Federal technology division accidentally erased a full year's worth of texts from the ex-chair's mobile device, as reported by the SEC.
On Wednesday, the Office of Inspector General (OIG) published a report detailing the erasure of text messages from former Securities and Exchange Commission (SEC) Chair Gary Gensler's government-issued phone.
The trouble started on July 6, 2023, when Gensler's phone lost its connection with the SEC's mobile device management system. Some of the recovered text messages were about an enforcement action against a crypto platform, a possible settlement with a global financial services firm, and the appointment of a new commissioner.
The SEC's Office of Information Technology (OIT) did not collect or maintain necessary log data, preventing the determination of why Gensler's device stopped communicating with the SEC's mobile device management system. A partial review of Gensler's missing text messages found that approximately 38% of them were "mission related and concerned matters directly involving SEC senior staff and/or Commissioners at the time, making them records."
The OIG could not review the missing text messages to definitively determine their status as records, but surmised that many, if not most, would be records. On Aug. 10, 2023, the SEC's OIT launched a policy to remotely wipe any SEC-issued mobile devices that hadn't linked with the device management system for 45 days or more.
The new policy was based on the assumption that such devices were not in use, potentially lost or stolen, and could no longer connect to the SEC's network. When Gensler noticed SEC apps were gone from his phone on Sept. 6, 2023, OIT personnel performed a factory reset, resulting in the permanent deletion of the device's data, including text messages.
The text messages deleted between October 2022 and September 2023 involved Gensler and more than 20 other senior SEC officials, whose communications might qualify as government work records. The cost of the incident report exceeded $50,000.
An incident report revealed that the SEC's mobile device vendor knew of a 'bug' in prior versions of its operating system that could break the connection between a mobile device and a mobile device management system, which might have caused Gensler's initial phone troubles. Had OIT or Gensler known about the phone being wiped due to the new policy, the messages could have been recovered.
The OIG reported that inadequacies in their report impacted its reliability and usefulness. The SEC's IT was criticized for poor change management with regard to the wiping policy, not properly maintaining its mobile device inventory, not identifying inactive devices, and not effectively reviewing and escalating relevant system-generated notifications.
The SEC concurred with all five of the OIG's recommendations aimed at better mobile device management practices and pledged to complete the tasks within the next six months. In response to the incident, the SEC disabled text messaging across the agency, with some exceptions, and alerted the National Archives and Records Administration of the change.
The erasure of these text messages could impact the regulator's responses to some Freedom of Information Act requests. The SEC has not yet commented on the potential implications for ongoing investigations or enforcement actions.
