OCC Notifies Congress of Unauthorized Removal of Information

The Office of the Comptroller of the Currency ("OCC") notified Congress and other federal agencies of a "major information security incident," pursuant to the Federal Information Security Modernization Act.

According to the OCC, the incident "involve[d] a former employee who downloaded a large number of files onto two removable thumb drives prior to his retirement and when contacted was unable to locate or return the thumb drives to the agency." The downloads were first detected by the OCC on September 1, 2016, and the concern was immediately referred to the Treasury Department’s Office of Inspector General for investigation, and to the OCC’s Core Management Group for review.

The OCC concluded that the event met Office of Management and Budget criteria for a major incident because: (i) it involved controlled unclassified information, including privacy information; (ii) the devices containing the information are not recoverable; and (iii) the incident involved the unauthorized removal of more than 10,000 records.

Based on currently available information, the OCC further noted that there is no evidence to suggest that any non-public OCC information, including any personally identifiable information or controlled unclassified information, has been disclosed to any member of the public or misused in any way.