[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
IRS: REVIEWING ITS LEGAL OBLIGATIONS, DOCUMENT PRESERVATION, AND DATA
SECURITY
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
FEBRUARY 11, 2016
__________
Serial No. 114-93
__________
Printed for the use of the Committee on Oversight and Government Reform
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
_____________
U.S. GOVERNMENT PUBLISHING OFFICE
22-591 PDF WASHINGTON : 2016
_______________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio ELEANOR HOLMES NORTON, District of
TIM WALBERG, Michigan Columbia
JUSTIN AMASH, Michigan WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee JIM COOPER, Tennessee
TREY GOWDY, South Carolina GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida TED LIEU, California
MICK MULVANEY, South Carolina BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina MARK DeSAULNIER, California
ROD BLUM, Iowa BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama
Jennifer Hemingway, Staff Director
David Rapallo, Minority Staff Director
Henry Kerner, Deputy Director of Oversight and Investigations
Jack Thorlin, Counsel
Sharon Casey, Deputy Chief Clerk
C O N T E N T S
----------
Page
Hearing held on February 11, 2016................................ 1
WITNESSES
Mr. Terence Milholland, Chief Technology Officer, Internal
Revenue Service, Washington, D.C.
Oral Statement............................................... 9
Written Statement............................................ 10
Mr. Jeff Tribiano, Deputy Commissioner, Operations, Internal
Revenue Service, Washington, D.C.
Oral Statement............................................... 14
Mr. Edward Killen, Director of Privacy, Governmental Liaison, and
Disclosure, Internal Revenue Service, Washington D.C.
Oral Statement............................................... 15
APPENDIX
2016-04-07 Mr. Tribiano IRS re: Hearing Follow-up Responses...... 52
IRS: REVIEWING ITS LEGAL OBLIGATIONS, DOCUMENT PRESERVATION, AND DATA
SECURITY
----------
Thursday, February 11, 2016
House of Representatives
Committee on Oversight and Government Reform
Washington, D.C.
The committee met, pursuant to call, at 1:02 p.m., in Room
2154, Rayburn Office Building, Hon. Jason Chaffetz [chairman of
the committee], presiding.
Present: Representatives Chaffetz, Mica, Jordan, Walberg,
Amash, DesJarlais, Gowdy, Massie, Meadows, DeSantis, Buck,
Walker, Blum, Hice, Russell, Carter, Grothman, Hurd, Palmer,
Cummings, Maloney, Norton, Connolly, Kelly, Watson Coleman,
Plaskett, DeSaulnier, Boyle, and Welch.
Chairman Chaffetz. The Committee on Oversight and
Government Reform will come to order. Without objection, the
chair is authorized to declare a recess at any time.
We are here today because the IRS' current leadership has
proven irresponsible and negligent. The IRS cannot seem to
properly preserve documents or ensure both privacy and security
in accepting electronic tax returns. The Agency is in desperate
need of new leadership to put it on a better course. There are
already a number of examples of IRS incompetence and neglect in
the past few years, but several incidents in recent weeks have
made it clear for the need for further serious oversight and
meaningful reform.
As millions of individuals and companies prepare to file
tax returns, the IRS must ensure its data systems are secure.
Last summer, the IRS suffered a massive hack, leaving the tax
information of 300-plus thousand individuals exposed. The
hackers used that information to file fraudulent returns
totaling something in the neighborhood of $50 million in
refunds before the IRS figured out what was happening. But it
has been well documented billions of dollars have
inappropriately gone out the door.
And the facts surrounding the recent events appear very
similar. On January 25th, 2016, the IRS detected unusual IP
traffic on its network. This turned out to be a coordinated bot
attack or botnet aimed at the e-file system. The hackers' goal
was to recover taxpayer e-PINs, electronic pins, which would
allow them steal refunds of innocent taxpayers. Roughly 450,000
unique social security numbers were used by hackers in at least
950,000 attempts to obtain these electronic PIN numbers. All
told, the hackers are estimated to have stolen more than
101,000 of these electronic PIN numbers.
This latest breach raises serious concerns about the
security of the system overall as well as the potential for
paying out fraudulent claims, but none of this should surprise
the IRS. In the last evaluation of the IRS' information
security, the inspector general in September of 2015
determined, ``Until the IRS takes steps to improve its security
program deficiencies and fully implement all security program
areas in compliance with FISMA requirements, taxpayer data will
remain vulnerable to inappropriate and undetected use,
modification, and disclosure.'' It probably does not get any
worse or dire in terms of a warning. This level of incompetence
is intolerable for an agency where millions of individuals file
their most personal financial information.
We are also here to discuss the failure of the IRS to
properly preserve documents subject to lawsuits, and/or
internal preservation orders, as well as FOIA requests. We take
FOIA very seriously. The Freedom of Information Act is the
public's right to know. It also allows companies and other
organizations to access data so they can defend themselves.
On January 15th of 2016, the Department of Justice
disclosed in a Federal court filing that the IRS had erased a
hard drive belonging to a former senior Agency employee named
Samuel Maruca. And if this story sounds similar to things we
have heard about with Lois Lerner and others, it is, and that
makes us sick. It is disgusting. It has to stop. We are doing
everything we can to highlight. It is inappropriate, and yet it
continues.
The hard drive contained information subject to FOIA
litigation. Despite the lawsuit, an internal preservation
order, and the legal obligation to preserve related documents
to the IRS, the IRS wiped the hard drive and scheduled it for
recycling. This involved a multibillion-dollar issue relating
to Microsoft. The hard drive likely sat in queue and was wiped
up to 4 months after the internal preservation was ordered.
Again, after. Internal preservation in place, then the wiping
of a hard drive.
We cannot say for sure to pinpoint the date because the IRS
does not know when the hard drive was wiped clean. Hard drives.
You go to Best Buy, you can buy them for less than a hundred
bucks. In a multibillion-dollar situation, this is what we are
talking about, but, again, this continues to be familiar.
In March of 2014, the IRS destroyed backup tapes containing
Lois Lerner's emails which were subject to investigation by
Congress, the inspector general, the Department of Justice.
There were five open investigations, two duly issued subpoenas,
and the IRS wiped the data. Here we have another case where
people properly filed FOIA requests, and they wiped it again.
This is just 1 month after the Agency learned that a
significant portion of the Lerner emails were missing, and,
again, it happened. As it turns out in the Maruca case, the
IRS, by sheer luck, already copied the hard drive because of a
different lawsuit. It was not because of competence. It was
just sheer luck.
So if you look at the IRS, they have roughly $2.4 billion
they spent on IT, and it is worthless. Absolutely worthless. 60
to 70 percent of those funds are spent on legacy systems,
preserving old things like COBOL and other types of things, but
there are still billions of dollars in fraud running through
the system.
We have a situation we are going to talk about today where
there was a reported hardware failure. The story we got is that
there was a power outage, but then the redundant power, the
backup power, it also went out. How does that happen? Why do
you have redundant power if it also goes out? When we asked
through questioning about a breach, I put out a tweet pretty
quick and said, you know, this so-called hardware failure maybe
was a breach. We start to go and probe and have an
investigation. We have a bipartisan staff talking to the IRS,
and then they say, oh, we should probably tell you about the
breach. What breach?
If you look at the timeline of this, let us go through this
because this is just days ago. Our committee, Oversight and
Government Reform, a week ahead email to the press confirmed
that there would be a hearing on February 11th relating to IRS
document destruction and data security. On February 8th,
majority and minority committee staff has a call with the IRS
regarding the e-filing outage and the status of the Maruca hard
drive. The IRS gives an update on how it planned to recover the
hard drive and confirmed it had been wiped. After that date,
our staff asked about the breach referring to the e-filing
issue. Mr. Milholland, who is here with us today, begins
describing the previously unreported and undisclosed breach.
The IRS legal staff intervened and said that he was talking
about a different event, so we asked for more information about
that.
The next day, February 9th, miraculously in the Wall Street
Journal, the IRS releases further details regarding the breach
in another phone call with the majority and minority committee
staff, and shortly thereafter the IRS releases a statement to
the Wall Street Journal regarding the breach. If we had not
been asking about another incident, we would not have known
about this incident, and it affects over 100,000 people.
This is a recurring theme. It is totally unacceptable. We
look forward to peppering you with questions, and we expect
answers.
With that I will yield back, and now recognize the ranking
member, Mr. Cummings.
Mr. Cummings. Thank you very much, Mr. Chairman. I always
try to start out hearings by stating what I think we can all
agree on. Today I think we can agree that the IRS should have
strong systems in place to properly preserve Federal records
and to protect its computer systems from cyberattacks. I think
we can agree on that, and those are valid goals, and I know
that the IRS agrees with them.
However, I do not believe this committee has been serving
its intended purpose when it comes to the IRS generally.
Unfortunately, Republicans have become obsessed with
investigating any and every allegation relating to the IRS, no
matter how small. I believe this is because Republicans were
not able to find any evidence to support their baseless
accusations that the White House conspired with Lois Lerner to
target conservative groups for political reasons. They also
were not able to identify any evidence that Commissioner
Koskinen or any IRS employees destroyed evidence in order to
obstruct our investigation.
For the record, this is our 23rd hearing on the IRS. The
23rd. 23rd. That is amazing. We have now interviewed 54
witnesses. The IRS commissioner has testified six times, more
than any other agency has over the past 3 years. The IRS had
produced more than 1.3 million pages of documents from 88
custodians in response more than 80 requests for documents. Yet
despite this exhaustive multi-agency, multi-committee,
multiyear investigation, this wild goose chase continues, and
it has come up empty.
Last year, the inspector general issued his report and
identified no evidence to substantiate Republican claims of
political motivation by the White House or intentional
destruction of evidence. Specifically, the report found, ``No
evidence was uncovered that any IRS employee had been directed
to destroy or hide information from Congress, the DOJ, or
TIGTA.''
The Justice Department also conducted an investigation and
concluded that, ``Not a single IRS employee reported any
allegation, concern, or suspicion that the handling of tax
exempt applications or any other IRS function was motivated by
political bias, discriminatory intent, or corruption.'' The
Justice Department also found, ``no evidence that any official
involved in the handling of tax exempt applications or IRS
leadership attempted to obstruct justice, and no evidence of
any deliberate attempt to conceal or destroy information.''
Amazingly, none of these findings stopped the Republicans from
trying to impeach the IRS commissioner, despite the fact that
there is no evidence that he intentionally obstructed our work
or destroyed documents.
The problem now is that our committee is in a mindset where
we are just trying to get the IRS, and unfortunately the public
does not always get a complete or accurate picture as a result.
For example, the impetus for today's hearing was a press report
that an IRS employee, who was leaving the Agency, had his hard
drive erased in violation of a court order. However, we
received a letter from the IRS last week explaining that, in
fact, the IRS copied this employee's hard drive first. Another
example is the outage the IRS experienced last week. The
chairman stated that his gut reaction was that the outage was,
``It really does smell like a hack.'' However, the IRS has now
briefed our committee that, in fact, it was due to a mechanical
device failure, and there is, ``zero percentage chance that
this was a cyberattack.''
Yet another example Republicans have focused on is the
incident involving PIN numbers that occurred in January. What
is not mentioned is that, in fact, the IRS successfully blocked
the IP addresses from which this attack was initiated. As a
result, this week the IRS confirmed, ``No personal taxpayer
data was compromised or disclosed by our IRS systems.'' These
are critical facts, and I hope that the public understands them
and any press that are here will repeat them. As I said
earlier, this is our 23rd hearing on these types of allegations
against the IRS.
Imagine instead if we had held 23 hearings on the issue
that actually matters to the American people. Imagine if we had
held 23 hearings where we brought in drug company officials to
explain their skyrocketing prices. Now, that is something that
we could really help our fellow citizens on and would make a
big difference. Going forward, I hope we will use the resources
and the authority of this great committee to serve the
interests of our constituents.
I want to thank our witnesses for being with us today. I
look forward to your testimony. And with that, Mr. Chairman, I
yield back.
Chairman Chaffetz. I thank the gentleman. I will now
recognize Mr. Jordan of Ohio as the chairman of the
Subcommittee on Healthcare Benefits and Administrative Rules,
and recognize him for 5 minutes.
Mr. Jordan. Thank you, Mr. Chairman. The ranking member
said Republicans have had 23 hearings where they are ``trying
to get the IRS.'' We are not trying to get the IRS. The IRS is
trying to get conservative Americans who are exercising their
1st Amendment free speech rights. 23 hearings is a pretty small
price to pay when you are trying to protect fundamental
liberties in the Constitution, for goodness sake. So I want to
thank the chairman for this hearing on document preservation,
data security. If anyone needs it, certainly the IRS needs a
lesson in how to preserve documents.
Let me give you a quick little history here. Several years
back, Brian Downing orders destruction of documents that TIGTA
needs in their audit. The person who was ordered to destroy the
document comes forward as we want whistleblowers to come
forward when something wrong is going on, comes forward and
tells Stephen Whitlock, the then acting director of the Office
of Professional Responsibility, and he says just keep
destroying the documents.
Fast forward to 2013. Again, the IRS gets caught with their
hand in the cookie jar. Lois Lerner's now famous speech, May
10th, 2013, where she goes to the Bar Association, lies to the
American people, says it was not us, it was just those folks in
Cincinnati. Complete lie. It was folks in Washington
orchestrating this targeting against conservative groups. Later
that year, later in 2013, Mr. Koskinen is brought in to clean
up the mess. In fact, the President himself said, ``He's the
expert at turning around institutions.''
So what has the turnaround been? The chairman just talked
about it, right? What has the turnaround been? We had this case
with Microsoft where an IRS employee, Sam Maruca, his hard
drive is wiped clean when there is a preservation order in
place not to destroy any records relative to that court case
and that investigation. And, of course, the one that I think is
most important, Mr. Koskinen, brought in as the turnaround
expert, learns that Lois Lerner's hard drive has had problems.
He waits 2 months before he tells Congress and the American
people, and, more importantly, under his watch, 422 backup
tapes are destroyed after there are three preservation orders.
Three orders, one from Mr. Milholland himself, do not destroy
anything. And what does the IRS do? Three preservation orders,
one from the IRS themselves, one from TIGTA, one from the
Justice Department doing a criminal investigation, and two
subpoenas from this committee, what does the IRS do? They
destroy 422 backup tapes containing potentially 24,000 emails
relevant to a congressional investigation and a criminal
investigation. So there is a pattern here.
Now, finally, Mr. Chairman, just to add insult to injury,
guess what the Internal Revenue Service did? That very first
example I gave you about Mr. Whitlock who said, no, keep
destroying the documents that the whistleblower came forward
and said we are doing. Guess what happens? I guess at the IRS
if you destroy documents, you get a promotion. Mr. Whitlock was
just named head of the Office of Professional Responsibility.
So to the ranking member, I think a 24th hearing with that
kind of history at this organization is more than warranted,
for goodness sake. There is a pattern of destroying records, a
pattern of destroying documents, and, frankly, a pattern of
destroying records and documents when you have been told not
to. Preservation orders and whistleblowers coming forward, and
yet it continues, and when that happens, some people get
promoted at the IRS. Of course we need this hearing, and I look
forward to hearing from our witnesses.
Chairman Chaffetz. I thank the gentleman. I will now
recognize the gentleman from Virginia, Mr. Connolly, for 5
minutes.
Mr. Connolly. Thank you, Mr. Chairman, and thank you, Mr.
Ranking Member. 23 hearings on the IRS. You know, when you
cannot prove it, charge it anyhow. Repeat it. Do it louder. Try
to suborn the TIGTA to make sure that his audit is limited with
direct advice from you and your staff. Accuse people without
facts. Hammer it home on your favorite network, and hopefully
it will sink in and become true even if the facts belie it.
Chairman Chaffetz. Will the gentleman yield?
Mr. Connolly. No. I am tired of these hearings. I am tired
of insinuation. I am tired, frankly, of what looks to a lot of
people like demagoguery.
Chairman Chaffetz. Will the gentleman yield?
Mr. Connolly. No, Mr. Chairman, sadly I will not. I will
finish my statement. We need the IRS. We need it to be
functional. The same people that want to pillory you here today
for your performance do not want to take responsibility for the
fact they have starved the beast. They have cut a billion
dollars from the IRS budget, degrading service, making it very
difficult for the IRS to actually do its job. We leave $350
billion on the table every year, taxes owed, but not collected.
That could make a big dent in the debt. We could reduce the
debt over 10 years by $3 and a half trillion without raising
anyone's taxes and without cutting any essential services, but
we do not want to do that.
We do not want to do that because illogically the IRS is
such a juicy target for our base and making the case that you
represent the hard knell booted government on our necks. And
why in the world would we want to do anything to strengthen
you? And as a result, we have IT systems, according to John
Koskinen, that go back to the Kennedy Administration. That is
53 years ago. And we wonder why things are not totally
functional? We wonder why IRS is not fully efficient? We wonder
why hard drives crash when the average age of a computer at IRS
with 91,000 employees is 7 years plus. In the private sector it
is 2 to 3 years.
So to archive stuff, we have to print and save because we
cannot trust aging legacy technology systems, and this Congress
will not reinvest in you to bring you up to the 21st century
because that would make you more efficient. That actually might
make you be able to better do your job, and dysfunctionality
serves our purposes illogically and politically.
So, yeah, that is why we have 23 hearings, and we demonize
people, and we deny them their 5th Amendment rights, and make
charges that turn out to be without foundation. It does a
disservice to this committee, in my opinion, and I have sat
through every one of these hearings.
And I began truly concerned. Was this, in fact, going on?
Did IRS, in fact, target a particular group or philosophy? As
the ranking member said, all of the facts tell us no. Was there
ineptitude? Was there political tone deafness? Yes. Was there a
deliberate attempt by a Federal agency to target a particular
political group or set of groups because of their political
philosophy? No. And you can charge to the contrary all you
want, but the evidence trail does not tell us that. But it
makes for good television, and it riles up the base, and it
probably raises money, but it is not worthy of the Oversight
and Government Reform Committee.
And as the ranking member said, had we spent 23 hearings
looking at price gouging on pharmaceuticals, we actually might
have improved someone's life. We might have actually helped
some seniors better afford the drugs they need. We might have
made a contribution to bettering government. But this is a
charade. This is not about making government better, and it is
not even really about holding you accountable. I wish it were.
It is to pillory you for political purpose, and I regret that.
Now, Mr. Chairman, I do yield.
Chairman Chaffetz. For you to suggest and try to assign a
motivation to our attempt here to get at the truth is beneath
the gentleman from Virginia. Name one thing that I said in my
opening statement that is not true. Name it. You do not have
anything.
Mr. Connolly. You do not have anything, Mr. Chairman.
Chairman Chaffetz. Yes, I do.
Mr. Connolly. I reclaim my time.
Chairman Chaffetz. Will the gentleman yield?
Mr. Connolly. No.
Chairman Chaffetz. I have a point I want to make about IT.
Mr. Connolly. The chairman can use his own time because he
has got plenty of it, and he is more than prepared to use it. I
reverse it. I echo what the ranking member said. I do not think
you have proof.
Chairman Chaffetz. The gentleman's time has expired. The
gentleman's time has expired.
Mr. Connolly. Okay, thank you.
Chairman Chaffetz. With the concurrence with the ranking
member, I would like to make a point about IT because I think
that is part of the heart of why we are here today. Is the
gentleman okay with that?
Mr. Cummings. Go ahead.
Chairman Chaffetz. I was elected at the same time as
President Obama, so use that as a marker. The Federal
government has spent more than $525 billion on IT, and it is
worthless. One of the questions I have here with an operating
budget for the IT sector roughly $2.4 billion a year, why is it
that we have such poor systems? Why is it that we have DOS, and
COBOL, and other things? We have got good hardworking,
patriotic people that work at the IRS. We have 4,000 of them in
the State of Utah, and they are using an old dilapidated
system. I do not know how they do it. They try to patch and
Band-Aid this thing together, and they cannot seem to have
enough resources.
The President puts out a thing saying I need $3 billion
more? We were only $3 billion short? What happened to the other
$525 billion? That is a legitimate bipartisan question. It is
part of the reason I am here today. How is it that the IRS goes
via the Department of Justice and tells a judge that they do
not have these records? And it is not until this committee in a
bipartisan way with the staff says where is this information
that miraculously they said, oh, we actually do have it.
That is a legitimate question. It is why we have another
hearing. I did not even start the week before last thinking we
were doing an IRS hearing. I yield to the gentleman from
Maryland.
Mr. Cummings. Questions have been raised by the chairman. I
would hope that you would address those. One of the things that
all of us, and I know the gentleman from Virginia is one who is
an expert in IT and has spent a phenomenal amount of time
trying to make sure our government properly functions
effectively and efficiently. And the question that the chairman
just raised with regard to the use of old systems when we
should be in the modern age are questions that, I think, are
legitimate questions.
And so, I look forward to your responses. Does the
gentleman ----
Mr. Connolly. I would just add to my friend from Maryland,
I could not agree more that those are legitimate lines of
inquiry, but they have to be balanced with what has happened to
your budget so that you can make those investments. Has it gone
up or down? Has Congress shown a commitment to try to modernize
your IT systems so that we do not have this kind of problem?
Presumably we could find common ground. That is non-partisan
agreement.
Chairman Chaffetz. It is in my set of questions and why we
are having this hearing today.
Mr. Connolly. Except that it is not.
Mr. Cummings. Reclaiming my time, Mr. Chairman, I yield
back.
Chairman Chaffetz. I just have to say, and I will give you
equal time here. For the gentleman to suggest those are not my
questions and to impugn the motive of any member is totally
inappropriate.
Mr. Connolly. I would simply say I did not impugn anybody's
motive. I characterized this hearing and this process, and if
the gentleman wishes to take exception to that or offense by
that ----
Chairman Chaffetz. Oh, I take deep exception to it.
Mr. Connolly. Well, I regret ----
Chairman Chaffetz. It is bipartisan. We get equal time, and
there is a legitimate reason to understand why they go to the
Department of Justice, represent that they do not have the
documents. We ask for them, and then they miraculously say, oh,
yes, I guess we do have them.
Mr. Connolly. I think that the chairman can certainly
appreciate questioning the process and the 23rd hearing on the
IRS without necessarily personalizing it. The chairman knows I
do respect him, and I certainly made no attempt to try to
personalize it. But would I characterize this process
negatively? Yes. I have made no secret of that, and I do not
apologize for it, and I do not retract it.
And it is not impugning you or any other individual to call
into question that process. That is my right as a member of
this committee, and I will not be silenced by deliberating
trying to personalize it so that the critique somehow is
diluted. The critique stands. You do not have to agree with it,
Mr. Chairman.
Chairman Chaffetz. I do not.
Mr. Connolly. But I stand by it.
Chairman Chaffetz. Let us move on. Let us move on.
Mr. Connolly. Fine, let us move on.
Chairman Chaffetz. I am pleased to welcome Mr. Terry
Milholland, chief technology officer at the Internal Revenue
Service, Mr. Jeff Tribiano, deputy commissioner of Operations
at the Internal Revenue Service, and Mr. Ed Killen, Director of
Privacy, Government Liaison, and Disclosure at the Internal
Revenue Service. I appreciate you all being here today.
If you will, please rise and raise your right hands.
[Witnesses rise.]
Chairman Chaffetz. Do you solemnly swear or affirm that the
testimony you are about to give will be the truth, the whole
truth, and nothing but the truth, so help you God?
[Chorus of ayes.]
Chairman Chaffetz. Thank you. You may be seated. Let the
record reflect that the witnesses all answered in the
affirmative.
In order to allow time for discussion, we would appreciate
it if you would limit your oral presentation to 5 minutes. Your
entire written statement will be made part of the record. Mr.
Milholland, you are now recognized for 5 minutes.
WITNESS STATEMENTS
STATEMENT OF TERENCE MILHOLLAND
Mr. Milholland. Chairman Chaffetz, Ranking Member Cummings,
members of the committee, my name is Terence Milholland. I am
the IRS chief technology officer and chief information officer.
I appreciate the opportunity to testify today.
In my role at the IRS, I'm responsible for all aspects of
the systems and data that operate our tax infrastructure. We
have a 7,000-person information technology organization that
maintains 500-plus systems and data, and supports the
processing of 200 million tax returns annually.
Before joining the IRS 7 years ago, I spent 3 decades in
the private sector and held a number of information technology
leadership positions. My experiences included as executive vice
president and chief technology officer of Visa International. I
was also the chief information officer and chief technology
officer for Electronic Data Systems Corporation, and before
that the chief information officer for the Boeing Company.
It is an honor for me to serve the public as the IRS CTO,
and to support the tax system by helping the Service modernize
its IT systems.
This concludes my opening statement, and I'd be happy to
take your questions.
[Prepared statement of Mr. Milholland follows:]
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Chairman Chaffetz. I thank the gentleman. Mr. Tribiano, you
are now recognized for 5 minutes.
STATEMENT OF JEFF TRIBIANO
Mr. Tribiano. Chairman Chaffetz, Ranking Member Cummings,
and members of this committee, my name is Jeff Tribiano, and I
am the deputy commissioner for Operations Support for the IRS.
I appreciate this opportunity to testify today.
In my position at the IRS, I oversee internal operations,
which includes information technology, human capital, finance,
privacy, procurement, planning, facilities, and security. Prior
to joining the IRS in June of 2015, I served as the associate
administrator and chief operating officer of the Department of
Agriculture's Food Nutrition and Consumer Services. And prior
to joining the Federal government in 2010, I held a number of
key leadership positions with Fortune 500 companies. In
addition, for more than 22 years I have served and continue to
serve our country as a captain in the United States Navy
Reserves, to include three mobilizations and deployments to the
Middle East.
My experiences in the public sector, private sector, and
military have given me a deep understanding of the importance
of public service. I'm especially proud to be part of the
leadership team at the IRS and to work for an agency with such
an important mission. In my 8 months at the Agency, I have
found this team to be an amazing organization filled with
dedicated and talented people, and I'm privileged to work
alongside of them.
Turning to the subject of today's hearing, the IRS has been
working for more than a year to modernize our records
retentions practices in regard to emails and other electronic
records. We are implementing the National Archives and Records
Administration's Capstone approach to managing email, and are
working towards full implementation by the end of Calendar Year
2016. At that point, our systems will permanently preserve the
email records of all employees in electronic format.
Our ultimate goal is to end the reliance on computer hard
drives of individual employees as an archive records store, and
instead use network databases to preserve all records that are
electronically generated by the workforce. As we make these
improvements for the long term, we recognize we need additional
interim measures to ensure we are doing everything possible to
retain official records until a more comprehensive solution is
in place.
This need became apparent when an issue arose in connection
with the Service's collection and production of documents
related to a Freedom of Information Act case captioned
Microsoft v. the IRS. In January of this year, the IRS advised
the Court that we had discovered an issue regarding the
computer hard drive of Samuel Maruca, a former IRS employee who
we identified in a litigation hold effort undertaken in
December of 2014 in connection with the case.
Shortly after Mr. Maruca left the Service on August 1st,
2014, his hard drive was designated for erasure so it could be
securely reused or scrapped in line with the standard IRS
procedures. Because Mr. Maruca's hard drive was designated for
erasure before the issuance of the litigation hold, the hold
did not prevent the erasure of this hard drive, which occurred
in late 2014 or in early 2015.
However, we do believe the erasure of Mr. Maruca's hard
drive will have minimal effect on our ability to complete
document production in this instance. We know that Mr. Maruca's
hard drive was copied on July 16th, 2014 in connection with the
document collection being undertaken for a separate litigation.
We have, therefore, determined that the data stored on his
computer hard drive up to July 16th, 2014 has been preserved.
We also have emails copied on Mr. Maruca's network account in
July of 2014, and if necessary, we also can access our backup
tapes or disaster recovery tapes in order to produce documents.
Even so, we recognize the situation will reflect a
shortcoming in our document controls. Therefore, pending
further review of the IRS' litigation hold procedures, the
Commissioner has ordered a halt to the erasure and recycling of
employees' devices, including computer hard drives and mobile
devices, for all departing employees. We'll now copy material
off the hard drive of every employee who leaves the Agency, and
store that information in a digital format in addition to
retaining the physical hard drive.
We are also broadening our litigation hold procedures to
ensure that hold instructions are provided not only to the
pertinent employees, but also to the employee's supervisor.
We'll also update our procedures for processing employees who
leave the Service to ensure that appropriate personnel are
advised of pending litigation holds and document collection
efforts involving the records of custody for departing
employees.
In closing, I want to assure the committee that the IRS is
committed to building on these efforts and to make further
improvements, and continue focusing on serving the Nation's
taxpayer.
This concludes my statement, and I'll be happy to answer
any questions.
Chairman Chaffetz. Thank you. Mr. Killen, you are now
recognized for 5 minutes.
STATEMENT OF EDWARD KILLEN
Mr. Killen. Chairman Chaffetz, Ranking Member Cummings, and
members of the committee, my name is Edward Killen, and I am
the director of Privacy, Governmental Liaison, and Disclosure
at the IRS. I appreciate the opportunity to testify today.
In my role at the IRS, I represent the Agency's interests
in multiple aspects, including records management, information
protection, disclosure, data sharing, and combatting identity
theft. My office manages relationships with Federal, State, and
local agencies by facilitation and oversight of various data
sharing programs and initiatives. We also work to ensure the
protection of Federal tax information in the custody of our
data exchange partners.
The bottom line for my office is that we're working every
day to protect taxpayers, safeguard their personal data, and
promote both privacy and transparency principles, including the
appropriate availability of Agency records.
I've spent my career in public service, beginning as a
presidential management fellow with an appointment to the
Social Security Administration. In 2003, I joined the IRS as a
policy analyst in our Wage and Investment Division. Since then,
I've had the opportunity to carry out a wide range of
assignments in different areas at the Service, including
leadership positions as the director of Governmental Liaison,
Disclosure, and Safeguards, and senior advisor to the deputy
commissioner of Operations Support. I have also engaged in
numerous and diverse detail assignments across the IRS,
including stints within our Chief Counsel's Office and the 2008
economic stimulus team.
I'm proud of the years I've spent in public service and
grateful for the chance to continue to serve the American
taxpayer.
This concludes my statement, and I would be happy to take
your questions.
Chairman Chaffetz. Thank you. You all seem like decent
individuals. The question is, why do we have to keep coming
back and asking for the same basic information? The IRS advice
to individuals in businesses is that they should hold their own
personal business and tax information for how long? How long
are you supposed to hold onto your own personal information?
Mr. Tribiano?
Mr. Tribiano. Sir, that is not my area. I am with
Operations Support, so I ----
Chairman Chaffetz. Mr. Killen, how long? How long does the
IRS advise you to hold onto your own personal information?
Mr. Killen. Well, I think it would depend on the particular
circumstances. But, you know, as a general matter, probably 7
years or so is probably ----
Chairman Chaffetz. 7 years. I mean, that is what I have
generally heard as well, 7 years. So how long does the IRS hold
onto its own data and information? Mr. Maruca leaves the
employment. Why the swift erasure of everything that he has?
Why does that happen? Mr. Killen?
Mr. Killen. Well, I think in the particular case of Mr.
Maruca, as the written testimony shows and as I think we will
probably talk through the day, that was largely a factor of
sequencing and of particular circumstances. But I think the
thing that I would reiterate about that is that essentially we
have found the file, the data ----
Chairman Chaffetz. Okay, but, yes, you did find the file
because we pushed the issue, forced the issue. But on January
15th of this year, the Department of Justice on the behalf of
the IRS actually filed a notice with the Federal court that
they had erased Mr. Maruca's hard drive.
Here is the fundamental problem. You require us, the
people, to hold onto their information for 7 years. The IRS
erases their information. There is no consequence. Nobody is
held accountable. There was an internal preservation order, but
it was ignored, and there is no consequence for that, right?
Who issued the internal preservation order?
Mr. Tribiano. That came from our legal department.
Chairman Chaffetz. How does that process not hold that
information?
Mr. Tribiano. The internal preservation order came, it was
actually a litigation hold order, came after Mr. Maruca left
the Agency.
Chairman Chaffetz. What originally happened is Microsoft
filed a Freedom of Information Act request. That was not
complied with, so they had to go to court and wait to get a
court date, and then get to the court to try to say where is
this information, and you had already erased it in less than a
year. I do not understand why the IRS asks us to hold
information or 7 years, and you do not even hold it for 7
months. How does that happen? Why does that happen?
Mr. Tribiano. Well, Mr. Chairman, it was a timing issue.
Again, Mr. Maruca left the Agency on August 1st.
Chairman Chaffetz. But if we have to hold our information
for 7 years, how come the IRS does not have to hold its
information for 7 years?
Mr. Tribiano. The information from Mr. Maruca's system is
backed up with our backup tapes. It is just harder to get into
that system, and Mr. Milholland can walk through that. It is
the hard drive that is easier to access, and that ----
Chairman Chaffetz. Right now today, how long does the IRS
preserve its own internal documents? How long?
Mr. Tribiano. It depends on the documents. Mr. Killen can
walk you through that.
Mr. Killen. That is true. You know, there are various
records, disposition schedules for different types of records,
both across the Federal government as a general matter, but
certainly within IRS, so it is largely fact dependent. But ----
Chairman Chaffetz. Give me a range. What is the shortest
amount of time, what is the longest amount of time.
Mr. Killen. Oh, it can really vary.
Chairman Chaffetz. You have a $1.7 billion dispute, and you
have the person who is working on the issue, they leave
employment for whatever reason. I am sure it was a legitimate
reason. But why is all that information suddenly erased, and
how do you go in front of a judge and say we no longer have
that information? How does that happen?
Mr. Killen. Well, I mean, so certainly we ----
Chairman Chaffetz. Because neither--sorry--neither of those
things were true, right? Neither of those things were true. You
actually did have the information, but you represented to the
Department of Justice that you did not have it. But it was
erased even though there was an internal preservation order.
Mr. Tribiano. At the time that the Department of Justice
was notified, we thought that there was information saved. When
we went back to take a look at it and to go through the
records, we found that we did back it up for another litigation
hold up through July 16th of 2014. Mr. Maruca left the Agency
on August 1st.
Chairman Chaffetz. Can you help detail for us, and you are
not going to be able to get through it verbally now. My time
has expired. I have two things that I would love to understand.
How do preservation orders internally work, and why are they
not adhered to because we had that happen in the Lois Lerner
case. We have that happening in the Microsoft case. How does
that happen? And then the second thing is I would like to know
what documents you do and do not retain and for how long? And I
fundamentally do not understand why it is not the same for the
IRS as it is for the American people.
Could you between the three of you get back to the
committee on those two topics? Is that fair?
Mr. Tribiano. Yes, sir.
Chairman Chaffetz. Let the record reflect all three of them
thought it was fair. All right.
Chairman Chaffetz. My time has expired. I will now
recognize the gentleman from Virginia, Mr. Connolly, for 5
minutes.
Mr. Connolly. And let the record show this member has felt
the chairman has always conducted himself fairly. We do not
always agree, but I think he has always been fair.
I want to talk a little bit about investments and capacity.
Mr. Tribiano, is it true that the Agency's inflation-adjusted
budget has been cut by 17 percent since 2010?
Mr. Tribiano. Yes, sir.
Mr. Connolly. Is it further true that by Fiscal Year 2015
we whittled down your funding and your budget to the lowest
level in 5 years?
Mr. Tribiano. Yes, sir.
Mr. Connolly. Is it also true that, in effect, when you
count inflation, that means that your budget has the buying
power of the budget of 1998?
Mr. Tribiano. Yes, sir.
Mr. Connolly. That is a long time ago. The reduction has
been about $1.2 billion?
Mr. Tribiano. Yes, sir.
Mr. Connolly. And in Fiscal Year 2015 alone, the budget was
cut another $346 million from the previous year funding. Is
that correct??
Mr. Tribiano. Yes, sir.
Mr. Connolly. Well, let me see. Because of these cuts, as I
understand it, the workforce has been cut by 17,000 since 2010.
Is that correct??
Mr. Tribiano. Yes, sir.
Mr. Connolly. Two-thirds of your top managers have left in
the last 5 years. Is that correct??
Mr. Tribiano. Yes, sir.
Mr. Connolly. 40 percent of your workforce, by the way, on
top of that is eligible to retire by 2019 largely because of
the baby boom generation. Is that correct?
Mr. Tribiano. Yes, sir.
Mr. Connolly. Well, do these cuts and reductions have an
impact on productivity, customer service?
Mr. Tribiano. Yes, sir, it has a direct impact.
Mr. Connolly. Does it impact your audit capability?
Mr. Tribiano. It impacts our audit capability and our
revenue collection of capability as well.
Mr. Connolly. Well, Mr. Milholland, do these cuts have any
impact at all on the IT budget?
Mr. Milholland. Yes, sir.
Mr. Connolly. How so? Do you want to elaborate a little?
Mr. Milholland. It affects people, processes, and
technology. For example, in the people area, we know that we
have 67 people who are the single points of failure, so to
speak, for particular systems. If they left, we would not have
any knowledge to deal with an issue in that particular system
they support. That is how thin we have become is that we now
can identify the places where we are truly thin, so we have to
deal with risk mitigations for those particular systems.
Mr. Connolly. So Mr. Koskinen was quoted last week as
saying we have got systems that go back to the Kennedy
Administration. What was he talking about?
Mr. Milholland. What he was referring to are systems like
the individual master file or the business master file, where
these systems were literally designed and architected in the
1960s and rolled out in the 1970s. Those systems are where
literally your tax returns, the master file record of your tax
returns, are kept. We have been ----
Mr. Connolly. Let me interrupt you one second there. So my
tax returns might be kept on a system that goes back to the
1960s and 1970s?
Mr. Milholland. That was architected in the 1960s and
1970s. That is correct, sir.
Mr. Connolly. What could go wrong with that?
Mr. Milholland. Well, that is one of the many issues that
we deal with is the sustainability of those long-lasting legacy
systems so that every year we can have a smooth filing season.
Mr. Connolly. So when we talk sometimes about retrieving
information, archiving information, being able to produce
documents or evidence with respect to a court case, we are
relying in many cases on technology to be our friend that goes
back 40, almost 50 years.
Mr. Milholland. Obviously depending on the case, so to
speak, if individual taxpayer data is being accessed, that
architecture is that old. The access mechanisms might be more
current.
Mr. Connolly. Right.
Mr. Milholland. But the fundamental underlying structure is
reliant upon systems that were built in that era.
Mr. Connolly. Okay. You come from private sector?
Mr. Milholland. Yes, sir.
Mr. Connolly. You are now the CTO for a public sector
entity. Real quickly in the time I have got left, what would
you do and what would it cost to do what you do to modernize
and upgrade the IRS so it is functioning as a modern
technology-oriented entity in 2016?
Mr. Milholland. Yes, sir. I will try to be very brief. We
built a technology roadmap. We did that a few years ago and
have been executing against it for the future state; that is,
to bring the IRS so it looks like a digital company in the
financial area; that is, comparable to the way a large
financial institution would operate. That means that we have to
upgrade a number of the underlying processes which are based in
these, as I say, the 1960s architecture, bring them into a 21st
century architecture, and implement the technology that allows
that.
We have standardized on modern programming languages, for
example. All new developments since I have arrived, they are in
Java, for example, rather than the more ancient languages like
assembly language, or COBOL, or these, I will just say, simply
legacy programming languages. We have standardized on a
different operating system, in our case, Linux, for example, a
very modern operating system environment that is very common
across all of private enterprise.
And we have been slowly and steadily migrating new systems
of what we have had to invest in to support things like FATCA,
the Affordable Care Act, the Revenue Return Program, our fraud
detection system, all are built, I will say, the right way so
that we can slowly remove ourselves from dependencies on these
older systems.
And then the last comment I would make, we have plans to
get off, so to speak, of that dependency. The Congress has
supported us in our business systems modernization program in a
program called CADE 2, Customer Account Data Engine. The second
transition state of that is underway in which we are converting
off of that master file system into a modern relational
database program, at the same removing the financial material
weakness of the older individual master file systems.
Let me stop there because I could certainly go on and on
and on.
Chairman Chaffetz. I thank the gentleman. I would simply
ask that the digital roadmap that you are talking about, if you
could provide this committee that copy of this roadmap, I think
we would both like to look at it. When you can provide that to
this committee?
Mr. Milholland. As soon as our release mechanism allows us.
Soon if I can get away with that.
Mr. Connolly. Mr. Chairman, if we could also to that
request the cost. What would it cost?
Chairman Chaffetz. Yes, that would be great because ----
Mr. Connolly. Thank you.
Chairman Chaffetz.--the IRS has had over the last 5 years
more than $11 billion in just IT expenditures. It is a
significant amount of money. We would appreciate you sharing
that plan with us.
Mr. Milholland. Mr. Chairman, could I add one other thing?
Chairman Chaffetz. Sure.
Mr. Milholland. The roadmap does not stand by itself. It
goes along with a business plan which we call a future state
vision, in which all of the businesses as outlined, how do they
want to actually operate in the next 3 to 5 years, and then
that roadmap supports that plan. So you would actually need to
understand both.
Chairman Chaffetz. If you could provide both, that would be
appreciated.
Mr. Milholland. All right.
Chairman Chaffetz. Fair enough? And I appreciate it.
Chairman Chaffetz. I thank the gentleman for his questions,
and I am surprised after 23 hearings you still have questions.
Mr. Connolly. It was a struggle, Mr. Chairman.
Chairman Chaffetz. Yes. Yeah, you still have questions, and
so do we. We will now recognize the gentleman from Ohio, Mr.
Jordan, for 5 minutes.
Mr. Jordan. Thank you, Mr. Chairman. Mr. Milholland, in May
of 2013, the country learns that the IRS has been targeting
conservative groups. Congressional investigations are
announced. The President has a big press conference. The
Attorney General announces that there is a criminal
investigation that will be following. As the chief information
officer, did you take any action to preserve information data
and documents?
Mr. Milholland. Yes, sir.
Mr. Jordan. And what action was that?
Mr. Milholland. We issued a directive to my staffs down
through every level of management and individuals to hold onto
every piece of information.
Mr. Jordan. Was your order clear?
Mr. Milholland. I certainly thought it was clear.
Mr. Jordan. I am going to read from it. ``Do not reuse, or
refresh, or wipe information from any personal computer that is
being reclaimed, returned, refreshed, updated from any employee
or contractor of the IRS. Effective immediately, the email
retention policy for backups is to be indefinite rather than 6
months.'' Pretty clear, right?
Mr. Milholland. Yes, sir.
Mr. Jordan. You go on in that email to say this, ``In other
words, retain everything.'' Now, ``everything'' is a pretty big
universe, so I do not know how you could be more clear. So the
chairman has asked this a couple times. How in the world did
the IRS end up destroying, with that clear directive, end up
destroying 422 backup tapes that were extremely relevant to the
investigation?
Mr. Milholland. As you are undoubtedly aware having that
email, TIGTA did their report out. They looked at every step of
the process along the way of how did we end up doing that. In
fact, I think I was quoted in there when they interviewed me as
I was literally blown away by the fact that it had happened
because, again, I thought the instructions were remarkably
clear.
Mr. Jordan. So I think they are clear, too, if I could just
interrupt, Mr. Milholland. So I think they were pretty clear,
too. So did you do anything else? Did you just send this email
out or this directive out that says keep everything and then
that was it? Is that all you did?
Mr. Milholland. Within IT, the information technology
organization, we discussed it with staff and with the executive
team that we needed to do this. We were also in the midst of
consolidating all the email servers that were sitting around
the country into our two primary data ----
Mr. Jordan. Let me interrupt again. I only got 5 minutes
here. Were there other preservation orders that came to the
Internal Revenue Service, other orders to preserve documents,
not just the one you sent out internally, but were there others
that come in from the outside?
Mr. Milholland. I really do not know. You would have to ask
the chief counsel about that.
Mr. Jordan. Yeah, well, there were two, right? There was
one from the Justice Department and one from TIGTA that said,
hey, they want to just reinforce and preserve documents. So did
you take any action relevant to those other orders to preserve
all information?
Mr. Milholland. I do not recall seeing those orders, so --
--
Mr. Jordan. When the legal staff got the order from the
Justice Department to preserve all the information, they did
not say, hey, you better make sure we do not destroy anything.
They did not communicate it to you, and then you did not
communicate another email like the one we were just talking
about.
Mr. Milholland. I am totally unfamiliar with the order that
you are discussing. We always have a practice generally when a
request comes in that counsel needs us to hold onto items, they
send an email around to the responsible individuals ----
Mr. Jordan. Okay.
Mr. Milholland.--and tell them to literally--sorry. Go
ahead.
Mr. Jordan. What about the subpoenas? This committee sent
two subpoenas. Did that warrant or did that trigger you taking
any further action than this one email that you sent?
Mr. Milholland. No, sir.
Mr. Jordan. So the two subpoenas and the other two
preservation orders, the IRS chief information technology
officer, that did not trigger you to do anything else. You sent
this one email that I think is pretty clear, but that is all
you did.
Mr. Milholland. As I tried to express earlier, Congressman,
we discussed the request to hold on to all of those items that
were in that email throughout our staffs so the executive team,
the management team, would understand how serious this was.
And, therefore, to protect ----
Mr. Jordan. So there is ----
Mr. Milholland.--basically the retention of information.
Mr. Jordan. I got it, yeah.
Mr. Milholland. So it was reinforced constantly to do so.
Mr. Jordan. So then why was it not? So there are two key
questions. There are two questions, and I have got 30 seconds
here. Two questions. One, when you say ``keep everything'' and
then 422 tapes, 24,000 emails are destroyed, I want to know how
that happened and why that happened. Second, this is the
question I get all the time from folks back home. Who is held
responsible? So there is an order given from the chief
technology officer to keep everything, and it is not kept. In
fact, it is destroyed. Who was disciplined? Who was held
accountable? That is what we would like to know.
Mr. Milholland. I will answer the second question first. I
held myself accountable as it was reported in the TIGTA report
that it starts at the top. I was at the top, and, therefore,
myself and my management chain were held to be accountable.
That was part of our performance plans and such and was
discussed appropriately when we discovered this particular
incident when it happened.
Mr. Jordan. Let me just ask one other question. Did you get
a raise the last few years? Have you had a raise in your
salary?
Mr. Milholland. Because I am in the senior critical, I got
an adjustment because of this senior critical pay.
Mr. Jordan. Did your pay go up?
Mr. Milholland. Yes, it did.
Mr. Jordan. The last 2 years?
Mr. Milholland. I think only once in the last 2 years.
Mr. Jordan. Who is your direct boss? Who do you report to?
When I look at your chain of command, it looks to me like you
report to Mr. Tribiano.
Mr. Milholland. Mr. Tribiano.
Mr. Jordan. And, Mr. Tribiano, your office is a direct
report to the commissioner of the IRS. Is that right?
Mr. Tribiano. Yes, sir.
Mr. Jordan. All right. So what happened there? You find out
this guy does an order, and that is as clear as it gets, retain
everything. It is not followed. Tapes are destroyed, 24,000
emails. That information comes to you. What did you tell Mr.
Koskinen?
Mr. Tribiano. Well, sir, I was not part of the IRS during
that time.
Mr. Jordan. What did your office tell Mr. Koskinen?
Mr. Tribiano. I do not know what my office told Mr.
Koskinen.
Mr. Jordan. You come to the hearing, you know we are
talking about record retention, and you do not know what
happened?
Mr. Tribiano. I did not say that, sir. I said I was not
responsible, and I was not there.
Chairman Chaffetz. The gentleman's time has expired.
Mr. Jordan. Thank you, Mr. Chairman.
Chairman Chaffetz. We will now recognize the gentlewoman
from the District of Columbia, Ms. Norton, for 5 minutes.
Ms. Norton. Thank you, Mr. Chairman. I understand that we
are here talking about what we loosely call data preservation
and security, but we are doing so for the IRS, where the data
that we most want to keep to ourselves is to be found. I have
often wondered how the IRS is able to attract the advance
technical professional employees to do what needs to be done.
You know, it is easy enough for us to tell you what you should
do.
So I am interested in exploring what we can do to make it
possible for you to do what you are supposed to do. Now, what
intrigued me was this notion of critical pay authority that
allows the IRS--other agencies have it, too--to hire people who
it would be very difficult to attract to the public service
otherwise. Do I understand, Mr. Milholland, that you are a
critical pay employee?
Mr. Milholland. Yes, ma'am.
Ms. Norton. Is it fair to say that in order to come to the
IRS, you took a pay cut?
Mr. Milholland. Yes, ma'am.
Ms. Norton. Would that have been a significant pay cut?
Mr. Milholland. Yes, ma'am.
Ms. Norton. So when we look at how important this data is,
I wanted to see how many people were in this position. I
understand that you are authorized in these critical positions,
that the IRS is authorized only for 168, only for 40 at one
time. I am quite amazed at that. And even they can only serve 4
terms. You would be lucky to keep them for 4 years. You would
be lucky to keep them for 4 years when you consider how
critical these people are. We do H-B1 visas that are so
critical in our own country.
Is my information correct that here are only 19, Mr.
Milholland, of these critical technical people at the IRS at
this point?
Mr. Milholland. I can answer for the number in information
technology. There are 11. I believe Mr. Tribiano can cover the
rest.
Mr. Tribiano. Yes, ma'am, we have 14. And I would just like
to note, ma'am, that we do not have that authority anymore.
That authority expired.
Ms. Norton. Well, that was going to be my next question. I
understand that this number, since they can only stay 4 years,
that that number is depleted every time you get to the end of
the 4-year term. And that critical person, even if they have
not already left to go to some high tech company, has to go
then.
Mr. Tribiano. Yes, ma'am.
Ms. Norton. And you have had no authority for at least 2
years ----
Mr. Tribiano. Yes, ma'am.
Ms. Norton.--to hire people. That is why you are down to
19.
Mr. Tribiano. 14 in total.
Ms. Norton. 14 for you, Mr. Tribiano, and ----
Mr. Tribiano. No, 14 in total for the Agency, ma'am.
Ms. Norton. Oh, for the entire Agency out of 168 that are
authorized.
Mr. Tribiano. Yes, ma'am. We lose one this year, and then
the remaining 13 next year.
Ms. Norton. This is malfeasance it seems to me, but it is
on our part. I do not know how we could have gotten without at
least authorizing. I do not know if there is enough funds even
if authorized, but if you were able to even attract such
people, you deserve our congratulations. But if we can continue
to reprimand you for things you do not do in data collection
while we do not recognize our responsibility to authorize you
to have what I regard as a very small number of technical
professionals on board, then there is a disparity here that I
think the government has to take account of.
Chairman Chaffetz. Would the gentlewoman yield?
Ms. Norton. Yes, sir.
Chairman Chaffetz. My understanding of this process is that
the Office of Management and Budget has the opportunity to
offer 800 people within the Federal government critical pay
authority in consultation with the Office of Personnel
Management. Of the 800 available slots for critical pay
authority, they are only using 4. Not 400, 4 of the 800 that
are already ----
Ms. Norton. Where is this, in this Agency?
Chairman Chaffetz. Well, throughout government. So if the
IRS commissioner needs critical pay authority, for instance,
for IT specialists, which I would probably actually agree with,
there is already a process and authorization in place where OMB
with OPM goes and gets that authorization.
Ms. Norton. Well, I understand they do not even have to go
through OPM. Is this authority authority that you think the
Agency needs?
Mr. Tribiano. Yes, ma'am. Streamlined critical pay is very
important to us, and if we are able ----
Ms. Norton. But do you think you have the authority? The
chairman thinks you already have the authority.
Mr. Tribiano. Not under what we had before, which is
streamlined critical pay. What the chairman is referring to, I
believe, is, if I understood right, is an OMB, I mean, an OPM
process that exists for critical IT.
Ms. Norton. But the people we are talking about do not have
to go through that process, do they?
Mr. Tribiano. Streamlined critical pay, no, ma'am. We would
recruit directly from the private sector into the top IT
positions.
Chairman Chaffetz. If the gentlewoman would yield, if the
IRS has a case, the mechanism that Congress previous to me had
set up is that they make the case to the Office of Personnel
Management or through the OMB. In concurrence, they can grant
that all within the executive branch without having to come to
Congress.
Ms. Norton. But it expired 2 years ago.
Chairman Chaffetz. No. Well, I will work with the
gentlewoman to help clarify this, but I do believe it is
currently available. The gentlewoman's time has expired, but I
will work with the gentlewoman on this topic.
Ms. Norton. I wish you would because the testimony has been
pretty direct here that it has expired, and our own research
shows it has expired.
Chairman Chaffetz. Okay. Well, again, we will be happy to
work with you. We now recognize the gentleman from Michigan,
Mr. Walberg, for 5 minutes.
Mr. Walberg. Thank you, Mr. Chairman. And just in reference
to statements made earlier by a member of our committee
concerning several senior-level administrators leaving under
the guise of the challenges of doing the job here, remember
some of those left under a rather dark cloud pleading the 5th
under potential impeachment, et cetera. So we do not need to
forget that also.
Mr. Milholland, you mentioned that when finding out that
your direct orders for preservation were disregarded, you were
blown away. Coming from your experience in the private sector,
extensive experience and background in the private sector, I
would assume that orders like that would not have been
disregarded clearly without significant consequence. So I do
want to go back to a question made by a colleague of mine, Mr.
Jordan, and just get a more direct answer. Do you know of
anyone who was reprimanded for not following the preservation
notice? Reprimanded or worse.
Mr. Milholland. The way we handled the situation was
waiting until the TIGTA report was in where basically, as I
say, the TIGTA concluded there was no criminal wrongdoing,
which was peace of mind. Someone did not deliberately set out
to do this. And then, in reading through their report, what
conclusion do you come to?
As I say, management--me--took accountability for our
management chain's failure to see that the instruction was
followed. That then was dealt with through performance reviews
and feedback to people for their whole entire performance
through the appropriate chain and such. We did not penalize or
punish anyone on the floor because they thought they were doing
what they were supposed to do. They had received instructions.
They were following a process, and ----
Mr. Walberg. But the leadership team, any one reprimanded?
Mr. Milholland. In the sense of in their performance review
feedback, yes.
Mr. Walberg. But no other consequences beyond that.
Mr. Milholland. No other consequences, no, sir.
Mr. Walberg. I doubt that in the private sector it would
have been as simple as that. Let me move on. Let me move on.
The taxpayer advocate recently released a report on the IRS
future state plan that stated the IRS's intent to move all
taxpayer filing and help systems to an online platform.
In the last 9 months, the IRS has experienced at least two
electronic data breaches surrounding taxpayer P-2s. This
includes the May 2015 breach that exposed more than 100,000
taxpayers' sensitive information. The taxpayer advocate also
found that roughly 1 in 5 taxpayers who were victims of
taxpayer identity theft had their IRS files closed. Despite
unresolved issues remaining, taxpayers, in other words, still
had to wait an average of 6 months before the negative impact
of taxpayer identity theft was addressed.
Mr. Tribiano, in light of these breaches, why does IRS feel
that now is the best time to roll out a more expansive and
pervasive online tax system?
Mr. Tribiano. Well, sir, if I can just add one thing to
that. We are not abandoning and going everything to digital or
to online. We still have to take care of the taxpayers that
still want to file paper returns and go that route. But the
customers in this case, the taxpayers, have advocated for us,
or for the IRS, to operate more as a large multinational type
of bank to be able to do things online. As you can imagine,
they would rather deal with us online more so than deal with us
in person, so we are shifting.
It is a 3- to 5-year process to go to where we want to go,
what we call future state. And that is to be able to have
interactions with the taxpayers electronically the way they are
asking for it.
Mr. Walberg. How do you propose to protect them, though,
online?
Mr. Tribiano. As we build out the technology, we are
changing and adapting it, and I think Mr. Milholland can walk
you through some of the things ----
Mr. Walberg. Walk me through that, some of the means by
which you can stop the breaches that could very clearly come
that has taken place in person, but it could take place
extensively online.
Mr. Milholland. Yes, sir. We have an initiative we call the
eAuthentication Authorization and Access Initiative. The first
part of this is what we are doing to get transcripts back
online. If you recall, with that original issue from last May
and June, we took it offline until we could get it right; that
is, the underlying authentication. Can we really identify that
the individuals coming in are who they say they are. That work
is underway. We hope to roll that application back up some time
this spring.
But we also have done other things that we started changing
the way that we handle, I will say, the online environment. The
particular technologies we, in fact, deployed as a result of
the ``Get Transcript'' incident were, in fact, what allowed us
to stop this bot attack from 2 weeks ago explicitly. The
ability to capture and see that this attack was ongoing is a
direct result of us improving that environment.
A number of other tools and such are built into our cyber
investment plan. It is what we are going to use some of the
monies that are now made available to us from the Congress
through an extra $290 million. About $100 million of that has
been assigned to IT specifically for cyber. That is where the
investments will be made. The President has certainly
recognized it in his Fiscal Year 2017 budget submission for
what he wants to do across the Administration. And then part of
those monies will be used to improve aspects of the IRS online
presence.
There are a number of specific tools I could talk about
here, Congressman. I do not know exactly ----
Mr. Walberg. I appreciate this getting on record of what
you are doing, and that down the road we will not be blown away
by mistakes that come, but I want to make sure that this is
taken care of. That is part of our oversight, and we want to
make sure that you are doing oversight as well. I yield back.
Chairman Chaffetz. The gentleman's time has expired. If Mr.
Milholland can continue to provide the committee with what they
are doing in that regard, we would appreciate it.
I will now recognize the gentlewoman from New Jersey, Ms.
Watson Coleman, for 5 minutes.
Ms. Watson Coleman. Thank you, Mr. Chairman. Mr.
Milholland, it has been almost 4 years since the committee
launched its investigation of the IRS, and to date IRS has
produced more than 1.3 million pages of documents from 88
custodians in response to over 80 document and information
requests. According to the information I have, on June the 3rd,
2015, the IRS' senior privacy official testified before this
committee. Is that you, Mr. Killen? Is that you?
Mr. Killen. Not at the time.
Ms. Watson Coleman. Okay, thank you. Well, let me read to
you what was said. ``More than 250 IRS employees have spent
more than 160,000 hours working directly on complying with
investigations at a cost of $20 million, which also includes
the cost of adding capacity to our limited information
technology systems to accommodate the voluminous information
requests.'' And that figure does not include that at least $2
million additional have been spent by the inspector general.
Mr. Milholland, what sort of capacity has been added to the IRS
information technology system in order to accommodate this
information and this investigation?
Mr. Milholland. There is an investment plan to build out
the entire process of record retention. This ranges from saving
all of the email and all of its attachments, the archiving of
information that are on hard drives in turn being saved. And
the first elements of this, if we are able to complete our
project, would start to roll out at the end of December,
beginning of January.
Ms. Watson Coleman. Do you have the resources and the
personnel to be able to accommodate this effort?
Mr. Milholland. At the current moment we do not. We have
what we need to implement toward the end of this year, but for
the long-term needs of the record retention initiative, to do
everything that is being asked in the sense of build a system
that can search for anything and do it instantly, that has not
yet been, I will say, completely planned out, nor staffed, nor
resourced.
Ms. Watson Coleman. You have made some improvements because
you were able to detect some suspicious behavior most recently
in the system. And you do not have any reason to believe that
that was anything terrorist related or anything of that nature
or ----
Mr. Milholland. Ma'am, are you referring to the bot attack
that was 2 weeks ago?
Ms. Watson Coleman. Mm-hmm.
Mr. Milholland. I cannot speak to who it was. There is an
investigation going on right now by the investigative side of
TIGTA. This was done from international sites using malware
placed on individual machines and servers that attacked the IRS
attempting to get these e-file PINs, no other taxpayer data. In
fact, the e-file PIN is not taxpayer data, so I cannot
characterize who they were. They were, you know, more than
likely criminals, but I cannot really say.
Ms. Watson Coleman. After Mr. Maruca's file was detected,
after there was this belief that it did not exist and then you
found out that you had a backup to it, you all have done
something that would ensure that this problem does not occur in
the future until you can take care of it in a more
technologically savvy way? You have made decisions that no
information gets erased until after something happens, right?
Until after what happens, and when would that happen?
Mr. Milholland. Is that a question toward me? I just was
not sure.
Ms. Watson Coleman. Well, to whomever can answer it.
Mr. Milholland. I was not sure if it was to the deputy
commissioner.
Ms. Watson Coleman. Well, if the deputy commissioner is the
one that should answer it, I am fine with that. Thank you.
Mr. Milholland. Okay.
Mr. Tribiano. The answer to that, ma'am, is yes. We put a
non-destruct order in for all hard drives and devices for all
employees of the IRS when they depart the IRS, and we
immediately back up the hard drive itself electronically so we
would have two copies until we get to the long-term solution
that Mr. Milholland was talking about.
Ms. Watson Coleman. So minimally, would you say that you
have a future desire to hold this information as long as we are
responsible as citizens to hold our information at 7 years,
that incredible 7 years that we are talking about, or is there
something other that you all would be presenting?
Mr. Tribiano. Well, I think that is a question for Mr.
Killen.
Ms. Watson Coleman. Mr. Killen?
Mr. Killen. Thank you for the question. We are working
vigorously to ensure that we migrate our records management
practices from sort of the current state to where we need to
get to, you know, in the future in order to be compliant with
all of the respective guidances out there from NARA and from
OMB.
So principally, we have taken, you know, really a multi-
pronged approach at that. Mr. Milholland and Mr. Tribiano both
talked about various aspects of that, but I think, you know,
first and foremost, again, ensuring that we no longer wipe or
----
Ms. Watson Coleman. Erase.
Mr. Killen.--sanitize existing hardware, ensuring that we
have copies that are in place on the machines. But we are, in
addition to that, we have put a process in place for our
senior-most Agency officials throughout IRS at the executive
level because those are the individuals most likely to create
Federal records. And so, we have an approach that we have
implemented called the Capstone approach to ensure that we
maintain and appropriately archive those records of our senior-
most officials. At the same time, we are currently in the
process of implementing a plan for December 2016 where all IRS
employees' email accounts will be archived electronically. And
that is per directives that we have ----
Ms. Watson Coleman. Thank you, Mr. Killen.
Chairman Chaffetz. The gentlewoman's time has expired. How
convenient. December of 2016, then we will start that process.
There we go.
All right. I will now recognize the gentleman from
Tennessee, Mr. DesJarlais, for 5 minutes.
Mr. DesJarlais. Thank you, Mr. Chairman. Mr. Milholland,
did the IRS hire a new director of the Office of Personal
Responsibility in the past year?
Mr. Milholland. I actually do not know.
Mr. DesJarlais. Mr. Tribiano?
Mr. Tribiano. We transferred an individual into that
office.
Mr. DesJarlais. Who was that?
Mr. Tribiano. That is Mr. Whitlock.
Mr. DesJarlais. Mr. Whitlock. Okay. And that is basically
the director of the IRS ethics department, correct?
Mr. Tribiano. It could be categorized as that, yes, sir.
Mr. DesJarlais. Okay. Did they review this individual's
history with the Department?
Mr. Tribiano. With the Department of Treasury? I am not
aware, sir.
Mr. DesJarlais. Do you know why the individual's record
would not be reviewed prior to hiring someone for this
position?
Mr. Tribiano. Why it was not sent to the Department of
Treasury?
Mr. DesJarlais. Why they would not review his record before
hiring someone to oversee the IRS' ethics department.
Mr. Tribiano. The Executive Resources Board would have
reviewed the record before making the recommendation of the
movement of that individual into that position.
Mr. DesJarlais. Okay. Mr. Milholland, did that ring any
bells? Are you aware of Mr. Whitlock?
Mr. Milholland. Not at all, sir.
Mr. DesJarlais. No knowledge of him?
Mr. Milholland. No, sir.
Mr. DesJarlais. That was not run by you, Mr. Killen?
Mr. Killen. No, sir.
Mr. DesJarlais. No. Okay. So the IRS hires a new director
to head up their personal ethics program. And, Mr. Tribiano,
are you aware that he has a history of illegally shredding
documents?
Mr. Tribiano. Sir, well, first, let me say I cannot
discuss. There is an IG investigation. But our internal review
that was done in 2005 found that Mr. Whitlock, there was no
intent from that office, and that there was no wrongdoing in
that process.
Mr. DesJarlais. Okay. I have seen different reports. Mr.
Milholland, would you be blown away if you learned that you
hired an ethics director that had illegally shredded documents?
Mr. Tribiano. Just for the record, this position does not
report to Mr. Milholland. The position reports to the deputy
commissioner for Service and Enforcement.
Mr. DesJarlais. Okay. So you have not reviewed the TIGTA
audit of the OPR that was completed while the individual was
destroying taxpayer records, or you have not read the
investigation record, or the record destruction, or
whistleblower retaliation?
Mr. Tribiano. No, sir. What I reviewed was our internal
review of the process that happened. Again, I cannot discuss
the TIGTA investigation, and our internal review showed that
there was no wrongdoing by that individual. That individual did
not order the destruction that was done by the acting director
at that time.
Mr. DesJarlais. Okay. I guess I am just kind of shocked
that, you know, this is a person that the IRS hired to be the
head of their Office of Personal Responsibility, and he has got
this history, and no one on the panel today seems to know
anything about him.
Mr. Tribiano. He was transferred, sir. He has been part of
the IRS. He was in there as the deputy director of that office,
was transferred to head up another office for us, and then was
transferred back in.
Mr. DesJarlais. Is this typical of how the IRS handles new
hires?
Mr. Tribiano. He was a transfer, sir, not a new hire who
has been with the IRS ----
Mr. DesJarlais. So when somebody gets in trouble, they
transfer him around. Is that how it works?
Mr. Tribiano. I am not saying that, sir.
Mr. DesJarlais. Okay.
Chairman Chaffetz. Will the gentleman yield?
Mr. DesJarlais. Yes.
Chairman Chaffetz. Mr. Tribiano, you said there is a new
non-destroy policy. When did that come into place?
Mr. Tribiano. That came into place right after we found out
that we had that gap with Mr. Maruca.
Chairman Chaffetz. That you had destroyed things. So can
you give me a specific time?
Mr. Tribiano. January, sir. I do not know the exact date,
but it was in January.
Chairman Chaffetz. So just in the last 30 days?
Mr. Tribiano. Yes, sir. When we realized we had the gap
when Mr. Maruca before the ----
Chairman Chaffetz. Why did you not put this in a policy
when Mr. Milholland put this into place into 2013? Did you ever
lift that non-destruction order, Mr. Milholland?
Mr. Milholland. I have never lifted the non-destruct order
for the tapes, the backup tapes, which we were dealing with at
the time.
Chairman Chaffetz. The gentleman from Ohio.
Mr. Jordan. The chairman asked my question. When was the
order rescinded that you wrote in 2013 which says effective
immediately, email retention policy for backups is to be
indefinite? So if it is indefinite, is that still in place?
Mr. Milholland. Yes, sir. Email is saved indefinitely.
Mr. Jordan. Well, but the key question is, what about the
backup tapes. They are saved indefinitely?
Chairman Chaffetz. If the gentleman will yield, it says,
``Do not destroy, wipe, or reuse any of the existing backup
tapes for email or archiving of other information for IRS
personal computers.''
Mr. Jordan. Okay. And our question is, was that rescinded
in any way.
Mr. Milholland. If I understand your question correctly,
sir, no. What we have, we still back up email and ----
Mr. Jordan. Okay. Good.
Mr. Milholland. Excuse me. I am sorry. I am interrupting
you.
Mr. Jordan. No, if it was not rescinded, then why did you
have to issue a new order that Mr. Tribiano just referenced?
Mr. Tribiano. I believe what Mr. Milholland was saying is
that ----
Mr. Jordan. Is it so that you could have another one that
people will not follow? I mean, that is our point. If you have
one in place, obviously it was not followed. You said nothing
is being rescinded, and Mr. Tribiano said just last month we
issued a new order to preserve all documents and not destroy
anything. Why was that necessary?
Mr. Tribiano. The order that Mr. Milholland was referring
to, the one that he did that was about backup tapes and
disaster recovery tapes. What we are talking about is the
cleaning of hard drives for recycling back into the IRS system
for computers or for destruction when they go out. And the
reason that is in place is because some of those hard drives
contain 6103 data, so we cannot leave them around now for a
longer period, so we have to secure them. So now with the new
order we have to secure those hard drives, put them in a secure
location, document them, and put them away because it has
information on them.
Chairman Chaffetz. And the time has expired. We are going
to recognize Ms. Kelly here. But that is not what Mr.
Milholland's memo of May 22nd, 2013. It says, ``Do not destroy,
wipe, reuse any of the existing backup tapes or email or
archiving of other information from IRS computers. Further, do
not reuse, or refresh, or wipe information from any personal
computer that is being reclaimed, returned, refreshed, updated
from any employer or contractor of the IRS.'' I mean, it could
be not be more explicit.
Mr. Milholland. Again, Chairman, if I may, that was
referring to our backup tapes of the email systems and all the
information ----
Chairman Chaffetz. You can dance around this all the time.
You had a preservation order in place. You had a do not
destroy, and you continued to destroy them. You have
represented to the Department of Justice, and to the courts,
and to the United States Congress that you are not doing this.
This issue has never been fixed, and that is why we continue to
have these hearings.
We have gone way past your time. We will recognize the
gentlewoman from Illinois, Ms. Kelly, for 5 minutes.
Ms. Kelly. Thank you, Mr. Chairman. Mr. Killen, I wanted to
talk about what the IRS is doing to ensure that document and
preservation measures are being implemented so that we do not
end up here again, which no one wants. It seems strange that we
are having a full committee hearing because of one employee's
hard drive, especially since all but 2 weeks of his emails were
preserved. What is the current IRS policy with respect to
document preservation for departing employees, and how long are
their emails kept?
Mr. Killen. Thank you for the question. As I stated a
little earlier, we have essentially a multi-pronged strategy
and approach that we are taking with respect to email. First
and foremost, we have implemented the Capstone approach, which
is an approach that has been developed by National Archives
that is focused on your role within the organization, because
you want to ensure that the senior-most officials in an
organization who are most likely to create records, that those
records are preserved.
And so, about a year ago we implemented that process across
IRS to ensure that our senior executives all across IRS, that
we had the appropriate electronic preservation of those emails.
And so, that has been in place for the last year, and that was
really one of the significant early pieces of the strategy.
Ms. Kelly. And how long are they kept?
Mr. Killen. They will be kept, there are ranges. But for
our most senior executives, they will be kept permanently. For
sort of our second tier of executives on down, they will be
kept for 15 years. And that is very consistent with a role-
based approach because you want to ensure that you have the
preservation of records, you know, in the most appropriate
fashion.
So the second piece of that strategy related to email is
that by the end of this calendar year, by December 2016,
consistent with the directives that we have received from OMB
that applies across the government, not just to IRS employees,
we will ensure that all of our employee email is available in
an electronically accessible environment. And then we are also
taking a variety of other steps to shore up our other processes
and procedures with regards to records retention for separating
employees and for, you know, an entire gamut of issues that we
are working towards. So we are making significant progress.
Ms. Kelly. Okay. What is the IRS doing right now to ensure
that an instance such the Maruca case does not occur again?
Mr. Killen. Thank you for that question. So, again, as part
of sort of the multi-pronged strategy that we have, because,
you know, the key issue with Mr. Maruca is he separated from
the Service.
Ms. Kelly. Right.
Mr. Killen. And so, we have a process in place now where if
an employee separates from the Service, we are ensuring that we
do not wipe the machine. In addition, we are making the copies
of the machine. So really, you know, our whole approach around
records management and retention is first and foremost ensuring
that we follow the relevant guidance and directives that are
out there. But then secondly, trying to, you know, build in
multiple layers of redundancy so that we do what we can to
reduce, you know, the likelihood of the human element where
people make mistakes as well.
Ms. Kelly. So would you look at this as your longer-term
solution, or do you have other long-term solutions as it
relates to hard drive inventory management?
Mr. Killen. There is a very long-term solution because, you
know, you can imagine the volume of records, and particularly
as just in all walks of life, as we move more towards a digital
environment. And so, you know, our first focus and emphasis is
on email. We have paper records, as you might imagine, that we
do a pretty good job of maintaining, but we have improvement
opportunities there as well. But longer term, you know, there
is guidance that talks about by 2019 the Federal government
should be able to migrate to a place where all records are
stored in that, you know, accessible electronic medium. Our
focus is initially on email, but that will extend to, you know,
all of the various avenues of record creation towards that 2019
directive.
Ms. Kelly. And once you get there, this will allow you to
answer inquiries from Congress faster or FOIA requests? Do you
feel like you will be faster at that?
Mr. Killen. It will certainly help. It will certainly help
because, you know, the first thing is that the documents have
to be available certainly. But when you get beyond the actual
availability of the documents, and when you talk in terms of
document production, you also need to have the ability to
search. And ideally you would want to have the ability to do
key word searches because those are things that allow you to
have, you know, very efficient document production.
So my answer to your question is that having the
documentation retained is a necessary predecessor first step,
but there is also the need to have the ability to do, you know,
adequate search, find, and redaction capability. And that will
be a separate effort, but it certainly is one that we have our
eye on as well.
Ms. Kelly. I am out of time. Thanks.
Chairman Chaffetz. I thank the gentlewoman. I will now
recognize the distinguished and always dapper gentleman from
South Carolina, Mr. Gowdy, for 5 minutes.
Mr. Gowdy. Chairman Chaffetz, I appreciate your leadership
on this issue as I do Chairman Jordan's. And for that reason, I
would like to yield to the gentleman from Ohio, Mr. Jordan.
Mr. Jordan. I thank the gentleman. Mr. Milholland, who told
you to issue the May 22nd, 2013 order, or I think ``directive''
is what you called it.
Mr. Milholland. The email we talked about earlier, sir?
Mr. Jordan. Preserve all documents. In other words, retain
everything. That email.
Mr. Milholland. That was a request that came from Chief
Counsel's Office, and the way to do it was to send an email out
as quick as we could to the people involved dealing with the
backup tapes and such.
Mr. Jordan. And when you did that, did you like have just a
couple people you were sending it to, or was it like send to
everyone, send all?
Mr. Milholland. Principally directed to the operations team
who deal with the backup tape processes and such, but the IT
staffs all knew about it.
Mr. Jordan. And the chart that I see, you got five agencies
or five groupings that answer to Mr. Tribiano. Were the heads
of all five of those groupings sent your email plus all your
staff, or just within your area?
Mr. Milholland. It was just within IT.
Mr. Jordan. Okay. Okay. I just want to be clear. And do you
know if the commissioner at the time, Commissioner Werfel, knew
about your directive to preserve all documents?
Mr. Milholland. I am pretty sure he did because this was
one of the subjects we were talking about, how we were going to
protect ----
Mr. Jordan. Okay. And then when Mr. Koskinen came on board,
do you know if he knew about the directive that was in place
and, as you have testified today, still in place? Did Mr.
Koskinen know about that, and does he know that it is still in
place today?
Mr. Milholland. I cannot testify to that, but can I add one
correction to my earlier statement?
Mr. Jordan. Sure.
Mr. Milholland. Okay. As I tried to say earlier--I may not
have been very clear--that was intended to cover backup tapes
for email and anything to do with anyone's information that
dealt with attachments, calendars, and such. At the same time,
we also were not allowing hard drives to go anywhere. We, in
fact, locked up all of the TEGE employees' hard drives in a
cabinet, so to speak, so they would not go anywhere and such.
During the Windows 7 implementation 2 years ago and such,
basically because of budgetary problems, we went and asked,
hey, if we copy all the hard drives we have been saving, can we
now reuse them so that we can implement Windows 7. And we got
permission to do that, so in that sense those non-TEGE hard
drives were reused. So in that sense, they were rescinded. I
hope that is clear.
Mr. Jordan. I mean, it is not, a lot of the stuff you said
there. But nowhere in there did you talk about still how the
backup tapes, which you said your order applied to, were
actually ultimately destroyed. So that did not cover what he
just described, at least I did not think so.
Mr. Milholland. No, sir. I responded earlier describing how
that happened through employee mistakes.
Mr. Jordan. Okay. Well, we obviously know there were
mistakes because you gave an order, and it was not followed,
and tapes were destroyed, and information and data that is
important to the investigation was lost. I am going to go back
to the question I asked you in the first round. I want to be
clear. So you received a bonus this year and last year?
Mr. Milholland. No, sir.
Mr. Jordan. You said your pay went up. So it was not a
bonus?
Mr. Milholland. I am capped salary wise. I do not receive a
bonus.
Mr. Jordan. How about this management team you referred to
when I asked, you know, how this could happen that tapes were
destroyed in light of your order, in light of your directive?
Anyone on your management team, did they receive a bonus this
past 2 years?
Mr. Milholland. Yes, sir.
Mr. Jordan. They did?
Mr. Milholland. Yes, sir.
Mr. Jordan. And do you okay that, or does that go up
through Mr. Tribiano and then up to the commissioner?
Mr. Milholland. It certainly comes through me. I believe it
goes to a committee Mr. Tribiano sits on called the Executive
Review Board.
Mr. Jordan. Mr. Tribiano?
Mr. Tribiano. Yes, sir. It starts at the division head
area, so Mr. Milholland would gather up performance awards, not
bonuses, and they would make those recommendations coming
forward. I would get them. Either I agree or disagree.
Mr. Jordan. Performance awards. If you get a performance
award, that results in additional pay?
Mr. Tribiano. It results in a performance awards, so, yes,
sir, your pay. Not your pay salary pay, but your cash.
Mr. Jordan. You get more money.
Mr. Tribiano. Yes, sir, but it is not on a continuous
basis. It is a one-time performance award.
Mr. Jordan. Mr. Milholland said he takes responsibility for
the fact he was blown away when this happened after his
directive. His pay is topped out. He cannot go any higher. And
the people on his management team who were responsible for the
directive not being carried and for the backup tapes being
destroyed all got performance pay increases. Is that accurate?
Mr. Tribiano. I have to ask Mr. Milholland if he put them
forward in that fashion.
Mr. Milholland. Not all the managers and executives who
report to me got pay increases or bonuses. I do not recall
explicitly in the chain that led down to where this incident
occurred what the actuals were.
Mr. Jordan. But many of them did.
Chairman Chaffetz. Will the gentleman ----
Mr. Milholland. Probably, but I really do not know, sir.
Mr. Jordan. I would be happy yield back.
Chairman Chaffetz. The gentleman's time has expired. Will
you provide that to this committee, Mr. Milholland?
Mr. Milholland. If I am allowed to legally. I do not know
if I am allowed to release personal information.
Chairman Chaffetz. Well, when the United States Congress
asks you, you have legal authority to provide that information
to Congress. There is nothing classified about people's
compensation and bonuses. Would you agree?
Mr. Milholland. Not to me, sir, but I am not a lawyer, so.
Chairman Chaffetz. Well, there are some positive qualities.
I appreciate that. That is a real plus in your column. I get
it. I am asking you all to provide this information to this
committee.
Mr. Milholland. Yes, sir.
Chairman Chaffetz. Thank you.
Chairman Chaffetz. I will now recognize the gentlewoman
from New York, Ms. Maloney, for 5 minutes.
Ms. Maloney. I thank the gentleman for yielding. And I
would like to talk about another outage that was treated
differently than one recently at the IRS, and that was one that
many New Yorkers were concerned about. It concerned the New
York Stock Exchange on July 9th of 2015, and a number of my
constituents work there and suffered an outage that completely
suspended all of financial trading for roughly 4 hours. And
this committee sent letters to the SEC and to the Stock
Exchange trying to understand the circumstances surrounding the
outage. And they briefed our staff in July, and they told us
that a software problem--it was basically a glitch--caused them
to go offline in order to respond and to solve the problem.
Now, the Department of Homeland Security in response to
questioning by this committee reported that there was no
suspicious activity, and the FBI saw absolutely no reason for
any type of enforcement action. And since the committee
received those briefings, we saw no reason to hold a public
hearing or to hold an investigation since everybody involved
said that it was merely a glitch.
Yet we are going after the IRS today for a similar
temporary and subsequently resolved website outage. And I just
feel that there is a little bit of an unequal treatment, and I
think we should not have unequal treatment. I mean, I will not
suggest that the New York Stock Exchange should come in for a
hearing. I am suggesting that we should not be having a hearing
on a technical outage for any organization, and the IRS seems
to be getting a little unequal treatment on this.
And I would like to elaborate, Mr. Milholland, to ask you
about an incident earlier this month when portions of the IRS
website were shut down for roughly 30 hours. And I understand
that some members of Congress thought, and questioned, and
rightfully so, I think, in the world we live in that it was a
cyberattack. But the IRS briefed our staff earlier this week,
and they told us that this was definitely not a cyberattack.
They told us, in fact, that it was just a mechanical hardware
failure similar to what happened at the Stock Exchange, a
glitch, a hardware failure.
Now, is my description of what happened to the IRS somewhat
correct?
Mr. Milholland. Yes, ma'am.
Ms. Maloney. So this was not a failure of an IRS
information system, but just the failure of a singular piece of
mechanical equipment, correct?
Mr. Milholland. That is correct, ma'am.
Ms. Maloney. And can you describe what sort of hardware we
are talking about?
Mr. Milholland. Yes, ma'am. Our Enterprise server is the
primary engine for processing tax returns. It is made up of
various components, including a storage subsystem, which has
voltage regulators in it. Now, while the root cause analysis is
still underway, it was those voltage regulators that failed.
They are mechanical components that are under somewhat high
stress conditions when the computer is operating. And over
time, one of the modules that held the voltage regulators
literally said I'm failing, called for an alert to the
mechanic--that is, the technician--to come and fix it.
During the process of attempting to fix the mechanical
device, the redundant voltage regulator module also failed.
Then it took time to restore the equipment to its natural
state, bring the system back up so tax returns could be
processed. Total outage time was roughly about 30 hours.
No software was involved. No micro code. This was with
absolute certainty not a cyberattack. It was a failure of
mechanical device. What we are most interested is the root
cause analysis as to why did the two fail relatively close
together. That work is going on. I expect to have the root
cause analysis, you know, within a week. I have a draft root
cause analysis now, but it is not done. We have working
questions with the supplier on this. But no question that this
was a mechanical failure.
Ms. Maloney. So mechanical failure, such as what the IRS
experienced, is not unique to the IRS. It happens to many
organizations. In fact, there was a highly publicized
mechanical failure with the New York Stock Exchange which was
similar. They went offline for a while to repair it. So I feel
that there is a little bit of an unfair or unequal treatment,
and maybe a little bit of a major focus on the IRS and
questioning of the IRS for a long time that is not the same
treatment that other organizations that handle a great number
of filings experience. So I just wanted to point that out. The
failures were very similar for the Stock Exchange and the IRS
of mechanical equipment failure.
In any event, my time has expired, and thank you for your
testimony today.
Chairman Chaffetz. Thank the gentlewoman. We will now
recognize the gentleman from North Carolina, Mr. Walker, for 5
minutes.
Mr. Walker. Thank you, Mr. Chairman. Thank you, Panel. I
appreciate you being here today.
I want to go back to something that I heard a little bit
earlier. First of all, I want to talk about something that
Commissioner Koskinen has said repeatedly. His quote says, ``I
believe that the underfunding of the Agency is the most
critical challenge facing the IRS today.'' He has made this
comment pretty much in several different speeches whether it is
the Tax Policy Conference or other places where he is pretty
adamant that that is a major issue.
But something said earlier by one of my colleagues, I want
to go back talking about the systems that you said that were
dating back to John F. Kennedy time, I believe was the comment.
It was not so much the application as it was the system. Would
you repeat a little bit earlier and go into that for me just a
minute?
Mr. Milholland. Certainly. What they built back in the
1960s for implementation in the 1970s was a system designed
based around the technology that was available to them then.
Mr. Walker. Sure.
Mr. Milholland. That design still exists. Even though we
are running the application now with much more modern
underpinning--that is, this Enterprise server that we just
discussed with the congresswoman ----
Mr. Walker. Sure.
Mr. Milholland.--the actual design of the application is
still built upon that 1960s approach.
Mr. Walker. And I appreciate you clearing that up, but that
is not what Commissioner Koskinen said. What he said in his
ploy to try to get more funding, more than the $11 billion
already, he said, ``We have many applications that were running
when John F. Kennedy was president.'' Is that an untruthful
statement?
Mr. Milholland. No, I think that is true. The application,
individual master file, and the business master file, and a
number of those other clearly legacy applications, while some
of the platforms they run on have changed and the code has been
updated numerous times due to legislation, the programming
language is still the one that we had then.
Mr. Walker. Well, he seems to be disagreeing with you on
the code as well because he said, ``The code has been out of
date so long, it has the unintended effect to keep hackers from
hacking in.'' So is that just something he is not
technologically current with that? I mean, are you running code
from John F. Kennedy because it seems 50-something years ago we
are still running those kinds of systems, and we are still
operating with that code? Is that correct?
Mr. Milholland. There are elements of the code that exist
back that far, but the ----
Mr. Walker. COBOL? FORTRAN? What are we talking about here?
Mr. Milholland. COBOL, yes. COBOL programming language
code. Assembly language code is the principle engine. While we
have modified it numerous times with particularly legislation,
the fact of the matter is that system was designed and built in
the 1960s to start running in the 1970s. And so, you know, I
believe that the commissioner is correct.
Mr. Walker. Okay. Let me transition while I have got some
time left. I am going to go back to Form 3210 that was filled
out authorizing the destruction of Mr. Maruca's hard drive. If
so, if that was ordered, who authorized the destruction of that
hard drive?
Mr. Milholland. What would have happened would be that--I
must say ``presumed happened''--was whoever was checking out
Mr. Maruca from the IRS would have called the IT organization,
filled out a request to say take his IT assets and follow the
normal disposition procedures.
Mr. Walker. Did you assume that would have happened? Why
was Mr. Maruca's hard drive not covered by the litigation hold
the IRS put in place? Why did that not cover that?
Mr. Milholland. At the time, I mean, he had left before
that particular litigation hold was put into place.
Mr. Walker. Well, did he take his stuff with him? Did he
take the information with him?
Mr. Milholland. It had already been entered into the
process of disposition.
Mr. Walker. Well, so what happens when he leaves? When an
employee leaves, do their records get destroyed like this? I
mean, what happened? Who made the decision? Who authorized
that, to destroy what he was working on?
Mr. Milholland. I am sorry. I really am not understanding
your question.
Mr. Walker. His hard drive, okay?
Mr. Milholland. Pardon me?
Mr. Walker. Mr. Maruca's hard drive.
Mr. Milholland. Yes, sir.
Mr. Walker. Who destroyed it? Who authorized it?
Mr. Milholland. That would have followed the normal IT
process of dispositioning of old equipment. And in that sense,
the authorization is the IRS process.
Mr. Walker. Is there a timeline for how long an employee
leaves that hard drives are destroyed? Is there a standard on
it?
Mr. Milholland. No, there is not. It follows ----
Mr. Walker. So it is up to discretion.
Mr. Milholland. There is a lot discretion. There are a
number of steps that are followed as to where it goes. Because
we have had shortfalls in our staffing, oftentimes machines can
sit around before they are disposed of. They may oftentimes
even get so stacked up until someone gets to it.
Mr. Walker. But his did not get stacked up. Mr. Chairman,
my time has expired.
Chairman Chaffetz. I thank the gentleman. I recognize the
gentleman from Alabama, Mr. Palmer, for 5 minutes.
Mr. Palmer. Mr. Chairman, I only have one question.
According to a September 2015 inspector general report, the IRS
spent $139 million in 4 years on upgrading its workstations
from the outdated Microsoft XP to Windows 7, but you still
missed the Microsoft April 2014 end of life deadline. I think
you understand that using a supported version of Windows is
critical to securing data. Yet according to a TIGTA report from
September 28th, 2015, you have got approximately 1,300
workstations that you either cannot locate or you confirmed are
running an old operating system.
My question is, where are you on locating those
workstations and getting them updated?
Mr. Milholland. I think there are a number of questions in
your statement, sir, and I will try answering each one.
Mr. Palmer. Well, just answer the one where you are on the
status of locating those workstations and updating the
software.
Mr. Milholland. We got support from Microsoft to go beyond
the original expiration of XP so we were not taking a risk with
those particular workstations. Second, we took them off the
network so they would be isolated, and would not, therefore, be
possible to hack into them through, I will say, anyone having
access to the network. Where we are with the actual remaining
numbers, if I recall correctly, we are complete. I would have
to double check that, sir, if I can get back to you.
Mr. Palmer. Could you inform the committee where you are on
that, and I would like to have that answer in 7 days. Can we do
that?
Mr. Milholland. Sure.
Mr. Palmer. Mr. Chairman, I will yield the balance of my
time to the chair.
Chairman Chaffetz. I thank the gentleman. Mr. Milholland
and Mr. Tribiano, it is May 2013. TIGTA issues its audit, and
you issue an internal preservation order that is extensive. It
is capped with ``in other words, retain everything to do with
email or information that may have been stored locally on a
personal computer.'' It is pretty broad, but also very
definitive. Did you ever rescind that order? That is a yes or
no question. Did you ever reverse that order?
Mr. Milholland. I changed the order with, as I tried to
explain earlier with a TEGE situation where we had to start
using some of the hard drives that we were saving ----
Chairman Chaffetz. Can you provide that ----
Mr. Milholland.--in order to implement Windows ----
Chairman Chaffetz. Can you provide that to this committee?
Mr. Milholland. Provide which list, sir?
Chairman Chaffetz. When you rescinded that, send that to
this committee. Fair enough?
Mr. Milholland. I will, yes.
Chairman Chaffetz. Thank you.
Mr. Milholland. Yes, sir.
Chairman Chaffetz. Mr. Tribiano, did the IRS ever change
that or rescind the order that Mr. Milholland put out to
preserve?
Mr. Tribiano. Not to my knowledge, sir.
Chairman Chaffetz. After the issuance of that audit, did
the IRS put any new procedures or policies in place regarding
the preservation of emails, hard drives, or anything to do with
people's interaction with the computers?
Mr. Tribiano. That was during the time period where we
initially started the Capstone Project, sir.
Chairman Chaffetz. Okay. You started a project, but was
there any change to the internal functionality of the
preservation of computers, hardware, emails, that sort of
thing? What changed?
Mr. Tribiano. Sir, I was not there. I would have to go back
and look at ----
Chairman Chaffetz. Mr. Killen, what changed?
Mr. Killen. So, following those events, again, in late
calendar year 2014, early calendar 2015, we implemented the
Capstone approach for our senior-most Agency officials. And so,
that ----
Chairman Chaffetz. All government records. You do not have
to be a senior-most official at the IRS to generate a record
that needs to be in compliance with the Federal Records Act or
to be in compliance with FOIA. I want to know after TIGTA had
issued their report in May of 2013, what did the IRS do
internally to preserve and protect the records that they should
have been protecting in the first place?
Mr. Killen. Well, Mr. Chairman, I think that does represent
a fairly substantive change, and ----
Chairman Chaffetz. What does?
Mr. Killen. Well, first of all, implementing the Capstone
approach, you know. We had significant consultation with the
National Archives ----
Chairman Chaffetz. Do you feel it was fully implemented?
Mr. Killen. The Capstone process that we initiated with our
senior officials, yes, that has been fully implemented.
Chairman Chaffetz. If the policy is in place, why was Mr.
Maruca's information destroyed?
Mr. Killen. Fair question. It is an issue of timing because
we implemented the Capstone approach in actually late December
2014. Mr. Maruca had already left the Service by that point.
Chairman Chaffetz. So it takes you more than a year and a
half to implement a new policy. How hard is it to just save a
hard drive? I mean, how hard is that? How expensive is that?
How much does a hard drive cost, do you know?
Mr. Killen. I will defer to Mr. Milholland on that.
Chairman Chaffetz. How much is a hard drive? You want two
gigs.
Mr. Milholland. $100 to $250, depending on the ----
Chairman Chaffetz. Yeah, we are talking about a hundred
bucks here. You got a $1.7 billion issue with Microsoft, and
you all went out and destroyed something that is maybe a
hundred bucks. Mr. Tribiano, you had to issue a new policy in
2016, correct?
Mr. Tribiano. A new policy was issued in 2016.
Chairman Chaffetz. What does that policy do?
Mr. Tribiano. We will not destroy any hard drives or mobile
devices for any departing IRS employees, and we will copy the
hard drives digitally to a server.
Chairman Chaffetz. Congress has been investigating the IRS
since 2011, and you are just now getting the memo to start
preserving things in 2016? Why does it take almost 5 years to
get the message that you should not be destroying things? Why
does it take so long?
Mr. Tribiano. Well, sir, I mean, we have a records
retention policy ----
Chairman Chaffetz. Yeah, but you did not follow it. You did
not follow it. Mr. Maruca's stuff was destroyed, and it should
not have been. And you are misstating the facts, by the way,
because there was another case that they actually copied Mr.
Maruca's, and then they happened to find that. I mean, I find
it totally unbelievable. It truly is an unbelievable set of
circumstances. 24 to 48 hours after this committee issues a
bulletin that we are going to have a hearing, and then suddenly
you find the information?
And the Department of Justice had gone to the courts and
said this stuff had been inadvertently destroyed, but then you
actually did find it. Do you see why we have zero confidence in
the record retention policy and the ability to execute on it?
Mr. Tribiano. Well, sir, you said that I misled you, and if
that is the case, that was not the intent, so I just want to
clarify that. We did find those records, and we found it
because of another litigation hold. I thought I made that clear
in my opening statement. It was not because there was some
other thing. It was pure coincidental that we had another
litigation, and we ----
Chairman Chaffetz. And coincidental and 24 hours after I
issue a notice that you are going to have to come appear here,
suddenly you do find them. That is what is unbelievable. You
had gone to the courts via the Department of Justice and put it
on the record that you did not have them. That was not true,
was it?
Mr. Tribiano. At that time that, that was true, yes, sir.
Chairman Chaffetz. It was not true.
Mr. Tribiano. Well, in hindsight it is not, but at the time
that we went to them and said we might have an issue, it was
true. When it was found that we did copy it for another
litigation hold, we corrected it. We found that there was
another litigation hold.
Chairman Chaffetz. Okay. The gentlemen's time has expired.
I now recognize myself or recognize Mr. Carter for 5 minutes.
Mr. Carter. Thank you, Mr. Chairman. Mr. Milholland, help
me out here. I am just trying to educate myself. What is the
timeline between when an employee leaves the IRS and when their
hard drive is erased?
Mr. Milholland. Yeah, that timeline can vary from immediate
to 6 months.
Mr. Carter. What determines that? What determines the
variation?
Mr. Milholland. Where the person is when they leave. For
example, if you are in ----
Mr. Carter. I mean, what hallway they are in?
Mr. Milholland. What office they are in. For example, the
equipment, if it is picked up by IT, has to be shipped to
another location. But if you are in the D.C. area, for example,
it might happen very quickly and such. We typically send these
devices to a particular data center for the degaussing once we
separate the hard drive from the rest of the PC.
Mr. Carter. Okay. When was Mr. Maruca's hard drive erased?
What day?
Mr. Milholland. The deputy commissioner can answer the
details, but ----
Mr. Carter. Okay.
Mr. Tribiano. Well, we do not know the date, and I think
that is what the problem is. We know we sent it or consolidated
it on August 5th. We picked it up from the manager. We
consolidated it with other hard drives and other laptops, and
we sent it to our Memphis facility. It arrived in ----
Mr. Carter. Now, where was Mr. Maruca because you said, Mr.
Milholland, that it depended on what office he was in. Which
office was Mr. Maruca in?
Mr. Tribiano. Go ahead.
Mr. Milholland. He was in D.C. as I ----
Mr. Carter. He was in D.C. So you just said if he is in
D.C., it ought to be pretty quick.
Mr. Milholland. It could be depending, again, on the
process being followed and the staff that we have to do that
work. If there was an intent that we say, hey, we could reuse
this device very quickly, then at that point we would separate
the hard drive from the rest of the platform and put a new hard
drive in.
Mr. Carter. But in the case of Mr. Maruca, you do not know
what day it was destroyed?
Mr. Tribiano. No, sir. It was sent down to the Memphis
facility, and it was stored down there with other laptops and
other computers that were marked for disposal.
Mr. Carter. Okay. So where it was sent down to, do they
have a record of it? Can you call them and find out? I mean,
surely they keep a record to tell you, okay, we destroyed this
hard drive this day, this one this day.
Mr. Milholland. No, sir. What we keep a record of is the
asset. Once we separate the hard drive from the rest of the
computer, the rest of the computer is sent off for salvage by
an outside contractor.
Mr. Carter. I am not worried about the rest of the
computer.
Mr. Milholland. Yeah, you are saying ----
Mr. Carter. I am worried about what gets erased. It would
just occur to me or it would appear to me that you would have a
day on there, somebody would keep a day that said that this is
the day it was erased.
Mr. Milholland. Not necessarily, sir, because we do not
view it as a major asset at that point. Its disposition, we
have flagged for destruction. It is sent into the system. Okay,
this ----
Mr. Carter. Do you ever consider it to be an asset, an
important asset?
Mr. Milholland. Once it is flagged for disposition to be
destroyed, no.
Mr. Carter. Okay. And this is even after we have had the
experience with Ms. Lerner and with her hard drive being
destroyed and being wiped out. Even after that we still do not
have in place when exactly we destroyed it. We still do not
know. So you are telling me that is a matter of policy?
Mr. Milholland. It is a matter of the workload and the
resources we have to do that task.
Mr. Carter. The workload and the resources.
Mr. Milholland. Yes, sir.
Mr. Carter. So everything is determined by the workload and
the resources, not by its importance.
Mr. Milholland. Well, the importance is that we had already
decided that this particular drive could be, in fact, be
destroyed. At that point it is deemed worthless, so it is
stacked up with other hard drives.
Mr. Carter. I just find it to be a very poor excuse about
resources. I mean, it would seem to me like that you would have
been really on your toes, especially in light of what has
happened in the past. It would seem to me that you would want
to absolutely know when a hard drive was destroyed or wiped
out. I mean, you see where I am going here.
I am just getting the impression from where I am sitting,
it looks like the IRS is just taking the attitude, hey, we are
above the law here. I mean, that is what it looks like to me,
and I can imagine what it looks to a regular citizen who is
being audited by the IRS. It is really confounding to me that
we do not keep better records than this. It would appear to me
the IRS, in light of everything that has happened in the way of
hard drives being wiped out, that your policy would be better
and that you would be keeping better records. So you can
understand why the general public thinks, well, they think they
are above the law here.
I am just flabbergasted by this. Mr. Chairman, I do not
know what to say except that I hope that you will take it as a
lesson and understand that, you know, there are people out
there who are being audited by the IRS who feel like they are
being targeted, feel like they are being treated unfairly, and
feel like the IRS thinks they are above the law. And in
instances like this, you can understand why they feel that way.
This is unacceptable.
Mr. Chairman, I yield back.
Chairman Chaffetz. I thank the gentleman. Myself and Mr.
Jordan have just a couple of other questions, and we are going
to wrap up the hearing. And members are advised we have votes
on the floor soon.
Since when has the IRS preserved all of its internal
emails? When did they start to do that?
Mr. Killen. So our internal email, again, there are nuances
to it. So ----
Chairman Chaffetz. You are either saving them all or not.
Do you save all the emails?
Mr. Killen. All our internal emails--all--are not being
saved, but we have the plan in place in order to get there. All
of our emails for our senior-most officials are saved. We have
actually had substantial interaction with NARA, so I do want to
get this point across that NARA ----
Chairman Chaffetz. Hold on. I want to get to this point.
You still to this day do not preserve all of the IRS emails
internally. You do not save those.
Mr. Milholland. May I answer that question, Mr. Chairman?
Chairman Chaffetz. Yeah.
Mr. Milholland. The answer is we save them on our backup
tapes and have since that original email that Representative
Jordan was referring to.
Chairman Chaffetz. Then why did Mr. Killen just tell me
that we do not do that?
Mr. Milholland. I think he was referring to all the ----
Chairman Chaffetz. No, no. He can tell you what he is
referring to.
Mr. Milholland. I am sorry, sir.
Chairman Chaffetz. Mr. Killen, you just told me that they
do not preserve all the emails.
Mr. Killen. I think there is a distinction between what we
have preserved on the network and what we have preserved via
backup and disaster recovery process. And I think that is the
distinction that Mr. Milholland was going to make.
With respect to, because I do want to be clear about this
point. The directive that we are under is that all email should
be in an electronically accessible format by the end of
calendar year 2016. That is the plan that we have implemented.
That is the plan that we are on a trajectory to meet. But in
the interim, and, again, this has all been a process that we
have worked with NARA on. In the interim, our senior-most
Agency officials' emails are being preserved, and that is sort
of, I talked about this multi-pronged approach that we have
implemented. That is ----
Chairman Chaffetz. Is there anything, Mr. Milholland, that
you would disagree with that he just said?
Mr. Milholland. No, sir. We are going to be NARA compliant.
Chairman Chaffetz. Here is the problem, okay? Here is the
problem with the testimony. This is testimony from John
Koskinen of June 23rd, 2014, and here is what he says: ``I
would note, however, since the investigations into the
application process for 501(c)(4) organizations began in May of
last year, the IRS''--here it is--``the IRS has saved backup
tapes for all emails on the IRS' servers, which includes tapes
for the 6 months preceding May of 2013.'' And you are telling
me that is not true, and that is why we keep coming after the
IRS, and that is why we are not going to let go of this.
I recognize the gentleman from Ohio.
Mr. Milholland. Sir, could I make one statement, please?
Chairman Chaffetz. The gentleman from Ohio.
Mr. Jordan. If I could, Mr. Chairman, this will be my third
time, and the right fine gentleman from North Carolina has not
went. I just have two questions anyway, Mr. Chairman.
Mr. Meadows. I will yield to the gentleman from Ohio for
two questions, and then take up the balance. How about that?
Mr. Jordan. Okay. So, Mr. Milholland, on March 4th when you
discovered the tapes are destroyed, March 4th, 2014, the backup
tapes are destroyed. You testified in the TIGTA investigation
that you were blown away by the fact that your directive was
not followed. What did you do then? And I guess specifically
what I am asking is, did you have any conversations with your
direct report, Mr. Tribiano's office, or the person who runs
Mr. Tribiano's office, and/or Mr. Koskinen?
Mr. Milholland. At that particular time, the TIGTA
investigation was still going on, so I was not allowed to talk
about the conversation I had with TIGTA until after the report
was released.
Mr. Jordan. Okay. So when you learned that the tapes had
been destroyed, your directive was not followed, you had no
conversation with the commissioner?
Mr. Milholland. No.
Mr. Jordan. Subsequent to when it became public, have you
had conversations with the commissioner?
Mr. Milholland. Yes, sir.
Mr. Jordan. About this specific issue.
Mr. Milholland. The general conversation around backup
tapes, yes, sir, and that is what I was trying to correct
earlier. We have retained backup tapes for indefinitely since
that email was issued. Those are off of the exchange system,
which is the primary email system of the Enterprise.
Mr. Jordan. I get that, but I am asking more specific. Did
you have a conversation with Mr. Koskinen and say, look, I gave
a directive. It was not followed. 422 backup tapes were
destroyed. We no longer have those records at all. Did you have
that conversation with Mr. Koskinen?
Mr. Milholland. No, I did not specifically.
Mr. Jordan. Okay. One final one here. In your opening
statement, this is Mr. Maruca's situation. His hard drive was
designated for erasure before the issuance of the litigation
hold. Is that right?
Mr. Tribiano. Yes, sir.
Mr. Jordan. Okay. Yet you said later that his data was, in
fact, though, backed up because you had another litigation
hold.
Mr. Tribiano. Yes, sir.
Mr. Jordan. So why didn't the previous litigation hold
prevent you from destroying the hard drive?
Mr. Tribiano. Because the data was backed up, and it was
sent to the digital. What happens is when the attorneys request
the information, it goes into their--I might be calling it the
wrong thing--their e-Discovery system where they can access the
data and do whatever they need to do for discovery purposes.
Mr. Jordan. And just to be clear, a litigation hold does
not trigger preservation of hard drives. That only triggers it
goes to a backup?
Mr. Tribiano. No, sir. It preserves the records for use in
the litigation.
Mr. Jordan. And the best record would be the hard drive,
not the backup. But under this situation, you did not do that.
Mr. Tribiano. The records are what was on the hard drive
and backed up at that point in time.
Chairman Chaffetz. Will the gentleman yield?
Mr. Jordan. Sure.
Chairman Chaffetz. Then why did the Department of Justice
on behalf of the IRS go to the court and say these records had
been destroyed?
Mr. Tribiano. Because at that time that we notified the
Department of Justice, we did not know that we had the backup
of that hard drive for that other litigation. So we told the
Department of Justice that we did not have the hard drive.
Chairman Chaffetz. And you have no records of what you
destroy and when you destroy it, correct?
Mr. Tribiano. That is correct. What we know is that on 10/
27, it was received in Memphis, and between that period and the
period of April 16th, I believe, when the shell of the computer
was delivered to the third party vendor, it was during that
time period.
Chairman Chaffetz. How convenient. You have no records of
what is destroyed and when, and yet you require every American
to keep all their records. That is what so fundamentally wrong
and screwed up with the IRS. That is just wrong. And there a
lot of good people that work at the IRS, but you know what? You
go after Americans, but you do not take care of business at the
IRS. It is just wrong. It is just wrong.
And it causes mess. We are talking about a $1.7 billion
case, and you guys cannot keep track of what you destroy and
when you destroy it. How hard is it to put a log in there,
``destroyed this one at this time?'' How long does that take? I
mean, you can go to Best Buy and buy something off the shelf
for like 50 bucks. I just do not understand that. Do you have
an answer for that?
Mr. Tribiano. I do not think it would be that difficult,
sir.
Chairman Chaffetz. Then why is it not done?
Mr. Tribiano. I can turn that over to the Mr. Milholland
who runs the IT shop and runs those procedures, and ask what
that would mean from a staffing perspective and from a
documentation perspective. But I think what Mr. Milholland
alluded to was that it is an asset, and it is kept into the
assets, and it is kept into the system up to the point where it
is marked for disposal. And at that point it stops.
Chairman Chaffetz. I yield back to the gentleman from North
Carolina.
Mr. Meadows. Thank you, Mr. Chairman. Mr. Milholland, let
me tell you the issue that most Americans have with this.
Storage is cheap. I mean, we have gotten to a point where even
storage of millions of records is really cheap. We have gotten
to a situation where it would have been so much easier when the
first hearing happened, not 24 hearings later, but the first
hearing, to say, you know what? Gosh, we are going to have this
problem. We had better preserve everything. What precluded you
from doing that, from preserving everything at that point? When
Lois Lerner first came in here and took the 5th, what stopped
you from saying let us just preserve everything?
Mr. Milholland. I cannot recall the subject ever coming up,
sir.
Mr. Meadows. Now, you cannot recall the subject coming up.
It was in the headlines, I mean, almost every major newspaper,
and the subject did not come up about keeping it? And yet your
testimony today says that you are NARA compliant. Would you
care to revise your statement, because I do not believe that
you are NARA compliant at this point. Having the National
Archives underneath my subcommittee, I would probably beg to
differ with that. So would you like to revise your ----
Mr. Milholland. I would ask that Mr. Killen to respond to
whether or not we are NARA compliant since that is his area of
expertise.
Mr. Meadows. All right. So are you NARA compliant?
Mr. Killen. We are generally NARA compliant.
Mr. Meadows. No, there is a ``yes'' or ``no.''
``Generally'' is if I am speeding and I generally go below the
speed limit I do not get a ticket. But only those couple of
times that I go beyond the speed limit I actually do get a
speed limit ticket. Tell me, are you compliant or not?
Mr. Killen. Well, I have to speak to the wording of the
report, I mean, because we have had NARA reviews. And so,
certainly we have opportunities for improvement, and ----
Mr. Meadows. Then you are not NARA compliant.
Mr. Killen. But on the whole, NARA has opined that we are
generally ----
Mr. Meadows. You are making progress I think is what they
are saying.
Mr. Killen. We are certainly making progress, and we have
opportunities ----
Mr. Meadows. But today you are not NARA compliant, which
means that all communication would be preserved, would it not?
Mr. Killen. We certainly have work to do.
Mr. Meadows. Okay. So if you have work to do, then you can
revise your statement that you are NARA compliant because
obviously you are not.
Mr. Milholland. In that sense, you are correct, sir.
Mr. Meadows. All right. So let me go a little bit further,
and I am going to piggyback on what the chairman talked about.
Mr. Killen, why is it taking so long? I mean, why is this
taking so long for us to get it right? Why December of 2016?
Mr. Killen. Well, I think that the 2016 date is predicated
on the OMB directive. That does not extend to just IRS.
Mr. Meadows. So it is OMB's fault.
Mr. Killen. No, no, it is not an issue of fault. It is an
issue of what is the origin of the December 2016 date. And the
origin of that December 2016 date is the OMB directive that
says that all Federal agencies should have email in an
electronically accessible format.
Mr. Meadows. So it would not have anything to do with the
change of Administration.
Mr. Killen. I could not speak on that. I do not ----
Mr. Meadows. Well, do you not find it curious that December
2016 and Administration change would happen within 20 days of
that date?
Mr. Killen. I really cannot speak on that.
Mr. Meadows. Okay. All right. So let me go on a little bit
further because part of this whole hearing process has been
other types of communications. And you all have been very
careful to say ``email communications,'' but there are a number
of other electronic communications that go on the system and go
back and forth. Is that correct, Mr. Milholland?
Mr. Milholland. Are you referring to instant messaging,
sir?
Mr. Meadows. Yeah. I mean, do you not have substantial
communications among some senior-level people at the IRS that
happens outside of email?
Mr. Milholland. Yes, sir. There are obviously phones. There
are ----
Mr. Meadows. Okay. How about on text messages or instant
messaging?
Mr. Milholland. Actually I do not actually ----
Mr. Meadows. You do not. Does anybody there use instant
messaging?
Mr. Tribiano. I do not, sir. It is on our system.
Mr. Meadows. Yeah. You know, our gray hair probably throws
this away, but I will go to the end. Mr. Killen, I am sure you
do, do you not?
Mr. Killen. I certainly do.
Mr. Meadows. I figured you would, so it may be a general
thing. But, Mr. Killen, do you use that instant messaging to do
anything more than ``is it time to go to lunch or a coffee
break?'' I mean, do you conduct business on instant messaging?
Mr. Killen. Generally speaking, I do try to be careful
about what I ----
Mr. Meadows. Has there ever been a case where you have used
instant messaging for business?
Mr. Killen. I am sure there probably has been.
Mr. Meadows. Yeah. And so, here is the issue, Mr.
Milholland, and I am going to finish with this. Storage has
become cheap. Backup tapes are becoming a thing of the past. I
remember backup tapes, and I do not understand why with the
amount of money that we are spending that we are still using
backup tapes, unless they are just such legacy programs that we
have to use the backup tapes for storage.
We are committed to providing the resources. What we have
not seen is the commitment to really get serious about
preserving everything like Commissioner Koskinen has said he
would do. And until we see that, we are going to take issue.
Does that make sense?
Mr. Milholland. I understand you, sir.
Mr. Meadows. All right. I will yield back.
Chairman Chaffetz. I thank the gentleman. The committee
stands adjourned.
[Whereupon, at 3:18 p.m. the committee was adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[all]