Egregious Email Non-Compliance Requires Strong Action
NOTE:
This blog post is in no way a political one that takes sides; rather, it
deals with the policy and technology issues around Hillary Clinton’s
recent email kerfuffle.
The Clinton email story has been all
over the media the last couple of weeks. The scenario involves a number
of interrelated issues: information technology, privacy, information
security, records management (RM), legal issues, risk, and business
issues.
Guess what?
These all happen to be components of the Information Governance Reference Model.
What the whole modern world is talking about are Information Governance
(IG) issues. This is an IG practitioner’s dream: IG has been elevated
to the world stage. Except that most people don’t know what IG is, or
how to implement it.
“Information governance is security, control, and optimization of information.”
In other words, IG is about maximizing information value while minimizing its risks and costs.
This
isn’t the first federal records scandal. Poor record keeping has been a
pattern in the federal government that has allowed corruption,
wrongdoing, and ineptness to go unpunished, and has deprived the
American people of a preserved record of their governmental leaders'
actions on their behalf.
In fact, poor record keeping and
information controls plague all levels of our government, and it has
been going on for decades. A 2001 study
prepared for the National Archives and Records Administration (NARA)
found that most federal employees did not understand the concept of a
‘record’ and were unclear about retention requirements, that record
keeping was inconsistent across agencies, that government employees did
not know how to handle e-records, that integration of record keeping
with business processes was lacking, and that records management was a
low priority based on budget, staffing, and training levels.
Obviously, nothing has changed.
It
is time to bring IG to the forefront of the conversation. Historically,
RM has been pushed aside in budgets and priorities in government and
has not had a seat at the C-level table in business. Keeping accurate
records has been a problem for a long time in government (and business)
at all levels, so it is time to do something about it on the federal
level.
The Inspector General function in the various agencies
simply has not been effective in focusing on records or Information
Governance issues—they just do not have the toolset or mandate to carry
it out. At the State Department the Inspector General investigation
found that only 61,000 of the 1 billion or
more emails sent in 2011 were preserved. Are we really to believe that
only .0061% of the email communications at the State Department that
year were actually official business? That more than 99.99% of their email communications did not qualify as a federal record?
Just look at the track record of the federal government: We have continued to have RM failures and missing records.
Here are some clear examples of the impact of poor record keeping at the federal level:
- On September 10, 2001, Secretary of Defense Donald Rumsfeld stated in a speech that the Pentagon, “… cannot track $2.3 trillion in transactions.”
The following day most of the records were destroyed or damaged and
dozens of civilian accountants, bookkeepers, and budget analysts in that department were
killed. Proper recordkeeping procedures and off-site backup records
storage would have assured that records were maintained for auditing and
historical purposes;
- Gulf War veterans have had difficulty in filing medical claims
due to poor record keeping procedures and unauthorized purging of
files. Proper record keeping procedures and controls would have assured
that vets received the medical treatment and benefits they deserved.
Some of them died waiting on treatment due to lost records;
- During
an investigation of the dismissal of eight U.S. Attorneys, it was found
that the George W. Bush administration used a private email server
“gwb43.com” which was set up at the Republican National Committee (RNC)
headquarters. In 2007, the Bush Administration admitted it may have lost
5 million emails, which by 2009 was revised to “as many as 22 million.”
Later, a report by the House Committee on Oversight and Government Reform
found that ZERO records of 51 of the 88 White House officials who were
issued email addresses from the gwb43.com domain were preserved. Proper
record keeping procedures and vigilant enforcement would have prevented
this.
- In the 2013 IRS targeting scandal, Lois Lerner of the
Exempt Organizations Unit at the IRS claimed critical emails were lost. In 2014 the IRS informed
Congressional investigators that it "could not recover" two
years of Lerner's emails since backup tapes were overwritten and
Lerner's computer hard drive crashed. Lerner refused to testify so the
email messages are the only record of what transpired. Then, in late 2014 the
Inspector General discovered disaster recovery tapes
that contained over 30,000 of Lerner's emails, but they have not been
sorted through or analyzed yet. Proper record keeping, email archiving,
and backup procedures would have prevented the delay and allowed the IRS
to produce the requested email messages for Congress in a timely
manner.
Many instances can be cited. Many more.
The current system in place is not effective in enforcing the records
laws that are on the books. The regulations and laws need to be
strengthened and tightened and enforcement needs to be assured. One
example of poor regulatory guidance is where federal employees are
allowed to use personal email accounts for government business. Federal
employees must never use personal email accounts to conduct the public’s
business. Any government business or personal emails sent through a
government email account should be preserved using NARA’s Capstone
Approach to start. In Capstone, all email messages for those ranking
above a certain level in an agency are preserved, and those below that
level are preserved for a specified time, typically seven years. It is a
crude classification system but it is meant to be a bridge to a more
sophisticated and comprehensive one, according to its chief architect,
Jason Baron, the former Director of Litigation at NARA.
The IG
community needs to endorse and advocate for a cabinet-level agency with
the legal authority to implement IG. This would include overarching
authority over all information systems planning and architecture
including information security, privacy, risk, records management, and
legal retention and reporting requirements.
The “Department of
Information Governance” needs to be created with the mandate to not only
control and secure records, but to harmonize and streamline a
cross-agency effort to capture and maintain federal records. That means
simplified and standardized retention schedules and the integration of
IG and particularly information security and RM functions into
day-to-day business processes. It must be an ongoing “evergreen”
program.
The U.S. has 15 executive departments, with
the Department of State, headed by the Secretary of State, being closest
and most important in the line of succession after the Vice-President,
followed by Treasury, Defense, Justice, Interior and so forth.
There are additional cabinet-rank positions including the Chief of Staff
and Office of Management and Budget (OMB).
Government and
businesses run on information. Information forms the basis for
management decisions and policy. It is preposterous that we have a
federal government structure that does not value information, which has
become, in many ways, “the new oil.” We have a Department of Energy, so
why nothing for Information? The time has come.
Politicians
and government bureaucrats have been relying on vague laws and
regulations and exploiting exceptions and loopholes to muddy the waters
and withhold information. They realize that something they might have
stated in an email may become a political liability later. It is time to
put a stop to the disregard for federal records regulations and lack of
transparency.
This edict must come from the top down. We have
seen this failure in private sector IG programs as a result of a weak or
nonexistent executive sponsor. They lose steam and fade out. It is a
key IG Best Practice to have a strong executive sponsor with clear
business objectives driving the program. In this case that sponsor must
be the President of the United States and he must sign an executive
order to initiate action.
It is long past time to implement a
Chief IG Officer role in the government and for the person who heads
that agency to have the legal standing to implement controls and to
report violations that may carry criminal penalties. It is critical to
maintaining a record of public servants’ work on the citizens’ behalf.
How
would that work? What about the overlapping responsibilities of the
National Archives and Records Administration (NARA)? I say bring NARA to
the cabinet level too. It is long past due. Their focus at the
executive level will be to advise agency heads on RM regulations and
policy issues, and to advise the federal Chief IG Officer (whose
responsibilities would be much broader).
What about the overlapping responsibilities of the Office of Management and Budget? Aren’t they supposed to be handling some IG-related tasks?
“The
Deputy Director for Management (DDM) also serves as the nation’s first
Federal Chief Performance Officer (CPO). The DDM/CPO develops and
executes a government-wide management agenda that includes information
technology, financial management, procurement, performance, and human
resources.”
In my opinion, the OMB’s CPO should report to the
federal Chief IG Officer who heads the Department of IG. At the very
least there should be a dotted line reporting structure.
To coordinate efforts that may affect the security of the U.S., a representative of the Department of Homeland Security should be on the Department of IG staff, or at least have a dotted line reporting relationship.
To
assist in investigations by providing effective law enforcement tools
and techniques, the federal Chief IG Officer should also have a
representative of the Department of Justice on their staff, or at least a dotted line reporting relationship.
Information Risk and Security
There are various information security threats, which have been increasing.
“From 2009 to 2013, the number of reported breaches just on federal
computer networks — the .gov and .mils — rose from 26,942 to 46,605,
according to the U.S. Computer Emergency Readiness Team. [In 2014]
US-CERT responded to a total of 228,700 cyberincidents involving federal
agencies, companies that run critical infrastructure and contract
partners. That's more than double the incidents in just four years. And,
of course, the level of incursions keeps rising.
The Chief IG
Officer would be held accountable to implement baseline security
measures across all federal agencies. They would make sure that, for
instance, the ISO 27001 standard for information security (infosec)
management is implemented, that infosec training is implemented
regularly, that no one has a personal email server, and that
technologies like encryption, data loss prevention (DLP), and information rights management (IRM) are
deployed to secure confidential email messages and attachments.
Maximizing Information Value
Then
there is the looming value proposition. A big part of IG is maximizing
the value of information. All that information the federal government
creates and uses, if organized and harnessed, can improve operations and
effectiveness. New tools and techniques in Big Data can be leveraged to assist government
planners and managers in making decisions. They can go far beyond using
analytics to “relieve traffic congestion, monitor public utilities,
evaluate and predict crime, follow education trends, and keep tabs on
public resources.”
These new Big Data insights can only be found
if good clean data is housed and its integrity and authenticity can be
verified. Stated succinctly, the aim is to avoid the timeless maxim, “garbage in
equals garbage out.” Data governance and data quality are key aspects of
a strong IG program. But this job calls for much more than a Chief Data
Officer.
It calls for the Chief IG Officer to report directly to
the president, as a part of his cabinet. The rank of the Chief IG
Officer should be equivalent to the Chief of Staff, only without any
political considerations. It should be a standing appointment that
crosses executive branch administrations.
Information Governance
concerns are center stage. Information is the lifeblood of our society,
business, and government. It is time for a new Department of Information
Governance. The American people deserve it and it is an increasingly
important element for Homeland Security, transparency in government,
operational effectiveness, and preserving our historical records.
Robert Smallwood is Managing Director of the Institute for IG at IMERGE Consulting, which can be found at www.IGTraining.com.
He teaches comprehensive courses on IG and E-records management for
corporate and public sector clients. He is the author of 3 leading books
on Information Governance: Information Governance: Concepts, Strategies, and Best Practices (Wiley, 2014); Managing Electronic Records: Methods, Best Practices, and Technologies (Wiley, 2013); and Safeguarding Critical E-Documents (Wiley, 2012).