The recent news that the IRS “lost” Lois Lerner’s e-mails has been making headlines in the news media, but not so much in data protection circles. That may be because any data protection expert knows that this claim simply makes no sense. It’s either a case of extremely bad data protection procedures or a bald faced lie.
From what I have read and heard, the IRS claims that they lost all of Lerner’s emails during the time it was holding up tax exemption applications from conservative groups. When I first learned of this, apparently Lerner’s and six other employees’ hard drives crashed around the same time. My first thought was that all this email should be on a mail server. Interestingly, that server’s hard drive crashed too, and the data on all these drives can’t be recovered. Other than being incredibly convenient it leads me to believe something just doesn’t make sense here.
Bald Faced Lie?
It seems to me that the IRS is either counting on the ignorance of the public, with respect to how data protection works, or the IRS has the worst data protection policy of any government agency.
First, for this claim of lost emails to be true, seven laptop hard drives had to fail simultaneously. Second, the server “hard drive” had to fail. No mail server that I know of is running on a single hard drive. I think it is safe to assume that they had an array with at least RAID 5 protection. That means that the array had to have a double or even triple hard drive failure for data to have been lost. Third, it also means that all of the drives had to fail to the point that a drive recovery specialist could not pull data off of them. Fourth, it means that when the drive failed, the data could not be recovered from the backup system.
For all these things to have gone wrong at the same time is the mathematical equivalent of winning power ball and simply defies logic.
For its part, the IRS claims the failure was caused by a lack of an email archive, combined with a practice of erasing and reusing backup tapes every six months. To make matter worse the IRS apparently has a policy of allowing employees to decide for themselves which e-mails constitute an official agency record. In other words bad policy.
Go back and read that last paragraph and think to yourself for a minute. This is the IRS, not, Joe’s Plumbing! In fact Joe’s Plumbing, if they used the same excuse to defend themselves against an IRS audit, would be forced to close up shop for good.
The lack of policy is confusing because last year IRS CIO Terence Milholland said he was pushing the IRS toward world-class IT status. The above paragraph is not world class IT. Most small businesses do a much better job of protecting their email.
First, email backups should be retained for much longer than six months. Second, an email archiving system should be a standard requirement of any government agency. Third, not only should individual employees NOT be allowed to decide what constitutes an official agency record, the IT organization certainly should have locked down and put a legal hold on email records the moment the scandal broke.
The problem with the policy is that it is so egregious, that it holds zero credibility; which can only lead me to assume that this is a bald faced lie. It’s time for the IRS to own up to what actually happened, it purposely erased information that it felt might be damaging, this was not a failure of IT.