AIIM Open Forum

 View Only

Clinton Email Kerfuffle: Call for Cabinet-level Information Governance

By Robert Smallwood posted 03-19-2015 11:14

  

Egregious Email Non-Compliance Requires Strong Action

 

NOTE: This blog post is in no way a political one that takes sides, rather it deals with the policy and technology issues around Hillary Clinton’s recent email kerfuffle.

The Clinton email story has been all over the media the last couple of weeks. The scenario involves a number of interrelated issues: information technology, privacy, information security, records management (RM), legal issues, risk, and business issues.

Guess what?

These all happen to be components of the Information Governance Reference Model. What the whole modern world is talking about are Information Governance (IG) issues. This is an IG practitioner’s dream: IG has been elevated to the world stage. Except that most people don’t know what IG is, or how to implement it.

"Information governance is security, control, and optimization of information.”

In other words, IG is about maximizing information value while minimizing its risks and costs.

This isn’t the first federal records scandal. Poor record keeping has been a pattern in the federal government that has allowed corruption, wrongdoing, and ineptness to go unpunished, and has deprived the American people of a preserved record of their governmental leaders' actions on their behalf.

In fact, poor record keeping and information controls plague all levels of our government, and it has been going on for decades. A 2001 study prepared for the National Archives and Records Administration (NARA) found that most federal employees did not understand the concept of a ‘record’ and were unclear about retention requirements, that record keeping was inconsistent across agencies, that government employees did not know how to handle e-records, that integration of record keeping with business processes was lacking, and that records management was a low priority based on budget, staffing, and training levels.

Obviously, nothing has changed.

It is time to bring IG to the forefront of the conversation. Historically, RM has been pushed aside in budgets and priorities in government and has not had a seat at the C-level table in business. Keeping accurate records has been a problem for a long time in government (and business) at all levels so it is time to do something about it on the federal level.

The Inspector General function in the various agencies simply has not been effective in focusing on records or Information Governance issues—they just do not have the toolset or mandate to carry it out. At the State Department the Inspector General investigation found that only 61,000 of the 1 billion or more emails sent in 2011 were preserved. Are we really to believe that only .0061% of the email communications at the State Department that year were actually official business? That more than 99.99% of their email communications did not qualify as a federal record?

Just look at the track record of the federal government: We have continued to have RM failures and missing records.

Here are some clear examples of the impact of poor record keeping at the federal level:

  • On September 10, 2001, Secretary of Defense Donald Rumsfeld stated in a speech that the Pentagon, “… cannot track $2.3 trillion in transactions. The following day most of the records were destroyed or damaged and dozens of civilian accountants, bookkeepers, and budget analysts in that department were killed. Proper recordkeeping procedures and off-site backup records storage would have assured that records were maintained for auditing and historical purposes;
  • Gulf War veterans have had difficulty in filing medical claims due to poor record keeping procedures and unauthorized purging of files. Proper record keeping procedures and controls would have assured that vets received the medical treatment and benefits they deserved. Some of them died waiting on treatment due to lost records;
  • During an investigation of the dismissal of eight U.S. Attorneys, it was found that the George W. Bush administration used a private email server “gwb43.com” which was set up at the Republican National Committee (RNC) headquarters. In 2007, the Bush Administration admitted it may have lost 5 million emails, which by 2009 was revised to “as many as 22 million.” Later, a report by the House Committee on Oversight Government Reform found that ZERO records of 51 of the 88 White House officials who were issued email addresses from the gwb43.com domain were preserved. Proper record keeping procedures and vigilant enforcement would have prevented this.
  • In the 2013 IRS targeting scandal, Lois Lerner of the Exempt Organizations Unit at the IRS claimed critical emails were lost. In 2014 the IRS informed Congressional investigators that it "could not recover" two years of Lerner's emails since backup tapes were overwritten and Lerner's computer hard drive crashed. Lerner refused to testify so the email messages are the only record of what transpired. Then, in late 2014 the Inspector General discovered disaster recovery tapes that contained over 30,000 of Lerner's emails, but they have not been sorted through or analyzed yet. Proper record keeping, email archiving, and backup procedures would have prevented the delay and allowed the IRS to produce the requested email messages for Congress in a timely manner.

 

Many instances can be cited. Many more. The current system in place is not effective in enforcing the records laws that are on the books. The regulations and laws need to be strengthened and tightened and enforcement needs to be assured. One example of poor regulatory guidance is where federal employees are allowed to use personal email accounts for government business. Federal employees must never use personal email accounts to conduct the public’s business. Any government business or personal emails sent through a government email account should be preserved using NARA’s Capstone Approach to start. In Capstone, all email messages for those ranking above a certain level in an agency are preserved, and those below that level are preserved for a specified time, typically seven years. It is a crude classification system but it is meant to be a bridge to a more sophisticated and comprehensive one, according to its chief architect, Jason Baron, the former Director of Litigation at NARA.

The IG community needs to endorse and advocate for a cabinet-level agency with the legal authority to implement IG. This would include overarching authority over all information systems planning and architecture including information security, privacy, risk, records management, and legal retention and reporting requirements.

The “Department of Information Governance” needs to be created with the mandate to not only control and secure records, but to harmonize and streamline a cross-agency effort to capture and maintain federal records. That means simplified and standardized retention schedules and the integration of IG and particularly information security and RM functions into day-to-day business processes. It must be an ongoing “evergreen” program.

The U.S. has 15 executive departments with the Department of State headed by the Secretary of State being closest and most important in the line of succession after the Vice-President, and then including Treasury, Defense, Justice, Interior and so forth. There are additional cabinet-rank positions including the Chief of Staff and Office of Management and Budget (OMB).

Government and businesses run on information. Information forms the basis for management decisions and policy. It is preposterous that we have a federal government structure that does not value information, which has become in many ways, “the new oil.” We have a Department of Energy so why nothing for Information? The time has come.

Politicians and government bureaucrats have been relying on vague laws and regulations and exploiting exceptions and loopholes to muddy the waters and withhold information. They realize that something they might have stated in an email may become a political liability later. It is time to put a stop to the disregard for federal records regulations and lack of transparency.

This edict must come from the top down. We have seen this failure in private sector IG programs as a result of a weak or nonexistent executive sponsor. They lose steam and fade out. It is a key IG Best Practice to have a strong executive sponsor with clear business objectives driving the program. In this case that sponsor must be the President of the United States and he must sign an executive order to initiate action.

It is long past time to implement a Chief IG Officer role in the government and for the person who heads that agency to have the legal standing to implement controls and to report violations that may carry criminal penalties. It is critical to maintaining a record of public servants’ work on the citizens’ behalf.

How would that work? What about the overlapping responsibilities of the National Archives and Records Administration (NARA)? I say bring NARA to the cabinet level too. It is long past due. Their focus at the executive level will be to advise agency heads on RM regulations and policy issues, and to advise the federal Chief IG Officer (whose responsibilities would be much broader).

What about the overlapping responsibilities of the Office of Management and Budget? Aren’t they supposed to be handling some IG-related tasks?

“The Deputy Director for Management (DDM) also serves as the nation’s first Federal Chief Performance Officer (CPO). The DDM/CPO develops and executes a government-wide management agenda that includes information technology, financial management, procurement, performance, and human resources.”

In my opinion, the OMB’s CPO should report to the federal Chief IG Officer who heads the Department of IG. At the very least there should be a dotted line reporting structure.

To coordinate efforts that may affect the security of the U.S., a representative of the Department of Homeland Security should be on the Department of IG staff, or at least have a dotted line reporting relationship.

To assist in investigations by providing effective law enforcement tools and techniques the federal Chief IG Officer role should also have a representative of the Department of Justice on their staff, or at least have a dotted line reporting relationship.

Information Risk and Security

There are various information security threats, which have been increasing. “From 2009 to 2013, the number of reported breaches just on federal computer networks — the .gov and .mils — rose from 26,942 to 46,605, according to the U.S. Computer Emergency Readiness Team .[In 2014] US-CERT responded to a total of 228,700 cyberincidents involving federal agencies, companies that run critical infrastructure and contract partners. That's more than double the incidents in just four years. And, of course, the level of incursions keeps rising.

The Chief IG Officer would be held accountable to implement baseline security measures across all federal agencies. They would make sure that, for instance, the ISO 27001 standard for information security (infosec) management is implemented, that infosec training is implemented regularly, that no one had a personal email server, and that technologies like encryption, data loss prevention (DLP), and information rights management (IRM) are deployed to secure confidential email messages and attachments.

Maximizing Information Value

Then there is the looming value proposition. A big part of IG is maximizing the value of information. All that information the federal government creates and uses, if organized and harnessed, can improve operations and effectiveness. New tools and techniques in Big Data are going to be able to be leveraged to assist government planners and managers in making decisions. They can go far beyond using analytics to “relieve traffic congestion, monitor public utilities, evaluate and predict crime, follow education trends, and keep tabs on public resources.”

These new Big Data insights can only be found if good clean data is housed and its integrity and authenticity can be verified. Stated succinctly, to avoid the timeless maxim, “garbage in equals garbage out.” Data governance and data quality are key aspects of a strong IG program. But this job calls for much more than a Chief Data Officer.

It calls for the Chief IG Officer to report directly to the president, as a part of his cabinet. The rank of the Chief IG Officer should be equivalent to the Chief of Staff, only without any political considerations. It should be a standing appointment that crosses executive branch administrations.

Information Governance concerns are center stage. Information is the lifeblood of our society, business, and government. It is time for a new Department of Information Governance. The American people deserve it and it is an increasingly important element for Homeland Security, transparency in government, operational effectiveness, and preserving our historical records.

Robert Smallwood is Managing Director of the Institute for IG at IMERGE Consulting, which can be found at www.IGTraining.com. He teaches comprehensive courses on IG and E-records management for corporate and public sector clients. He is the author of 3 leading books on Information Governance: Information Governance: Concepts, Strategies. and Best Practices (Wiley, 2014); Managing Electronic Records: Methods, Best Practices, and Technologies (Wiley, 2013); and Safeguarding Critical E-Documents (Wiley, 2012).

Follow Robert on Twitter @RobertSmallwood and if we are not connected - please feel free to reach out!

0 comments
53 views

Permalink