking about are one of the 
incidents that we retroactively went back and looked at.
    Mr. LaHood. And you understood the seven-day reporting 
period, correct?
    Mr. Gross. Actually, this may have been an incident that 
was reviewed by the DBMT and already deemed as closed. Without 
actually looking closer at the document and getting the other 
information, I'm not sure of that. But we went back 
retroactively, and some of the incidents that we reported, they 
had already been reviewed by the DBMT and it had been deemed a 
breach but a low-risk breach.
    Mr. LaHood. Did you report the incident to Congress by May 
4, as required by the law?
    Mr. Gross. I don't know if this incident was reported by 
May 4. I believe it was reported in the recent report where we 
provided five different incidents to the Congress.
    Mr. LaHood. Yes. I mean, in looking at what the--
information I have, it was not reported within the seven days, 
and actually, it appears on May 9 it was reported, so it was 
outside of that window. Do you disagree with that?
    Mr. Gross. I don't agree or disagree without looking at--
but I believe this was included in the report for all of the 
incidents. My question would be is was this incident previously 
closed by the DBMT and deemed as a low-risk? So therefore, the 
seven-day clock would have actually started long before we 
completed the record count. It would have been back when the 
incident may have been initially reviewed.
    Mr. LaHood. Well, when I look at this document, it looks 
like this--I mean, clearly, in that quote that I sent to you, 
you're notified of the incidents on April 27 and told that it 
has to be done by May 4. It appears that it's outside that 
window. I guess it just as a follow-up, Mr. Gibson, should 
incidents such as this that we're discussing today be reported 
to Congress within a timely manner?
    Mr. Gibson. Sir, I think that when the waterfall 
requirements of 16-03 are triggered, I think that there's an 
obligation to report in 7 days from the time that the agency 
has a reasonable basis to believe that a major incident has 
occurred. That's what the law says.
    Mr. LaHood. It appears from this document in Exhibit two 
that that was the case and it wasn't done within the seven-day 
period.
    Mr. Gibson. So it could. I haven't--I'm not familiar with 
the incidents that that's referring to and, you know, to answer 
that conclusively, I want to review that. But, you know, it 
certainly could indicate that, yes.
    Mr. LaHood. Thank you. I went over my time.
    Chairman Loudermilk. The Chair recognizes himself for 
questions.
    Mr. Gross, the Florida incident, is that one of the 
incidents that Mr. LaHood was referencing that you believed was 
inadvertent?
    Mr. Gross. I believe all of the incidents that have been 
reported were identified where the individual inadvertently 
downloaded the material.
    Chairman Loudermilk. And how many incidents has that been?
    Mr. Gross. I believe we've reported seven.
    Chairman Loudermilk. Seven and they were all accidental?
    Mr. Gross. Out of the seven, we had--I believe it was five 
individuals that were retiring, and I believe the other 
individuals were term employees and they were coming to the end 
of their term.
    Chairman Loudermilk. Were all seven of these those that you 
described as not very computer literate or----
    Mr. Gross. Yes, sir, I would say that these individuals 
downloaded the information in an attempt to take their personal 
information prior to departure.
    Chairman Loudermilk. But they had access to sensitive 
information even though they were not ``computer literate''?
    Mr. Gross. Well, the information they had legitimate access 
to was required for them to perform their day-to-day duties. 
Their duties continued up until the day they left employment 
with the FDIC.
    Chairman Loudermilk. So it's common practice to allow 
personnel to download information from the FDIC official 
server?
    Mr. Gross. Prior to my arrival, we did utilize mobile 
media, and individuals could download information to those 
devices. We've since put into place capability to prevent the 
downloading of information to mobile devices.
    Chairman Loudermilk. So is it accepted practice to allow 
personal use of the government computers? If they were taking 
personal information, then obviously they're allowed to use 
them for personal----
    Mr. Gross. Policy does allow de minimis use of the personal 
computer, yes, sir.
    Chairman Loudermilk. Does--do any of the employees in the 
FDIC, yourself or any others, use personal email to conduct 
official business?
    Mr. Gross. No, sir, not that I'm aware of.
    Chairman Loudermilk. None at all. Regarding the Florida 
incident, the Data Breach Management Team, did they give you a 
recommendation on whether this was a breach?
    Mr. Gross. The Data Breach Management Team is a group of 
representatives across the organization. The Inspector General 
sits on that group. It's not a voting body. It's a consensus 
body, and they do provide a recommendation. And I believe from 
the Florida incident that they did recommend that it was a 
breach, but we did also indicate it was a low-level breach.
    Chairman Loudermilk. Okay. Well, let me read from you an 
email which you were just provided a copy. This was from the 
former CIO Christopher Farrow to you, and--regarding the 
Florida incident and just item number seven, ``Only you can 
declare this incident a breach. You have not done so. The DBMT 
has only recommended that this is a breach. We're waiting on 
you to declare this a breach.''
    I'm bringing attention to this email that was provided to 
us by the IG, and it was sent to you on November 30, 2015. And 
in the subject line it refers to the October 2015 Florida 
incident that you informed this Committee of. And the subject 
line says ``action required, Florida incident.''
    As we've discussed here, the body of the email concerns the 
handling of the incident completely within the scope of the 
documents requested by this Committee. The IG provided us this 
document, but you did not, sir. Now, how is not including this 
email with the documents you provided us being responsive to 
the Committee's request?
    Mr. Gross. Sir, I believe every effort was made to be 
responsive to your request. If there's needs for additional 
information, as I said, I stand ready to do so. I believe this 
document right here is summarized in our response in the 
incident management.
    Chairman Loudermilk. But, sir, did the Committee's request 
ask for summaries or did it ask for the documents? I believe 
our request was for all documents, not summaries of documents, 
but documents.
    Mr. Gross. Sir, I believe our response to the Committee's 
request was comprehensive. We made an active effort to provide 
a comprehensive response to this Committee.
    Chairman Loudermilk. But evidence that you have in front of 
you is that it was not comprehensive.
    Mr. Gross. I don't know for sure if this was included in 
the overall submission to the Committee, sir.
    Chairman Loudermilk. It was not, but the IG did provide 
this to us.
    Are you aware, sir, that actively--by not providing this, 
you are actively obstructing this Committee's investigation?
    Mr. Gross. Sir, I believe our submission to you was 
comprehensive. Every effort was made for it to be 
comprehensive.
    Chairman Loudermilk. But, sir, it wasn't comprehensive if 
we're receiving documents from the Inspector General that are 
clearly relating to these incidents that we are investigating 
but you did not provide them.
    Mr. Gross. Well, I didn't provide all the documents that 
you received, sir. These documents came from a variety of 
different offices within the Corporation.
    Chairman Loudermilk. But, sir, you are the addressee on the 
email with this document, so clearly you did have this 
document. And it would have been your responsibility to provide 
this in response to our request for all documents.
    Mr. Gross. I believe that this would have been included in 
the incident response because this document speaks to what's 
summarized in the incident report.
    Chairman Loudermilk. But again, sir, the Committee did not 
ask for summaries; we asked for documents. And are you aware 
that obstructing Congress is a violation of federal law?
    Mr. Gross. I'm fully aware of that, sir. I'm a prior law 
enforcement officer.
    Chairman Loudermilk. Okay.
    Mr. Gross. As I said, we made every effort to be 
responsive. I believe what we provided was a representation of 
the production. We made every effort to be quite exhaustive in 
our response to this Committee. As I said, I--we stand ready to 
provide any additional information that you deem warranted.
    Chairman Loudermilk. Well, I thank you for that, but I 
would prefer that we get these initially and not have to go 
back and get--let me read directly from the correspondence this 
Committee sent to you. It says, ``All documents and 
communications referring or relating to the security 
incident.'' All documents and communications. We didn't ask for 
summaries; we asked for all documents and communications, which 
you failed to provide.
    Let me ask you another question. We'll shift our direction 
of questioning here. Sir, if a bank were to have the incidents 
happen to them, an employee walks out with a USB drive 
containing 10,000 pieces of PII of their customers, and they 
followed the same procedure that you followed by not reporting 
it to the FDIC, what would the FDIC's actions be to that bank?
    Mr. Gross. I can't speak to that, sir. That's speculative. 
I----
    Chairman Loudermilk. I would like to get the answer to that 
because I don't think it would be following the same procedures 
that you're holding yourself accountable to.
    Maybe, Mr. Gibson, do you know what action would be taken 
to a bank?
    Mr. Gibson. Sir, I think that question would need to be 
answered by the supervisors.
    Chairman Loudermilk. Okay.
    Mr. Gibson. I'm afraid I can't.
    Chairman Loudermilk. I did pose that to--a question to a 
banker yesterday, and I will get a formal response of what he 
believes would have--the action that would have been taken.
    Mr. Gross, it appears the FDIC has a history of cyber 
security breaches that goes beyond what has been made public to 
date. I personally have a problem after 30 years of being in 
the information systems business that seven repeated incidents 
are all inadvertent.
    But let's move on to other incidents. Is it true that an 
``advanced persistent threat'' was able to penetrate the FDIC 
computer systems in August 2011?
    Mr. Gross. I believe that's correct, sir.
    Chairman Loudermilk. Okay. Is it true that FDIC employees' 
computers were accessed by a foreign entity without their 
knowledge?
    Mr. Gross. I believe you're speaking from an Inspector 
General report, sir, and that, I think, would be best discussed 
by the Inspector General. That document has sensitive 
information in it.
    Chairman Loudermilk. Mr. Gibson, do you have any 
information that you can share with us?
    Mr. Gibson. If you want to ask me a question, let's see.
    Chairman Loudermilk. Is it----
    Mr. Gibson. I don't see why not.
    Chairman Loudermilk. Is it true that FDIC employees' 
computers were accessed by a foreign entity without their 
knowledge----
    Mr. Gibson. Sir----
    Chairman Loudermilk. --dating back to August 2011?
    Mr. Gibson. That is my understanding, yes, sir.
    Chairman Loudermilk. Okay. Thank you. Mr. Gross, is it true 
that the Chairman of the FDIC's own computer was accessed by 
this foreign entity?
    Mr. Gross. Sir, I have reviewed that document. I believe 
what you're stating is included in the report, but I just 
became familiar with that document yesterday. I think Mr. 
Gibson would be best positioned to respond.
    Chairman Loudermilk. Mr. Gibson, can you respond? Is it 
true that the Chairman of the FDIC's own computer was accessed 
by this foreign entity?
    Mr. Gibson. Sir, that's my understanding.
    Chairman Loudermilk. That's your understanding. And again, 
this is in an IG report?
    Mr. Gibson. Sir, there are actually--well, there is--I 
believe the document that you've got is an IG report.
    Chairman Loudermilk. Okay.
    Mr. Gibson. That document was produced to address the 
FDIC's handling of the incident internally. It's not a 
technical report.
    Chairman Loudermilk. Okay.
    Mr. Gibson. The technical reports would have been prepared 
by an FDIC contractor that was brought in to study the specific 
situation. The question is a technical one. Our report really 
doesn't get to that. It gets more to the issue of reporting of 
the incident and the FDIC's handling of the incident than it 
does the technical aspects.
    Chairman Loudermilk. Okay.
    Mr. Gibson. But in so far as--you know, yes, the answer to 
the questions that you're asking is yes, but I don't know the 
technical details----
    Chairman Loudermilk. Okay.
    Mr. Gibson. --behind some of that.
    Chairman Loudermilk. Mr. Gross, is it true that the foreign 
entity was China?
    Mr. Gross. Sir, I don't know that to be correct. I can only 
tell you what I've read in the report. The details surrounding 
the report, it happened prior to my arrival.
    Chairman Loudermilk. I understand.
    Mr. Gross. I can assure you that if that was to happen 
today under my watch, I'm a prior military person and I believe 
in the command structure, so if there's an incident that occurs 
in my organization, one, it's my boat. I'm responsible for 
making sure it's reported and addressed.
    Chairman Loudermilk. Well, I understand that and I 
appreciate your response there. But in the report, does it 
identify anywhere--Mr. Gibson, in the report does it identify 
that the foreign entity was indeed China?
    Mr. Gibson. No, sir, it is not.
    Chairman Loudermilk. It does not.
    Mr. Gibson. We are not authorized to make a specific 
attribution to any particular actor.
    Chairman Loudermilk. Okay. Thank you.
    Mr. Gross, regarding this particular incident where 
supposedly China had access to FDIC computer systems for over a 
year, which I think would be a very significant issue to maybe 
have more information on than what we're sharing here today, 
according to the materials provided to the Committee, the FDIC 
chose to intentionally violate its own policies and procedures 
and did not notify CSIRT, the central national authority 
responsible for tracking, analyzing, and coordinating responses 
to computer security incidents that attack U.S. Government 
systems. Is this true?
    Mr. Gross. Sir, as I said, I've reviewed that report, and 
it's actually great to kind of draw that to scale. When you 
look at the APT that you're mentioning here versus an incident 
where we have trusted employees that left the organization, you 
can see why we drew the fact that the risk of harm to 
individuals was low. In this instance, if there was an APT in 
our environment, we would be taking active steps to address it.
    But I would have to defer to Mr. Gibson on the specifics 
that might be contained in the report as to who might have been 
penetrated or the extent of the penetration into the 
environment.
    Chairman Loudermilk. Mr. Gibson, can you provide any more 
enlightenment in whether they followed proper procedures by 
notifying a foreign entity?
    Mr. Gibson. They did not.
    Chairman Loudermilk. They did not. Thank you.
    Mr. Gross, it's my understanding that one of the steps 
taken by the FDIC to prevent further breaches was to shut off 
the use of USB drives on the computers at the FDIC. What 
percentage of the FDIC employees roughly still have access to 
their USB drives?
    Mr. Gross. I believe we've reduced that number down to 
probably less than 50 percent. We still have a significant 
number. Our goal is zero. As I said, I've come from other 
federal agencies, so my goal is to reduce that down to zero. 
However, we have to work through different business processes 
that still require the use of that, and what I mean by that is 
our examiners have a need to exchange information with their 50 
different counterparts that they work with in the field. So I 
can't immediately drive down to zero, but I can assure you and 
the Committee my goal is to get to zero on use of mobile media 
within the organization.
    Chairman Loudermilk. So with the 50 percent that you have 
disabled, were those the employees that have access to the type 
of the information that was breached, or are those the 50 
percent still remaining to be blocked?
    Mr. Gross. The 50 percent that we had are primarily 
examiners that work out in the field and other components of 
the organization that still have an express business 
requirement for that. The goal, as I said, is zero. In our 
examiner area, we are actually rolling out technology right now 
which we call our ETS system.
    Chairman Loudermilk. Right.
    Mr. Gross. As we roll that out, we will begin to be able to 
have larger numbers of those groups no longer have a need for 
the use of mobile media. So we're going to do this over time in 
specific business areas to be able to get to that zero 
threshold.
    Chairman Loudermilk. So if you had these 50 percent--let me 
ask it this way. If the 50 percent you have blocked now was 
done six months ago, would it have prevented these incidents?
    Mr. Gross. I can't say that for certain, sir, because these 
individuals were in various different parts of the 
organization. And even, as I said, it was an inadvertent 
download of the data.
    Chairman Loudermilk. What have you done to prevent it from 
happening other than the USB drives?
    Mr. Gross. Actually, what we've done to prevent it is 
we've, one, eliminated the use of mobile media across the 
organization only to those individuals that require it in order 
to complete their business processes. In order for those 
individuals to be able to use the removable media, it requires 
the approval of their division director.
    Chairman Loudermilk. Okay.
    Mr. Gross. The--in addition to that, what we're also 
putting in place is encryption--is that any device that's 
placed into the machines, once that device is placed in the 
machine, it will automatically be encrypted. So those mobile 
devices that we do have in the environment would in fact have 
encryption, which would enhance their--the security on those 
devices if they're lost.
    Chairman Loudermilk. But it would not have prevented these 
actions from taking place?
    Mr. Gross. I don't believe it would have.
    Chairman Loudermilk. Mr. Gross, it's interesting that some 
of these breaches were retroactively reported to Congress. It's 
clear that the OMB guidance and FISMA state anything over 
10,000 instances of PII is to be reported to Congress. We have 
systems in place to trigger awareness at various government 
levels. If I go to the bank and withdraw $10,000 of my own 
money, that is immediately going to be reported, but certain 
employees at FDIC can download 10,000 individual PIIs and it's 
not flagged. Is that a double standard?
    Mr. Gross. Well, actually, sir, it is flagged. I think we 
have a best practice in the fact that we're using DLP to 
identify those instances. Prior to DLP, we would have been 
unaware that the employees were downloading that information.
    Chairman Loudermilk. But there was 10,000 that were 
breached that were disclosed or taken but you did not report 
those within the seven-day window.
    Mr. Gross. Sir, it's--we don't have relief in reporting. I 
want to be--I want to go back to that in that it's not a 
question of whether or not if it's going to be reported. All 
incidents within the FDIC are reported. The question is, is it 
reported within 7 days, 30 days, or is it reported in an annual 
FISMA report.
    So I want to make sure that it's understood is that there's 
no question about our transparency in reporting. It was in 
which time frame. And we wanted to draw to scale--we wanted to 
focus on, is this major? Is this an APT? Is this someone in our 
system? If we report on incidents that we have deemed as non-
major, then we're reporting on everything. And then when we 
have an APT or a significant event, the risk you run is that 
these incidents are then lost in the noise. And I would hate to 
classify any incident as just noise. But we want to make sure 
that we're focusing our energies and our time around those 
incidents that pose significant risk of harm to individuals or 
the organization.
    Chairman Loudermilk. Okay. I have been very lenient with my 
time, and I will do the same to my good friend from Virginia, 
Mr. Beyer, who is now recognized.
    Mr. Beyer. Thank you, Mr. Chairman.
    Mr. Gibson, in your testimony you said that the memorandum 
that you had prepared on February 19 this year to the Chief 
Information Officer was marked privileged and for official use 
only, and it was later leaked, which is how come we know about 
it. Why wasn't it public in the first place? And what's the 
argument for keeping something like that from the public?
    Mr. Gibson. Sir, it's not our responsibility to report; 
it's the FDIC's responsibility. We prepared that document in 
the middle of an audit, actually planning for an audit. We had 
not completed our work at that point in time. At the time that 
our work is completed, we would have made some public 
disclosure of it. There are other points at which public 
disclosure might have occurred, depending upon the FDIC's 
response to that memorandum. When they responded by determining 
that they would disclose the incident, then there was no need 
for us to make it public ourselves.
    Mr. Beyer. In the seven incidents we're talking about that 
the FDIC and the CIO have all determined were inadvertent, does 
the decision--or the determination of inadvertency make it more 
difficult for you to pursue criminal charges?
    Mr. Gibson. Well, sir, it could. It's a fact that you'd 
have to consider as you evaluate the case. When we have a 
statement from the government that says that something's 
inadvertent then you have to establish that there's specific 
intent to violate the law. Now, if I was a defense lawyer, 
that's probably the first document that I would wave around. 
That doesn't mean we can't, but it does mean that it can 
increase the bar; it can increase the level of difficulty that 
we have.
    Mr. Beyer. Great. Thank you.
    Mr. Gross, one of the things I want to be clear about, too, 
because you've mentioned a number of times your distinguished 
39-year career in the military and the federal office, and we 
thank you for that and thank you for your service. But I just 
want to also clarify that the hearing is not about your 
remarkable career but rather about what's going on with the 
FDIC right now.
    In your attempt to remove the mobile media devices down to 
50 percent and rolling out ETS, how then will examiners share 
data if the mobile devices are gone?
    Mr. Gross. We're identifying technology solutions that will 
allow them to exchange information. As I said, since arriving, 
I've been looking at the business practices that we have within 
the organization trying to identify other solutions that will 
allow us to conduct our business without exposing the data.
    Mr. Beyer. Which will include not being able to email the 
data back and forth?
    Mr. Gross. That's correct. We currently monitor email, and 
we have the ability to manage or prevent email exchange. But in 
the case of mobile media, it--just as it says, the ability for 
a person to move it from point A to point B is quite easy.
    Mr. Beyer. I want to clarify one thing you said earlier, 
and I'm confused. So in the OMB guidance, on the one hand, if 
it affects more than 10,000 records, it triggers the 7-day 
response. You also said that it's your classification, major, 
minor, intermediate, that determines 7-day, 30-day, annual 
disclosure. Are those in conflict? Do you really have the 
discretion as CIO to determine what's major and what's not 
major and therefore what--or, to be specific--because something 
released 11,000 records and you still determine it not major?
    Mr. Gross. Actually, sir, in the incidents that we've 
reported, we have several in there that just barely meet the 
bar. I believe there's a couple that are 13,000 records. The 
policy is a--it provides some guidance to the agency to 
consider in making a determination of, one, the significance of 
an event. So you can have an incident and it's not considered a 
major in that the surrounding issues around the incident 
doesn't warrant the 7-day reporting.
    Mr. Beyer. Even though it has more than 10,000 records?
    Mr. Gross. In----
    Mr. Beyer. Is the 10,000 records threshold not de facto 
sufficient----
    Mr. Gross. I----
    Mr. Beyer. --for the 7-day reporting?
    Mr. Gross. I believe it draws a bright line, and that 
bright line is that--is what we're following now. But I believe 
what happens is it creates an environment where you're 
reporting everything and--as a major, and then you run the risk 
that if you have a significant event, it would be--it may be 
overlooked. But the policy clearly says it leaves to the 
discretion of the agency if there's significant enough 
information to warrant reporting as a major.
    Mr. Beyer. Okay.
    Mr. Gross. But I want to be clear, there's not a question 
of if the incident is reported. It is reported. The question is 
in what time frame is it reported.
    Mr. Beyer. Well, and I--I'd ask you, please, to listen 
carefully to this, too, because if anything over 10,000 
constitutes so many reports that it's noise, we have a much 
bigger problem. We should have very few incidents ever that 
have more than 10,000 records.
    Mr. Gross. I would hope, sir, that we get to zero. My goal 
by removing the mobile media where we have seen these incidents 
occur is that we have better management of control of our data. 
But as you--if you read through the incidents, our employees 
are fully aware of their requirements of reporting, so we're 
focused today on removable media.
    But on a day-to-day basis, you may have employees that may 
inadvertently have access to information that was unintended. 
That could be they saw--they looked at a file share that was 
online where the permissions may not have been removed. Is that 
a major? Well, there may be 10,000 records in that file share 
that they inadvertently saw during that period of time, but was 
it during the normal course of their business so it's not 
reported as a major, but we still report it as an incident in 
our FISMA report.
    Mr. Beyer. You say that in determining whether it's a major or minor 
incident, you used their signed statements, their 
affidavits, to determine that the information has not been 
disseminated. That seems to put an awful lot of trust into one 
signed statement. Are there any other steps you took, tests to 
see whether any of these records had leaked out, had been sold, 
had been contacted? For example, the FEC salts its FEC 
reports with fake names so they can determine whether somebody 
else has pulled it off the internet and used it 
inappropriately.
    Mr. Gross. We do have a forensic review that we conduct on 
the device once it's returned. One, we can identify if the 
device that was returned is in fact the device that was used to 
make the copy. We can also examine the files that are on the 
document to ensure that we've in fact recovered all of the 
information that was exfiltrated onto the device originally. 
But in addition to that, we can determine the last time the 
files were opened or accessed.
    There are limitations to what we can do with the forensics, 
but it gives us a better perspective as to what happened to the 
data from the time it was downloaded to the device to the time 
the device was returned to the organization.
    Mr. Beyer. Is there any way to determine whether that data 
was downloaded into another computer or sent to someone else?
    Mr. Gross. We have limited capabilities in our forensic 
that we can determine some things but we have to rely on the 
fact that the employee's assertion that it has not been 
disseminated beyond themselves is important.
    Mr. Beyer. Yes. Once again, I fear that that's going to be 
too low a bar. But let me move on.
    Is the--on the personal information, Ms. Lofgren from 
California pointed out how probably important it is that the 
personal information be in fact de minimis, and if it's de 
minimis, there should be very little that needs to be taken 
off.
    I served four years in the State Department, and at the end 
didn't need to download a single thing. I did have to go delete 
emails to my wife as to what time I was coming home for dinner 
but nothing else beyond that. And it's sort of hard to imagine 
that I would need it--after serving four years that there--or 
even 30 years that there's much that you'd need to take off the 
computer.
    Mr. Gross. By implementing the procedures that we have in 
place for preventing the downloading of the material to mobile 
media, what that does is put us in a position that if an 
employee in fact does want to download information, we in fact 
have to intervene and do that with them on their behalf. So I 
believe we'll be able to meet that bar that she's indicated 
where we should be.
    We want to make sure that if the employee does have 
information that they may have created through de minimis use 
of the device, creating of a resume or other material, that in 
fact they can take that. But by eliminating their ability to 
download it, I believe we're in a better position to manage 
that.
    Mr. Beyer. Okay. One last question. On the October breach 
you made the determination that it couldn't be classified as a 
major incident, but you have the DBMT, the Data Breach 
Management Team. And they all have a--are they simply advisory 
or do they have a vote in determining what's a major and what's 
a minor event?
    Mr. Gross. It's not a voting body. All of the 
representatives on the group--as I said, the Inspector General 
sits on the group. We have a representative from each of the 
program areas where the incident may have occurred. They 
provide a recommendation based on the information to the CIO of 
whether or not it's a breach, but they also make other 
recommendations of things that should be considered as part of 
the review process.
    Mr. Beyer. Do you remember whether the--what recommendation 
the DBMT made in response to the October incident?
    Mr. Gross. I'm not sure the--when you say October incident, 
is that the Florida incident? That's the one we refer to as----
    Mr. Beyer. The original one, yes.
    Mr. Gross. --the Florida incident. I believe it was 
recommended that it was a breach but it was low risk.
    Mr. Beyer. Okay. Have you been in the position yet of 
having to make a determination that differed from what the DBMT 
recommended?
    Mr. Gross. No, I don't believe so. And I want to be clear 
is that the DBMT doesn't meet once. So on the surface it may 
appear that these incidents may have lingered on or we were 
nonresponsive. In fact, the DBMT meets on a number of different 
times during an incident as additional information becomes 
available, but I don't know of any incidents where I have been 
in--I've had a difference of opinion of what came out of the 
DBMT.
    Mr. Beyer. All right. Thank you, Mr. Gross. Thank you, Mr. 
Gibson.
    Mr. Chairman, I yield back.
    Chairman Loudermilk. I thank the Ranking Member for the 
line of questioning, and I thank the witnesses for their 
testimony and the other Members who were here with questions.
    We've identified several inconsistencies here today by the 
FDIC, and the Committee will continue its oversight and looks 
forward to having the FDIC Chairman here once the Inspector 
General completes its audits. We will continue looking into 
this. This is a very critical issue.
    And the record will remain open for two weeks for 
additional comment and written questions from the members.
    The hearing is adjourned.
    [Whereupon, at 11:40 a.m., the Subcommittee was adjourned.]

                               Appendix I

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]


                              Appendix II

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]