The Fed said Wednesday that Brian J. Gross, a staff member in the Fed's congressional affairs office, accidentally released the minutes of its March 19-20 Open Market Committee meeting Tuesday afternoon to 150 of his contacts, including Washington representatives at Goldman Sachs Group Inc., Barclays Capital, Wells Fargo & Co., Citigroup Inc. and UBS AG, reported the Wall Street Journal.
Gross was not available for comment, probably because he’s updating his resume about now.
It isn’t quite clear how the “Fed Flub” happened. Officials are at this point couching it as an accident (really?), one that apparently nobody noticed until the next day (really??). But okay. We’ll take them at their word.
While your organization probably isn’t the Fed, and your company’s financial data probably doesn’t affect worldwide markets, nevertheless your company is likely to have data that needs to be controlled. There are two takeaways from this incident:
1. People screw up.
2. All the technology in the world can’t change Rule #1.
“Fed officials have been trying to more carefully manage the flow of information from the central bank for fear it could be used by some people for personal gain,” reported the Wall Street Journal. “In January the Fed updated its policy on external communications in which it stated that Fed staff must ‘carefully safeguard’ all confidential central bank information.”
They might want to take another stab at that. You think?
The most important aspect of any company — including IT — is process, and technology serves to support the process. Just like buying a new product doesn’t magically make your company more organized and efficient, security products don’t make your company’s data secure all by themselves. The necessary policies also need to be in place, and the technology supports those policies. You need checks and balances all along the way to make sure people aren’t sending things out they’re not supposed to — deliberately or accidentally — and you need technology to help you find out when those processes aren’t being followed.
So let’s look at how the process failed here, and how technology could have supported it.
- How did he get access to the report so early? Did he normally have access to it? Didn’t he need to check it out of a secure document repository and say what his purpose was in using it, and have someone approve that?
- How was he able to put the document in an email message? To 150 people, no less? Financial institutions that the Fed monitors routinely prevent their staff from emailing sensitive files. In this case, the minutes are normally sent to reporters one hour before their official release. Shouldn’t there have been some sort of restriction on the file, or a flag tripped when it was included in email before that time?
- How was he able to mail out the email message without some sort of alert being triggered? One could argue that the biggest point of failure here is that “Officials at the Fed didn't notice the mistake until about 6:30 a.m. Wednesday,” when another guy at the Fed, who happened to be on the distribution list, happened to spot it, according to the Wall Street Journal. Really? If somebody tries to email your most sensitive financial information, shouldn’t a bunch of alarms have gone off?
- How do we actually know that nobody read it the entire day? So far, the best evidence provided is ‘Well, it must be that nobody looked at it, because nobody traded on it,’ though the central bank has reportedly told the Fed it didn’t know whether anyone had traded on it. Really? A simple receipt flag could have established a record of when people actually read it. It’s been suggested that people didn’t read it because they were honoring the embargo on the email. That seems to put an awful lot of faith into human nature.
- How do we know that nobody forwarded it on to 150 of their friends? “It isn't clear whether the information spread further, and if not, why,” reported the Wall Street Journal. Really? There’s no control in the Fed’s email system to limit how data can be forwarded?
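The embargo-aware flag that the second and third questions above ask for could look like the following outbound mail check. This is an added example, not code from the original post or a description of the Fed's systems; the domain names, press list, release time and document bytes are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "agency.example"        # assumption: the sender's own mail domain
PRESS_LIST = {"reporter@news.example"}    # assumption: approved early-access recipients
PRESS_LEAD = timedelta(hours=1)           # per the post: reporters get it one hour early

SAMPLE_DOC = b"CONSTRUCTED: embargoed meeting minutes"        # constructed sample
RELEASE = datetime(2030, 1, 2, 18, 0, tzinfo=timezone.utc)    # constructed release time
# Registry filled when a document enters the repository: SHA-256 -> release time.
EMBARGOED = {hashlib.sha256(SAMPLE_DOC).hexdigest(): RELEASE}

def recipients(msg):
    """All To/Cc/Bcc addresses of the message, lower-cased."""
    fields = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def evaluate(msg, now):
    """Return (action, reasons); action is 'block' or 'allow'."""
    reasons = []
    external = {r for r in recipients(msg) if not r.endswith("@" + INTERNAL_DOMAIN)}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        release = EMBARGOED.get(hashlib.sha256(data).hexdigest())
        if release is None or now >= release:
            continue  # not a tracked document, or the embargo has lifted
        # Inside the press window only the press list may receive it; before, nobody outside.
        allowed = PRESS_LIST if now >= release - PRESS_LEAD else set()
        unapproved = external - allowed
        if unapproved:
            reasons.append(f"{part.get_filename()}: embargoed until {release.isoformat()}, "
                           f"{len(unapproved)} unapproved external recipient(s)")
    return ("block" if reasons else "allow"), reasons

def build(to_addrs):
    """Constructed outbound message carrying the sample document."""
    msg = EmailMessage()
    msg["From"] = "staff@" + INTERNAL_DOMAIN
    msg["To"] = ", ".join(to_addrs)
    msg.set_content("Minutes attached.")
    msg.add_attachment(SAMPLE_DOC, maintype="application", subtype="octet-stream",
                       filename="minutes.pdf")
    return msg

if __name__ == "__main__":
    contacts = [f"contact{i}@bank{i % 5}.example" for i in range(150)]
    print(evaluate(build(contacts), RELEASE - timedelta(hours=24)))
```

Exact-hash matching only catches unmodified copies of a registered file, so a real deployment would pair it with content fingerprinting or classification labels, and a block should also raise an alert rather than fail silently.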
“We know that mistakes occur from time to time in this age of computers,” the WSJ quoted Al Felzenberg, a spokesman for Congress's Joint Economic Committee, as saying.
The New York Times reported that “the Fed’s inspector general has been asked to review release procedures in light of the incident.” The Fed takes great pains to control risk at the banks it monitors. Maybe it’s time to take a look in the mirror.