Congress has been pursuing an investigation into alleged misconduct at the IRS, and as a part of that investigation it requested emails from former IRS director Lois Lerner for the timeframe in question. The response Congress got was that those emails—along with any archive or backups of those emails—have been erased and are no longer available. There are legal and compliance requirements organizations must abide by when it comes to retention of information, and the IRS apparently dropped the ball.
Dr. Barbara Rembiesa, president and founder of IAITAM (International Association of Information Technology Asset Managers), didn’t pull any punches when talking about the plausibility of the claim that the emails have been destroyed. She is quoted in an IAITAM blog post stating, “The notion that these emails just magically vanished makes no sense whatsoever. That is not how IT asset management at major businesses and government institutions works in this country.”
According to Rembiesa, there are some serious questions to be asked about how the IRS handled the situation, and the answers could prove to be a bit of a smoking gun for the larger investigation.
In a nutshell, there should simply not be any way for every trace of the email data to be gone. A business, or a government agency like the IRS, should have policies and procedures in place that dictate how data backups, data retention, and disaster recovery will be managed. The assertion that Lerner’s hard drive crashed and was subsequently destroyed would have absolutely no impact on whether or not the emails in question still exist on an email server, or on any backups of either that server or Lerner’s hard drive.
It’s worth noting that Lerner also had a mobile device, and the mobile device might—or should—have access to those “missing” emails as well.
Rembiesa stresses that proper IT asset management procedures require that there be documented records of hard drive wiping or destruction. Hard drives aren’t just tossed in the trash, and a hard drive from an organization like the IRS may contain sensitive information and must be disposed of properly. Whether the hard drive destruction occurred internally, or through an outside contractor, there should be documentation detailing exactly when and how the drive was destroyed, why it was destroyed, and who authorized it.
There is a lesson here for other businesses. IT assets have to be properly managed and maintained. There are financial and legal ramifications to the destruction of IT assets and data. Any decision to destroy hardware or erase data should be justified and thoroughly documented so there is a paper trail explaining the decision if it comes into question at a later date.
Businesses should also ensure data is properly backed up and any applicable data retention requirements are complied with. Destroying one hard drive should not, in and of itself, be sufficient for wiping the data from existence.
Congress and the IRS will have to sort out their mess, but you can learn from the apparent mistakes of the IRS and make sure you have policies and procedures in place to prevent a similar fiasco in your organization.