Way back in 2013, it came to light both to Congress and to the American people that the IRS might have been targeting certain political groups and delaying or denying them 501(c)(4) tax exemption status due to their beliefs. The truth of the matter lay in approximately 30,000 emails sent to and from then-director of the Exempt Organizations Unit of the U.S. Internal Revenue Service, Lois Lerner, which the IRS claimed were lost.
Lerner has since retired, and in 2014 federal investigators recovered most, if not all, of the emails in question. While this discovery sets off another round of fireworks among the nation’s opposing political parties, there are.
What Training Do IT Asset Managers Need?
When Lerner and her organization informed Congress that the emails were unavailable, they claimed that her computer had crashed in 2011, destroying all evidence of the emails. Yet good asset management policies, along with a well-trained IT asset manager, would never allow this to happen. Asset managers are charged with assuring that critical information is backed up and recoverable.
Additionally, a well-trained asset manager would have thoroughly documented the destruction of important documents as well as any hardware where sensitive or critical information has been stored. Lesson number one from Lerner’s emails: make sure your IT managers have the training they need to safeguard data that might be needed later for litigation, audits, hearings, and the like.
Not only can lost data cost you when you need it and don’t have it; failure to safely and securely destroy data and hardware that houses sensitive data can lead to the information landing in the wrong hands. This is prime ground for targeting by cyber terrorists, by those who engage in corporate espionage, and by identity thieves.
What Are the Correct Policies and Procedures for Hardware and Records Destruction?
Some data needs to be kept for a certain number of years, such as data related to tax filings. Other data needs to be kept indefinitely, and some data needs to be disposed of regularly. A strong IT asset management program has solid policies and procedures regarding what data needs to be stored, how, and for how long. Also, policies governing how, when, and by whom data destruction takes place are crucial. Not only is data destruction important, but servers, hard drives, and other storage devices used to house sensitive information need to be disposed of properly, including accurate, complete, and verifiable records of when, where, and how the hardware was destroyed.
How Can Outside Vendors Be Helpful?
Many asset managers depend on outside vendors for the physical destruction of records and hardware. This serves two purposes: first, highly trained IT asset managers aren’t out back burning discs or taking hammers to hard drives. But more importantly, the vendor keeps additional records of the destruction, which serves as a second layer of verification if the disposal of the data comes into question, such as with Lerner’s emails.
Do You Have a Solid Disaster Recovery Plan in Place?
Most asset managers rolled their eyes when Lerner and her IT managers claimed the data was unrecoverable, because the majority of organizations are keenly aware of the importance of disaster recovery plans. Hard drives crash. Buildings burn. Offices flood. These things can happen. Smart businesses have important data backed up, and have a tested and proven plan in place to recover the data in case one of these — or any other unforeseen event — renders computers, hard drives, servers, or the entire IT department useless.
How Can Mobile Devices Serve as an Important Backup Plan?
The last question knowledgeable and experienced asset managers wanted to ask was, “What on earth happened to Lerner’s BlackBerry?” Most executives (if truth be told, most people nowadays) keep copies of their emails on their smartphones. Even if her computer crashed, the data was not backed up, and there was no recovery plan in place — there still should have been at least a partial copy of those emails on Lerner’s BlackBerry.
By asking these questions, and having sound policies around the answers, IT organizations can do their part to help avoid the same embarrassment and scrutiny the IRS underwent following the Lois Lerner scandal.