The agency reported that, in November 2015, a former employee downloaded over 10,000 records onto two thumb drives before retiring. The breach was first detected in September 2016 during an internal review of employee downloads. Following investigation, the agency determined that the breach was a “major incident” requiring reporting to Congress under the Federal Information Security Modernization Act of 2014 (FISMA).
Under FISMA, as clarified by the October 30, 2015 Office of Management and Budget (OMB) Memorandum 16-03, a federal agency is required to notify Congress within 7 days of discovery of a “major” security incident. Per OMB Memo 16-03, a “major incident” is one which:
1) Involves information that is classified or otherwise protected under certain categories; and
2) Is not recoverable or not reasonably recoverable; and
3) Has some functional impact to the mission of an agency; or
4) Involves exfiltration, modification, deletion or unauthorized access to either:
a) 10,000 or more records or users affected; or
b) any record of special importance.
OCC determined that the breach in question was a “major incident” because it involved protected information that was not recoverable, and the unauthorized removal involved a large number of files, exceeding 10,000.
Currently, there is no indication that the information involved included any non-public personally identifiable information, or that it has been disclosed to the public or otherwise misused in any way. Notice of the breach was also given to the Director of the Office of Management and Budget, the Secretary of Homeland Security, and the head of the Government Accountability Office. The important lesson for government agencies is to understand the parameters of FISMA, and the reporting requirements when a major incident has occurred.