[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


 IRS: REVIEWING ITS LEGAL OBLIGATIONS, DOCUMENT PRESERVATION, AND DATA 
                                SECURITY

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 11, 2016

                               __________

                           Serial No. 114-93

                               __________

Printed for the use of the Committee on Oversight and Government Reform


[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                               _____________
                               
                               
                          U.S. GOVERNMENT PUBLISHING OFFICE
22-591 PDF                       WASHINGTON : 2016


_______________________________________________________________________________________  
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected]  
                    
                      
                      
                      
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                   Jennifer Hemingway, Staff Director
                 David Rapallo, Minority Staff Director
     Henry Kerner, Deputy Director of Oversight and Investigations
                         Jack Thorlin, Counsel
                    Sharon Casey, Deputy Chief Clerk
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on February 11, 2016................................     1

                               WITNESSES

Mr. Terence Milholland, Chief Technology Officer, Internal 
  Revenue Service, Washington, D.C.
    Oral Statement...............................................     9
    Written Statement............................................    10
Mr. Jeff Tribiano, Deputy Commissioner, Operations, Internal 
  Revenue Service, Washington, D.C.
    Oral Statement...............................................    14
Mr. Edward Killen, Director of Privacy, Governmental Liaison, and 
  Disclosure, Internal Revenue Service, Washington D.C.
    Oral Statement...............................................    15

                                APPENDIX

2016-04-07 Mr. Tribiano IRS re: Hearing Follow-up Responses......    52

 
 IRS: REVIEWING ITS LEGAL OBLIGATIONS, DOCUMENT PRESERVATION, AND DATA 
                                SECURITY

                              ----------                              


                      Thursday, February 11, 2016

                   House of Representatives
       Committee on Oversight and Government Reform
                                           Washington, D.C.
    The committee met, pursuant to call, at 1:02 p.m., in Room 
2154, Rayburn Office Building, Hon. Jason Chaffetz [chairman of 
the committee], presiding.
    Present: Representatives Chaffetz, Mica, Jordan, Walberg, 
Amash, DesJarlais, Gowdy, Massie, Meadows, DeSantis, Buck, 
Walker, Blum, Hice, Russell, Carter, Grothman, Hurd, Palmer, 
Cummings, Maloney, Norton, Connolly, Kelly, Watson Coleman, 
Plaskett, DeSaulnier, Boyle, and Welch.
    Chairman Chaffetz. The Committee on Oversight and 
Government Reform will come to order. Without objection, the 
chair is authorized to declare a recess at any time.
    We are here today because the IRS' current leadership has 
proven irresponsible and negligent. The IRS cannot seem to 
properly preserve documents or ensure both privacy and security 
in accepting electronic tax returns. The Agency is in desperate 
need of new leadership to put it on a better course. There are 
already a number of examples of IRS incompetence and neglect in 
the past few years, but several incidents in recent weeks have 
made it clear for the need for further serious oversight and 
meaningful reform.
    As millions of individuals and companies prepare to file 
tax returns, the IRS must ensure its data systems are secure. 
Last summer, the IRS suffered a massive hack, leaving the tax 
information of 300-plus thousand individuals exposed. The 
hackers used that information to file fraudulent returns 
totaling something in the neighborhood of $50 million in 
refunds before the IRS figured out what was happening. But it 
has been well documented billions of dollars have 
inappropriately gone out the door.
    And the facts surrounding the recent events appear very 
similar. On January 25th, 2016, the IRS detected unusual IP 
traffic on its network. This turned out to be a coordinated bot 
attack or botnet aimed at the e-file system. The hackers' goal 
was to recover taxpayer e-PINs, electronic pins, which would 
allow them steal refunds of innocent taxpayers. Roughly 450,000 
unique social security numbers were used by hackers in at least 
950,000 attempts to obtain these electronic PIN numbers. All 
told, the hackers are estimated to have stolen more than 
101,000 of these electronic PIN numbers.
    This latest breach raises serious concerns about the 
security of the system overall as well as the potential for 
paying out fraudulent claims, but none of this should surprise 
the IRS. In the last evaluation of the IRS' information 
security, the inspector general in September of 2015 
determined, ``Until the IRS takes steps to improve its security 
program deficiencies and fully implement all security program 
areas in compliance with FISMA requirements, taxpayer data will 
remain vulnerable to inappropriate and undetected use, 
modification, and disclosure.'' It probably does not get any 
worse or dire in terms of a warning. This level of incompetence 
is intolerable for an agency where millions of individuals file 
their most personal financial information.
    We are also here to discuss the failure of the IRS to 
properly preserve documents subject to lawsuits, and/or 
internal preservation orders, as well as FOIA requests. We take 
FOIA very seriously. The Freedom of Information Act is the 
public's right to know. It also allows companies and other 
organizations to access data so they can defend themselves.
    On January 15th of 2016, the Department of Justice 
disclosed in a Federal court filing that the IRS had erased a 
hard drive belonging to a former senior Agency employee named 
Samuel Maruca. And if this story sounds similar to things we 
have heard about with Lois Lerner and others, it is, and that 
makes us sick. It is disgusting. It has to stop. We are doing 
everything we can to highlight. It is inappropriate, and yet it 
continues.
    The hard drive contained information subject to FOIA 
litigation. Despite the lawsuit, an internal preservation 
order, and the legal obligation to preserve related documents 
to the IRS, the IRS wiped the hard drive and scheduled it for 
recycling. This involved a multibillion-dollar issue relating 
to Microsoft. The hard drive likely sat in queue and was wiped 
up to 4 months after the internal preservation was ordered. 
Again, after. Internal preservation in place, then the wiping 
of a hard drive.
    We cannot say for sure to pinpoint the date because the IRS 
does not know when the hard drive was wiped clean. Hard drives. 
You go to Best Buy, you can buy them for less than a hundred 
bucks. In a multibillion-dollar situation, this is what we are 
talking about, but, again, this continues to be familiar.
    In March of 2014, the IRS destroyed backup tapes containing 
Lois Lerner's emails which were subject to investigation by 
Congress, the inspector general, the Department of Justice. 
There were five open investigations, two duly issued subpoenas, 
and the IRS wiped the data. Here we have another case where 
people properly filed FOIA requests, and they wiped it again. 
This is just 1 month after the Agency learned that a 
significant portion of the Lerner emails were missing, and, 
again, it happened. As it turns out in the Maruca case, the 
IRS, by sheer luck, already copied the hard drive because of a 
different lawsuit. It was not because of competence. It was 
just sheer luck.
    So if you look at the IRS, they have roughly $2.4 billion 
they spent on IT, and it is worthless. Absolutely worthless. 60 
to 70 percent of those funds are spent on legacy systems, 
preserving old things like COBOL and other types of things, but 
there are still billions of dollars in fraud running through 
the system.
    We have a situation we are going to talk about today where 
there was a reported hardware failure. The story we got is that 
there was a power outage, but then the redundant power, the 
backup power, it also went out. How does that happen? Why do 
you have redundant power if it also goes out? When we asked 
through questioning about a breach, I put out a tweet pretty 
quick and said, you know, this so-called hardware failure maybe 
was a breach. We start to go and probe and have an 
investigation. We have a bipartisan staff talking to the IRS, 
and then they say, oh, we should probably tell you about the 
breach. What breach?
    If you look at the timeline of this, let us go through this 
because this is just days ago. Our committee, Oversight and 
Government Reform, a week ahead email to the press confirmed 
that there would be a hearing on February 11th relating to IRS 
document destruction and data security. On February 8th, 
majority and minority committee staff has a call with the IRS 
regarding the e-filing outage and the status of the Maruca hard 
drive. The IRS gives an update on how it planned to recover the 
hard drive and confirmed it had been wiped. After that date, 
our staff asked about the breach referring to the e-filing 
issue. Mr. Milholland, who is here with us today, begins 
describing the previously unreported and undisclosed breach. 
The IRS legal staff intervened and said that he was talking 
about a different event, so we asked for more information about 
that.
    The next day, February 9th, miraculously in the Wall Street 
Journal, the IRS releases further details regarding the breach 
in another phone call with the majority and minority committee 
staff, and shortly thereafter the IRS releases a statement to 
the Wall Street Journal regarding the breach. If we had not 
been asking about another incident, we would not have known 
about this incident, and it affects over 100,000 people.
    This is a recurring theme. It is totally unacceptable. We 
look forward to peppering you with questions, and we expect 
answers.
    With that I will yield back, and now recognize the ranking 
member, Mr. Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman. I always 
try to start out hearings by stating what I think we can all 
agree on. Today I think we can agree that the IRS should have 
strong systems in place to properly preserve Federal records 
and to protect its computer systems from cyberattacks. I think 
we can agree on that, and those are valid goals, and I know 
that the IRS agrees with them.
    However, I do not believe this committee has been serving 
its intended purpose when it comes to the IRS generally. 
Unfortunately, Republicans have become obsessed with 
investigating any and every allegation relating to the IRS, no 
matter how small. I believe this is because Republicans were 
not able to find any evidence to support their baseless 
accusations that the White House conspired with Lois Lerner to 
target conservative groups for political reasons. They also 
were not able to identify any evidence that Commissioner 
Koskinen or any IRS employees destroyed evidence in order to 
obstruct our investigation.
    For the record, this is our 23rd hearing on the IRS. The 
23rd. 23rd. That is amazing. We have now interviewed 54 
witnesses. The IRS commissioner has testified six times, more 
than any other agency has over the past 3 years. The IRS had 
produced more than 1.3 million pages of documents from 88 
custodians in response more than 80 requests for documents. Yet 
despite this exhaustive multi-agency, multi-committee, 
multiyear investigation, this wild goose chase continues, and 
it has come up empty.
    Last year, the inspector general issued his report and 
identified no evidence to substantiate Republican claims of 
political motivation by the White House or intentional 
destruction of evidence. Specifically, the report found, ``No 
evidence was uncovered that any IRS employee had been directed 
to destroy or hide information from Congress, the DOJ, or 
TIGTA.''
    The Justice Department also conducted an investigation and 
concluded that, ``Not a single IRS employee reported any 
allegation, concern, or suspicion that the handling of tax 
exempt applications or any other IRS function was motivated by 
political bias, discriminatory intent, or corruption.'' The 
Justice Department also found, ``no evidence that any official 
involved in the handling of tax exempt applications or IRS 
leadership attempted to obstruct justice, and no evidence of 
any deliberate attempt to conceal or destroy information.'' 
Amazingly, none of these findings stopped the Republicans from 
trying to impeach the IRS commissioner, despite the fact that 
there is no evidence that he intentionally obstructed our work 
or destroyed documents.
    The problem now is that our committee is in a mindset where 
we are just trying to get the IRS, and unfortunately the public 
does not always get a complete or accurate picture as a result. 
For example, the impetus for today's hearing was a press report 
that an IRS employee, who was leaving the Agency, had his hard 
drive erased in violation of a court order. However, we 
received a letter from the IRS last week explaining that, in 
fact, the IRS copied this employee's hard drive first. Another 
example is the outage the IRS experienced last week. The 
chairman stated that his gut reaction was that the outage was, 
``It really does smell like a hack.'' However, the IRS has now 
briefed our committee that, in fact, it was due to a mechanical 
device failure, and there is, ``zero percentage chance that 
this was a cyberattack.''
    Yet another example Republicans have focused on is the 
incident involving PIN numbers that occurred in January. What 
is not mentioned is that, in fact, the IRS successfully blocked 
the IP addresses from which this attack was initiated. As a 
result, this week the IRS confirmed, ``No personal taxpayer 
data was compromised or disclosed by our IRS systems.'' These 
are critical facts, and I hope that the public understands them 
and any press that are here will repeat them. As I said 
earlier, this is our 23rd hearing on these types of allegations 
against the IRS.
    Imagine instead if we had held 23 hearings on the issue 
that actually matters to the American people. Imagine if we had 
held 23 hearings where we brought in drug company officials to 
explain their skyrocketing prices. Now, that is something that 
we could really help our fellow citizens on and would make a 
big difference. Going forward, I hope we will use the resources 
and the authority of this great committee to serve the 
interests of our constituents.
    I want to thank our witnesses for being with us today. I 
look forward to your testimony. And with that, Mr. Chairman, I 
yield back.
    Chairman Chaffetz. I thank the gentleman. I will now 
recognize Mr. Jordan of Ohio as the chairman of the 
Subcommittee on Healthcare Benefits and Administrative Rules, 
and recognize him for 5 minutes.
    Mr. Jordan. Thank you, Mr. Chairman. The ranking member 
said Republicans have had 23 hearings where they are ``trying 
to get the IRS.'' We are not trying to get the IRS. The IRS is 
trying to get conservative Americans who are exercising their 
1st Amendment free speech rights. 23 hearings is a pretty small 
price to pay when you are trying to protect fundamental 
liberties in the Constitution, for goodness sake. So I want to 
thank the chairman for this hearing on document preservation, 
data security. If anyone needs it, certainly the IRS needs a 
lesson in how to preserve documents.
    Let me give you a quick little history here. Several years 
back, Brian Downing orders destruction of documents that TIGTA 
needs in their audit. The person who was ordered to destroy the 
document comes forward as we want whistleblowers to come 
forward when something wrong is going on, comes forward and 
tells Stephen Whitlock, the then acting director of the Office 
of Professional Responsibility, and he says just keep 
destroying the documents.
    Fast forward to 2013. Again, the IRS gets caught with their 
hand in the cookie jar. Lois Lerner's now famous speech, May 
10th, 2013, where she goes to the Bar Association, lies to the 
American people, says it was not us, it was just those folks in 
Cincinnati. Complete lie. It was folks in Washington 
orchestrating this targeting against conservative groups. Later 
that year, later in 2013, Mr. Koskinen is brought in to clean 
up the mess. In fact, the President himself said, ``He's the 
expert at turning around institutions.''
    So what has the turnaround been? The chairman just talked 
about it, right? What has the turnaround been? We had this case 
with Microsoft where an IRS employee, Sam Maruca, his hard 
drive is wiped clean when there is a preservation order in 
place not to destroy any records relative to that court case 
and that investigation. And, of course, the one that I think is 
most important, Mr. Koskinen, brought in as the turnaround 
expert, learns that Lois Lerner's hard drive has had problems. 
He waits 2 months before he tells Congress and the American 
people, and, more importantly, under his watch, 422 backup 
tapes are destroyed after there are three preservation orders. 
Three orders, one from Mr. Milholland himself, do not destroy 
anything. And what does the IRS do? Three preservation orders, 
one from the IRS themselves, one from TIGTA, one from the 
Justice Department doing a criminal investigation, and two 
subpoenas from this committee, what does the IRS do? They 
destroy 422 backup tapes containing potentially 24,000 emails 
relevant to a congressional investigation and a criminal 
investigation. So there is a pattern here.
    Now, finally, Mr. Chairman, just to add insult to injury, 
guess what the Internal Revenue Service did? That very first 
example I gave you about Mr. Whitlock who said, no, keep 
destroying the documents that the whistleblower came forward 
and said we are doing. Guess what happens? I guess at the IRS 
if you destroy documents, you get a promotion. Mr. Whitlock was 
just named head of the Office of Professional Responsibility.
    So to the ranking member, I think a 24th hearing with that 
kind of history at this organization is more than warranted, 
for goodness sake. There is a pattern of destroying records, a 
pattern of destroying documents, and, frankly, a pattern of 
destroying records and documents when you have been told not 
to. Preservation orders and whistleblowers coming forward, and 
yet it continues, and when that happens, some people get 
promoted at the IRS. Of course we need this hearing, and I look 
forward to hearing from our witnesses.
    Chairman Chaffetz. I thank the gentleman. I will now 
recognize the gentleman from Virginia, Mr. Connolly, for 5 
minutes.
    Mr. Connolly. Thank you, Mr. Chairman, and thank you, Mr. 
Ranking Member. 23 hearings on the IRS. You know, when you 
cannot prove it, charge it anyhow. Repeat it. Do it louder. Try 
to suborn the TIGTA to make sure that his audit is limited with 
direct advice from you and your staff. Accuse people without 
facts. Hammer it home on your favorite network, and hopefully 
it will sink in and become true even if the facts belie it.
    Chairman Chaffetz. Will the gentleman yield?
    Mr. Connolly. No. I am tired of these hearings. I am tired 
of insinuation. I am tired, frankly, of what looks to a lot of 
people like demagoguery.
    Chairman Chaffetz. Will the gentleman yield?
    Mr. Connolly. No, Mr. Chairman, sadly I will not. I will 
finish my statement. We need the IRS. We need it to be 
functional. The same people that want to pillory you here today 
for your performance do not want to take responsibility for the 
fact they have starved the beast. They have cut a billion 
dollars from the IRS budget, degrading service, making it very 
difficult for the IRS to actually do its job. We leave $350 
billion on the table every year, taxes owed, but not collected. 
That could make a big dent in the debt. We could reduce the 
debt over 10 years by $3 and a half trillion without raising 
anyone's taxes and without cutting any essential services, but 
we do not want to do that.
    We do not want to do that because illogically the IRS is 
such a juicy target for our base and making the case that you 
represent the hard knell booted government on our necks. And 
why in the world would we want to do anything to strengthen 
you? And as a result, we have IT systems, according to John 
Koskinen, that go back to the Kennedy Administration. That is 
53 years ago. And we wonder why things are not totally 
functional? We wonder why IRS is not fully efficient? We wonder 
why hard drives crash when the average age of a computer at IRS 
with 91,000 employees is 7 years plus. In the private sector it 
is 2 to 3 years.
    So to archive stuff, we have to print and save because we 
cannot trust aging legacy technology systems, and this Congress 
will not reinvest in you to bring you up to the 21st century 
because that would make you more efficient. That actually might 
make you be able to better do your job, and dysfunctionality 
serves our purposes illogically and politically.
    So, yeah, that is why we have 23 hearings, and we demonize 
people, and we deny them their 5th Amendment rights, and make 
charges that turn out to be without foundation. It does a 
disservice to this committee, in my opinion, and I have sat 
through every one of these hearings.
    And I began truly concerned. Was this, in fact, going on? 
Did IRS, in fact, target a particular group or philosophy? As 
the ranking member said, all of the facts tell us no. Was there 
ineptitude? Was there political tone deafness? Yes. Was there a 
deliberate attempt by a Federal agency to target a particular 
political group or set of groups because of their political 
philosophy? No. And you can charge to the contrary all you 
want, but the evidence trail does not tell us that. But it 
makes for good television, and it riles up the base, and it 
probably raises money, but it is not worthy of the Oversight 
and Government Reform Committee.
    And as the ranking member said, had we spent 23 hearings 
looking at price gouging on pharmaceuticals, we actually might 
have improved someone's life. We might have actually helped 
some seniors better afford the drugs they need. We might have 
made a contribution to bettering government. But this is a 
charade. This is not about making government better, and it is 
not even really about holding you accountable. I wish it were. 
It is to pillory you for political purpose, and I regret that.
    Now, Mr. Chairman, I do yield.
    Chairman Chaffetz. For you to suggest and try to assign a 
motivation to our attempt here to get at the truth is beneath 
the gentleman from Virginia. Name one thing that I said in my 
opening statement that is not true. Name it. You do not have 
anything.
    Mr. Connolly. You do not have anything, Mr. Chairman.
    Chairman Chaffetz. Yes, I do.
    Mr. Connolly. I reclaim my time.
    Chairman Chaffetz. Will the gentleman yield?
    Mr. Connolly. No.
    Chairman Chaffetz. I have a point I want to make about IT.
    Mr. Connolly. The chairman can use his own time because he 
has got plenty of it, and he is more than prepared to use it. I 
reverse it. I echo what the ranking member said. I do not think 
you have proof.
    Chairman Chaffetz. The gentleman's time has expired. The 
gentleman's time has expired.
    Mr. Connolly. Okay, thank you.
    Chairman Chaffetz. With the concurrence with the ranking 
member, I would like to make a point about IT because I think 
that is part of the heart of why we are here today. Is the 
gentleman okay with that?
    Mr. Cummings. Go ahead.
    Chairman Chaffetz. I was elected at the same time as 
President Obama, so use that as a marker. The Federal 
government has spent more than $525 billion on IT, and it is 
worthless. One of the questions I have here with an operating 
budget for the IT sector roughly $2.4 billion a year, why is it 
that we have such poor systems? Why is it that we have DOS, and 
COBOL, and other things? We have got good hardworking, 
patriotic people that work at the IRS. We have 4,000 of them in 
the State of Utah, and they are using an old dilapidated 
system. I do not know how they do it. They try to patch and 
Band-Aid this thing together, and they cannot seem to have 
enough resources.
    The President puts out a thing saying I need $3 billion 
more? We were only $3 billion short? What happened to the other 
$525 billion? That is a legitimate bipartisan question. It is 
part of the reason I am here today. How is it that the IRS goes 
via the Department of Justice and tells a judge that they do 
not have these records? And it is not until this committee in a 
bipartisan way with the staff says where is this information 
that miraculously they said, oh, we actually do have it.
    That is a legitimate question. It is why we have another 
hearing. I did not even start the week before last thinking we 
were doing an IRS hearing. I yield to the gentleman from 
Maryland.
    Mr. Cummings. Questions have been raised by the chairman. I 
would hope that you would address those. One of the things that 
all of us, and I know the gentleman from Virginia is one who is 
an expert in IT and has spent a phenomenal amount of time 
trying to make sure our government properly functions 
effectively and efficiently. And the question that the chairman 
just raised with regard to the use of old systems when we 
should be in the modern age are questions that, I think, are 
legitimate questions.
    And so, I look forward to your responses. Does the 
gentleman ----
    Mr. Connolly. I would just add to my friend from Maryland, 
I could not agree more that those are legitimate lines of 
inquiry, but they have to be balanced with what has happened to 
your budget so that you can make those investments. Has it gone 
up or down? Has Congress shown a commitment to try to modernize 
your IT systems so that we do not have this kind of problem? 
Presumably we could find common ground. That is non-partisan 
agreement.
    Chairman Chaffetz. It is in my set of questions and why we 
are having this hearing today.
    Mr. Connolly. Except that it is not.
    Mr. Cummings. Reclaiming my time, Mr. Chairman, I yield 
back.
    Chairman Chaffetz. I just have to say, and I will give you 
equal time here. For the gentleman to suggest those are not my 
questions and to impugn the motive of any member is totally 
inappropriate.
    Mr. Connolly. I would simply say I did not impugn anybody's 
motive. I characterized this hearing and this process, and if 
the gentleman wishes to take exception to that or offense by 
that ----
    Chairman Chaffetz. Oh, I take deep exception to it.
    Mr. Connolly. Well, I regret ----
    Chairman Chaffetz. It is bipartisan. We get equal time, and 
there is a legitimate reason to understand why they go to the 
Department of Justice, represent that they do not have the 
documents. We ask for them, and then they miraculously say, oh, 
yes, I guess we do have them.
    Mr. Connolly. I think that the chairman can certainly 
appreciate questioning the process and the 23rd hearing on the 
IRS without necessarily personalizing it. The chairman knows I 
do respect him, and I certainly made no attempt to try to 
personalize it. But would I characterize this process 
negatively? Yes. I have made no secret of that, and I do not 
apologize for it, and I do not retract it.
    And it is not impugning you or any other individual to call 
into question that process. That is my right as a member of 
this committee, and I will not be silenced by deliberating 
trying to personalize it so that the critique somehow is 
diluted. The critique stands. You do not have to agree with it, 
Mr. Chairman.
    Chairman Chaffetz. I do not.
    Mr. Connolly. But I stand by it.
    Chairman Chaffetz. Let us move on. Let us move on.
    Mr. Connolly. Fine, let us move on.
    Chairman Chaffetz. I am pleased to welcome Mr. Terry 
Milholland, chief technology officer at the Internal Revenue 
Service, Mr. Jeff Tribiano, deputy commissioner of Operations 
at the Internal Revenue Service, and Mr. Ed Killen, Director of 
Privacy, Government Liaison, and Disclosure at the Internal 
Revenue Service. I appreciate you all being here today.
    If you will, please rise and raise your right hands.
    [Witnesses rise.]
    Chairman Chaffetz. Do you solemnly swear or affirm that the 
testimony you are about to give will be the truth, the whole 
truth, and nothing but the truth, so help you God?
    [Chorus of ayes.]
    Chairman Chaffetz. Thank you. You may be seated. Let the 
record reflect that the witnesses all answered in the 
affirmative.
    In order to allow time for discussion, we would appreciate 
it if you would limit your oral presentation to 5 minutes. Your 
entire written statement will be made part of the record. Mr. 
Milholland, you are now recognized for 5 minutes.

                       WITNESS STATEMENTS

                STATEMENT OF TERENCE MILHOLLAND

    Mr. Milholland. Chairman Chaffetz, Ranking Member Cummings, 
members of the committee, my name is Terence Milholland. I am 
the IRS chief technology officer and chief information officer. 
I appreciate the opportunity to testify today.
    In my role at the IRS, I'm responsible for all aspects of 
the systems and data that operate our tax infrastructure. We 
have a 7,000-person information technology organization that 
maintains 500-plus systems and data, and supports the 
processing of 200 million tax returns annually.
    Before joining the IRS 7 years ago, I spent 3 decades in 
the private sector and held a number of information technology 
leadership positions. My experiences included as executive vice 
president and chief technology officer of Visa International. I 
was also the chief information officer and chief technology 
officer for Electronic Data Systems Corporation, and before 
that the chief information officer for the Boeing Company.
    It is an honor for me to serve the public as the IRS CTO, 
and to support the tax system by helping the Service modernize 
its IT systems.
    This concludes my opening statement, and I'd be happy to 
take your questions.
    [Prepared statement of Mr. Milholland follows:]
    [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

    
    Chairman Chaffetz. I thank the gentleman. Mr. Tribiano, you 
are now recognized for 5 minutes.

                   STATEMENT OF JEFF TRIBIANO

    Mr. Tribiano. Chairman Chaffetz, Ranking Member Cummings, 
and members of this committee, my name is Jeff Tribiano, and I 
am the deputy commissioner for Operations Support for the IRS. 
I appreciate this opportunity to testify today.
    In my position at the IRS, I oversee internal operations, 
which includes information technology, human capital, finance, 
privacy, procurement, planning, facilities, and security. Prior 
to joining the IRS in June of 2015, I served as the associate 
administrator and chief operating officer of the Department of 
Agriculture's Food Nutrition and Consumer Services. And prior 
to joining the Federal government in 2010, I held a number of 
key leadership positions with Fortune 500 companies. In 
addition, for more than 22 years I have served and continue to 
serve our country as a captain in the United States Navy 
Reserves, to include three mobilizations and deployments to the 
Middle East.
    My experiences in the public sector, private sector, and 
military have given me a deep understanding of the importance 
of public service. I'm especially proud to be part of the 
leadership team at the IRS and to work for an agency with such 
an important mission. In my 8 months at the Agency, I have 
found this team to be an amazing organization filled with 
dedicated and talented people, and I'm privileged to work 
alongside of them.
    Turning to the subject of today's hearing, the IRS has been 
working for more than a year to modernize our records 
retentions practices in regard to emails and other electronic 
records. We are implementing the National Archives and Records 
Administration's Capstone approach to managing email, and are 
working towards full implementation by the end of Calendar Year 
2016. At that point, our systems will permanently preserve the 
email records of all employees in electronic format.
    Our ultimate goal is to end the reliance on computer hard 
drives of individual employees as an archive records store, and 
instead use network databases to preserve all records that are 
electronically generated by the workforce. As we make these 
improvements for the long term, we recognize we need additional 
interim measures to ensure we are doing everything possible to 
retain official records until a more comprehensive solution is 
in place.
    This need became apparent when an issue arose in connection 
with the Service's collection and production of documents 
related to a Freedom of Information Act case captioned 
Microsoft v. the IRS. In January of this year, the IRS advised 
the Court that we had discovered an issue regarding the 
computer hard drive of Samuel Maruca, a former IRS employee who 
we identified in a litigation hold effort undertaken in 
December of 2014 in connection with the case.
    Shortly after Mr. Maruca left the Service on August 1st, 
2014, his hard drive was designated for erasure so it could be 
securely reused or scrapped in line with the standard IRS 
procedures. Because Mr. Maruca's hard drive was designated for 
erasure before the issuance of the litigation hold, the hold 
did not prevent the erasure of this hard drive, which occurred 
in late 2014 or in early 2015.
    However, we do believe the erasure of Mr. Maruca's hard 
drive will have minimal effect on our ability to complete 
document production in this instance. We know that Mr. Maruca's 
hard drive was copied on July 16th, 2014 in connection with the 
document collection being undertaken for a separate litigation. 
We have, therefore, determined that the data stored on his 
computer hard drive up to July 16th, 2014 has been preserved. 
We also have emails copied on Mr. Maruca's network account in 
July of 2014, and if necessary, we also can access our backup 
tapes or disaster recovery tapes in order to produce documents.
    Even so, we recognize the situation will reflect a 
shortcoming in our document controls. Therefore, pending 
further review of the IRS' litigation hold procedures, the 
Commissioner has ordered a halt to the erasure and recycling of 
employees' devices, including computer hard drives and mobile 
devices, for all departing employees. We'll now copy material 
off the hard drive of every employee who leaves the Agency, and 
store that information in a digital format in addition to 
retaining the physical hard drive.
    We are also broadening our litigation hold procedures to 
ensure that hold instructions are provided not only to the 
pertinent employees, but also to the employee's supervisor. 
We'll also update our procedures for processing employees who 
leave the Service to ensure that appropriate personnel are 
advised of pending litigation holds and document collection 
efforts involving the records of custody for departing 
employees.
    In closing, I want to assure the committee that the IRS is 
committed to building on these efforts and to make further 
improvements, and continue focusing on serving the Nation's 
taxpayer.
    This concludes my statement, and I'll be happy to answer 
any questions.
    Chairman Chaffetz. Thank you. Mr. Killen, you are now 
recognized for 5 minutes.

                   STATEMENT OF EDWARD KILLEN

    Mr. Killen. Chairman Chaffetz, Ranking Member Cummings, and 
members of the committee, my name is Edward Killen, and I am 
the director of Privacy, Governmental Liaison, and Disclosure 
at the IRS. I appreciate the opportunity to testify today.
    In my role at the IRS, I represent the Agency's interests 
in multiple aspects, including records management, information 
protection, disclosure, data sharing, and combatting identity 
theft. My office manages relationships with Federal, State, and 
local agencies by facilitation and oversight of various data 
sharing programs and initiatives. We also work to ensure the 
protection of Federal tax information in the custody of our 
data exchange partners.
    The bottom line for my office is that we're working every 
day to protect taxpayers, safeguard their personal data, and 
promote both privacy and transparency principles, including the 
appropriate availability of Agency records.
    I've spent my career in public service, beginning as a 
presidential management fellow with an appointment to the 
Social Security Administration. In 2003, I joined the IRS as a 
policy analyst in our Wage and Investment Division. Since then, 
I've had the opportunity to carry out a wide range of 
assignments in different areas at the Service, including 
leadership positions as the director of Governmental Liaison, 
Disclosure, and Safeguards, and senior advisor to the deputy 
commissioner of Operations Support. I have also engaged in 
numerous and diverse detail assignments across the IRS, 
including stints within our Chief Counsel's Office and the 2008 
economic stimulus team.
    I'm proud of the years I've spent in public service and 
grateful for the chance to continue to serve the American 
taxpayer.
    This concludes my statement, and I would be happy to take 
your questions.
    Chairman Chaffetz. Thank you. You all seem like decent 
individuals. The question is, why do we have to keep coming 
back and asking for the same basic information? The IRS advice 
to individuals in businesses is that they should hold their own 
personal business and tax information for how long? How long 
are you supposed to hold onto your own personal information? 
Mr. Tribiano?
    Mr. Tribiano. Sir, that is not my area. I am with 
Operations Support, so I ----
    Chairman Chaffetz. Mr. Killen, how long? How long does the 
IRS advise you to hold onto your own personal information?
    Mr. Killen. Well, I think it would depend on the particular 
circumstances. But, you know, as a general matter, probably 7 
years or so is probably ----
    Chairman Chaffetz. 7 years. I mean, that is what I have 
generally heard as well, 7 years. So how long does the IRS hold 
onto its own data and information? Mr. Maruca leaves the 
employment. Why the swift erasure of everything that he has? 
Why does that happen? Mr. Killen?
    Mr. Killen. Well, I think in the particular case of Mr. 
Maruca, as the written testimony shows and as I think we will 
probably talk through the day, that was largely a factor of 
sequencing and of particular circumstances. But I think the 
thing that I would reiterate about that is that essentially we 
have found the file, the data ----
    Chairman Chaffetz. Okay, but, yes, you did find the file 
because we pushed the issue, forced the issue. But on January 
15th of this year, the Department of Justice on the behalf of 
the IRS actually filed a notice with the Federal court that 
they had erased Mr. Maruca's hard drive.
    Here is the fundamental problem. You require us, the 
people, to hold onto their information for 7 years. The IRS 
erases their information. There is no consequence. Nobody is 
held accountable. There was an internal preservation order, but 
it was ignored, and there is no consequence for that, right? 
Who issued the internal preservation order?
    Mr. Tribiano. That came from our legal department.
    Chairman Chaffetz. How does that process not hold that 
information?
    Mr. Tribiano. The internal preservation order came, it was 
actually a litigation hold order, came after Mr. Maruca left 
the Agency.
    Chairman Chaffetz. What originally happened is Microsoft 
filed a Freedom of Information Act request. That was not 
complied with, so they had to go to court and wait to get a 
court date, and then get to the court to try to say where is 
this information, and you had already erased it in less than a 
year. I do not understand why the IRS asks us to hold 
information or 7 years, and you do not even hold it for 7 
months. How does that happen? Why does that happen?
    Mr. Tribiano. Well, Mr. Chairman, it was a timing issue. 
Again, Mr. Maruca left the Agency on August 1st.
    Chairman Chaffetz. But if we have to hold our information 
for 7 years, how come the IRS does not have to hold its 
information for 7 years?
    Mr. Tribiano. The information from Mr. Maruca's system is 
backed up with our backup tapes. It is just harder to get into 
that system, and Mr. Milholland can walk through that. It is 
the hard drive that is easier to access, and that ----
    Chairman Chaffetz. Right now today, how long does the IRS 
preserve its own internal documents? How long?
    Mr. Tribiano. It depends on the documents. Mr. Killen can 
walk you through that.
    Mr. Killen. That is true. You know, there are various 
records, disposition schedules for different types of records, 
both across the Federal government as a general matter, but 
certainly within IRS, so it is largely fact dependent. But ----
    Chairman Chaffetz. Give me a range. What is the shortest 
amount of time, what is the longest amount of time.
    Mr. Killen. Oh, it can really vary.
    Chairman Chaffetz. You have a $1.7 billion dispute, and you 
have the person who is working on the issue, they leave 
employment for whatever reason. I am sure it was a legitimate 
reason. But why is all that information suddenly erased, and 
how do you go in front of a judge and say we no longer have 
that information? How does that happen?
    Mr. Killen. Well, I mean, so certainly we ----
    Chairman Chaffetz. Because neither--sorry--neither of those 
things were true, right? Neither of those things were true. You 
actually did have the information, but you represented to the 
Department of Justice that you did not have it. But it was 
erased even though there was an internal preservation order.
    Mr. Tribiano. At the time that the Department of Justice 
was notified, we thought that there was information saved. When 
we went back to take a look at it and to go through the 
records, we found that we did back it up for another litigation 
hold up through July 16th of 2014. Mr. Maruca left the Agency 
on August 1st.
    Chairman Chaffetz. Can you help detail for us, and you are 
not going to be able to get through it verbally now. My time 
has expired. I have two things that I would love to understand. 
How do preservation orders internally work, and why are they 
not adhered to because we had that happen in the Lois Lerner 
case. We have that happening in the Microsoft case. How does 
that happen? And then the second thing is I would like to know 
what documents you do and do not retain and for how long? And I 
fundamentally do not understand why it is not the same for the 
IRS as it is for the American people.
    Could you between the three of you get back to the 
committee on those two topics? Is that fair?
    Mr. Tribiano. Yes, sir.
    Chairman Chaffetz. Let the record reflect all three of them 
thought it was fair. All right.
    Chairman Chaffetz. My time has expired. I will now 
recognize the gentleman from Virginia, Mr. Connolly, for 5 
minutes.
    Mr. Connolly. And let the record show this member has felt 
the chairman has always conducted himself fairly. We do not 
always agree, but I think he has always been fair.
    I want to talk a little bit about investments and capacity. 
Mr. Tribiano, is it true that the Agency's inflation-adjusted 
budget has been cut by 17 percent since 2010?
    Mr. Tribiano. Yes, sir.
    Mr. Connolly. Is it further true that by Fiscal Year 2015 
we whittled down your funding and your budget to the lowest 
level in 5 years?
    Mr. Tribiano. Yes, sir.
    Mr. Connolly. Is it also true that, in effect, when you 
count inflation, that means that your budget has the buying 
power of the budget of 1998?
    Mr. Tribiano. Yes, sir.
    Mr. Connolly. That is a long time ago. The reduction has 
been about $1.2 billion?
    Mr. Tribiano. Yes, sir.
    Mr. Connolly. And in Fiscal Year 2015 alone, the budget was 
cut another $346 million from the previous year funding. Is 
that correct??
    Mr. Tribiano. Yes, sir.
    Mr. Connolly. Well, let me see. Because of these cuts, as I 
understand it, the workforce has been cut by 17,000 since 2010. 
Is that correct??
    Mr. Tribiano. Yes, sir.
    Mr. Connolly. Two-thirds of your top managers have left in 
the last 5 years. Is that correct??
    Mr. Tribiano. Yes, sir.
    Mr. Connolly. 40 percent of your workforce, by the way, on 
top of that is eligible to retire by 2019 largely because of 
the baby boom generation. Is that correct?
    Mr. Tribiano. Yes, sir.
    Mr. Connolly. Well, do these cuts and reductions have an 
impact on productivity, customer service?
    Mr. Tribiano. Yes, sir, it has a direct impact.
    Mr. Connolly. Does it impact your audit capability?
    Mr. Tribiano. It impacts our audit capability and our 
revenue collection of capability as well.
    Mr. Connolly. Well, Mr. Milholland, do these cuts have any 
impact at all on the IT budget?
    Mr. Milholland. Yes, sir.
    Mr. Connolly. How so? Do you want to elaborate a little?
    Mr. Milholland. It affects people, processes, and 
technology. For example, in the people area, we know that we 
have 67 people who are the single points of failure, so to 
speak, for particular systems. If they left, we would not have 
any knowledge to deal with an issue in that particular system 
they support. That is how thin we have become is that we now 
can identify the places where we are truly thin, so we have to 
deal with risk mitigations for those particular systems.
    Mr. Connolly. So Mr. Koskinen was quoted last week as 
saying we have got systems that go back to the Kennedy 
Administration. What was he talking about?
    Mr. Milholland. What he was referring to are systems like 
the individual master file or the business master file, where 
these systems were literally designed and architected in the 
1960s and rolled out in the 1970s. Those systems are where 
literally your tax returns, the master file record of your tax 
returns, are kept. We have been ----
    Mr. Connolly. Let me interrupt you one second there. So my 
tax returns might be kept on a system that goes back to the 
1960s and 1970s?
    Mr. Milholland. That was architected in the 1960s and 
1970s. That is correct, sir.
    Mr. Connolly. What could go wrong with that?
    Mr. Milholland. Well, that is one of the many issues that 
we deal with is the sustainability of those long-lasting legacy 
systems so that every year we can have a smooth filing season.
    Mr. Connolly. So when we talk sometimes about retrieving 
information, archiving information, being able to produce 
documents or evidence with respect to a court case, we are 
relying in many cases on technology to be our friend that goes 
back 40, almost 50 years.
    Mr. Milholland. Obviously depending on the case, so to 
speak, if individual taxpayer data is being accessed, that 
architecture is that old. The access mechanisms might be more 
current.
    Mr. Connolly. Right.
    Mr. Milholland. But the fundamental underlying structure is 
reliant upon systems that were built in that era.
    Mr. Connolly. Okay. You come from private sector?
    Mr. Milholland. Yes, sir.
    Mr. Connolly. You are now the CTO for a public sector 
entity. Real quickly in the time I have got left, what would 
you do and what would it cost to do what you do to modernize 
and upgrade the IRS so it is functioning as a modern 
technology-oriented entity in 2016?
    Mr. Milholland. Yes, sir. I will try to be very brief. We 
built a technology roadmap. We did that a few years ago and 
have been executing against it for the future state; that is, 
to bring the IRS so it looks like a digital company in the 
financial area; that is, comparable to the way a large 
financial institution would operate. That means that we have to 
upgrade a number of the underlying processes which are based in 
these, as I say, the 1960s architecture, bring them into a 21st 
century architecture, and implement the technology that allows 
that.
    We have standardized on modern programming languages, for 
example. All new developments since I have arrived, they are in 
Java, for example, rather than the more ancient languages like 
assembly language, or COBOL, or these, I will just say, simply 
legacy programming languages. We have standardized on a 
different operating system, in our case, Linux, for example, a 
very modern operating system environment that is very common 
across all of private enterprise.
    And we have been slowly and steadily migrating new systems 
of what we have had to invest in to support things like FATCA, 
the Affordable Care Act, the Revenue Return Program, our fraud 
detection system, all are built, I will say, the right way so 
that we can slowly remove ourselves from dependencies on these 
older systems.
    And then the last comment I would make, we have plans to 
get off, so to speak, of that dependency. The Congress has 
supported us in our business systems modernization program in a 
program called CADE 2, Customer Account Data Engine. The second 
transition state of that is underway in which we are converting 
off of that master file system into a modern relational 
database program, at the same removing the financial material 
weakness of the older individual master file systems.
    Let me stop there because I could certainly go on and on 
and on.
    Chairman Chaffetz. I thank the gentleman. I would simply 
ask that the digital roadmap that you are talking about, if you 
could provide this committee that copy of this roadmap, I think 
we would both like to look at it. When you can provide that to 
this committee?
    Mr. Milholland. As soon as our release mechanism allows us. 
Soon if I can get away with that.
    Mr. Connolly. Mr. Chairman, if we could also to that 
request the cost. What would it cost?
    Chairman Chaffetz. Yes, that would be great because ----
    Mr. Connolly. Thank you.
    Chairman Chaffetz.--the IRS has had over the last 5 years 
more than $11 billion in just IT expenditures. It is a 
significant amount of money. We would appreciate you sharing 
that plan with us.
    Mr. Milholland. Mr. Chairman, could I add one other thing?
    Chairman Chaffetz. Sure.
    Mr. Milholland. The roadmap does not stand by itself. It 
goes along with a business plan which we call a future state 
vision, in which all of the businesses as outlined, how do they 
want to actually operate in the next 3 to 5 years, and then 
that roadmap supports that plan. So you would actually need to 
understand both.
    Chairman Chaffetz. If you could provide both, that would be 
appreciated.
    Mr. Milholland. All right.
    Chairman Chaffetz. Fair enough? And I appreciate it.
    Chairman Chaffetz. I thank the gentleman for his questions, 
and I am surprised after 23 hearings you still have questions.
    Mr. Connolly. It was a struggle, Mr. Chairman.
    Chairman Chaffetz. Yes. Yeah, you still have questions, and 
so do we. We will now recognize the gentleman from Ohio, Mr. 
Jordan, for 5 minutes.
    Mr. Jordan. Thank you, Mr. Chairman. Mr. Milholland, in May 
of 2013, the country learns that the IRS has been targeting 
conservative groups. Congressional investigations are 
announced. The President has a big press conference. The 
Attorney General announces that there is a criminal 
investigation that will be following. As the chief information 
officer, did you take any action to preserve information data 
and documents?
    Mr. Milholland. Yes, sir.
    Mr. Jordan. And what action was that?
    Mr. Milholland. We issued a directive to my staffs down 
through every level of management and individuals to hold onto 
every piece of information.
    Mr. Jordan. Was your order clear?
    Mr. Milholland. I certainly thought it was clear.
    Mr. Jordan. I am going to read from it. ``Do not reuse, or 
refresh, or wipe information from any personal computer that is 
being reclaimed, returned, refreshed, updated from any employee 
or contractor of the IRS. Effective immediately, the email 
retention policy for backups is to be indefinite rather than 6 
months.'' Pretty clear, right?
    Mr. Milholland. Yes, sir.
    Mr. Jordan. You go on in that email to say this, ``In other 
words, retain everything.'' Now, ``everything'' is a pretty big 
universe, so I do not know how you could be more clear. So the 
chairman has asked this a couple times. How in the world did 
the IRS end up destroying, with that clear directive, end up 
destroying 422 backup tapes that were extremely relevant to the 
investigation?
    Mr. Milholland. As you are undoubtedly aware having that 
email, TIGTA did their report out. They looked at every step of 
the process along the way of how did we end up doing that. In 
fact, I think I was quoted in there when they interviewed me as 
I was literally blown away by the fact that it had happened 
because, again, I thought the instructions were remarkably 
clear.
    Mr. Jordan. So I think they are clear, too, if I could just 
interrupt, Mr. Milholland. So I think they were pretty clear, 
too. So did you do anything else? Did you just send this email 
out or this directive out that says keep everything and then 
that was it? Is that all you did?
    Mr. Milholland. Within IT, the information technology 
organization, we discussed it with staff and with the executive 
team that we needed to do this. We were also in the midst of 
consolidating all the email servers that were sitting around 
the country into our two primary data ----
    Mr. Jordan. Let me interrupt again. I only got 5 minutes 
here. Were there other preservation orders that came to the 
Internal Revenue Service, other orders to preserve documents, 
not just the one you sent out internally, but were there others 
that come in from the outside?
    Mr. Milholland. I really do not know. You would have to ask 
the chief counsel about that.
    Mr. Jordan. Yeah, well, there were two, right? There was 
one from the Justice Department and one from TIGTA that said, 
hey, they want to just reinforce and preserve documents. So did 
you take any action relevant to those other orders to preserve 
all information?
    Mr. Milholland. I do not recall seeing those orders, so --
--
    Mr. Jordan. When the legal staff got the order from the 
Justice Department to preserve all the information, they did 
not say, hey, you better make sure we do not destroy anything. 
They did not communicate it to you, and then you did not 
communicate another email like the one we were just talking 
about.
    Mr. Milholland. I am totally unfamiliar with the order that 
you are discussing. We always have a practice generally when a 
request comes in that counsel needs us to hold onto items, they 
send an email around to the responsible individuals ----
    Mr. Jordan. Okay.
    Mr. Milholland.--and tell them to literally--sorry. Go 
ahead.
    Mr. Jordan. What about the subpoenas? This committee sent 
two subpoenas. Did that warrant or did that trigger you taking 
any further action than this one email that you sent?
    Mr. Milholland. No, sir.
    Mr. Jordan. So the two subpoenas and the other two 
preservation orders, the IRS chief information technology 
officer, that did not trigger you to do anything else. You sent 
this one email that I think is pretty clear, but that is all 
you did.
    Mr. Milholland. As I tried to express earlier, Congressman, 
we discussed the request to hold on to all of those items that 
were in that email throughout our staffs so the executive team, 
the management team, would understand how serious this was. 
And, therefore, to protect ----
    Mr. Jordan. So there is ----
    Mr. Milholland.--basically the retention of information.
    Mr. Jordan. I got it, yeah.
    Mr. Milholland. So it was reinforced constantly to do so.
    Mr. Jordan. So then why was it not? So there are two key 
questions. There are two questions, and I have got 30 seconds 
here. Two questions. One, when you say ``keep everything'' and 
then 422 tapes, 24,000 emails are destroyed, I want to know how 
that happened and why that happened. Second, this is the 
question I get all the time from folks back home. Who is held 
responsible? So there is an order given from the chief 
technology officer to keep everything, and it is not kept. In 
fact, it is destroyed. Who was disciplined? Who was held 
accountable? That is what we would like to know.
    Mr. Milholland. I will answer the second question first. I 
held myself accountable as it was reported in the TIGTA report 
that it starts at the top. I was at the top, and, therefore, 
myself and my management chain were held to be accountable. 
That was part of our performance plans and such and was 
discussed appropriately when we discovered this particular 
incident when it happened.
    Mr. Jordan. Let me just ask one other question. Did you get 
a raise the last few years? Have you had a raise in your 
salary?
    Mr. Milholland. Because I am in the senior critical, I got 
an adjustment because of this senior critical pay.
    Mr. Jordan. Did your pay go up?
    Mr. Milholland. Yes, it did.
    Mr. Jordan. The last 2 years?
    Mr. Milholland. I think only once in the last 2 years.
    Mr. Jordan. Who is your direct boss? Who do you report to? 
When I look at your chain of command, it looks to me like you 
report to Mr. Tribiano.
    Mr. Milholland. Mr. Tribiano.
    Mr. Jordan. And, Mr. Tribiano, your office is a direct 
report to the commissioner of the IRS. Is that right?
    Mr. Tribiano. Yes, sir.
    Mr. Jordan. All right. So what happened there? You find out 
this guy does an order, and that is as clear as it gets, retain 
everything. It is not followed. Tapes are destroyed, 24,000 
emails. That information comes to you. What did you tell Mr. 
Koskinen?
    Mr. Tribiano. Well, sir, I was not part of the IRS during 
that time.
    Mr. Jordan. What did your office tell Mr. Koskinen?
    Mr. Tribiano. I do not know what my office told Mr. 
Koskinen.
    Mr. Jordan. You come to the hearing, you know we are 
talking about record retention, and you do not know what 
happened?
    Mr. Tribiano. I did not say that, sir. I said I was not 
responsible, and I was not there.
    Chairman Chaffetz. The gentleman's time has expired.
    Mr. Jordan. Thank you, Mr. Chairman.
    Chairman Chaffetz. We will now recognize the gentlewoman 
from the District of Columbia, Ms. Norton, for 5 minutes.
    Ms. Norton. Thank you, Mr. Chairman. I understand that we 
are here talking about what we loosely call data preservation 
and security, but we are doing so for the IRS, where the data 
that we most want to keep to ourselves is to be found. I have 
often wondered how the IRS is able to attract the advance 
technical professional employees to do what needs to be done. 
You know, it is easy enough for us to tell you what you should 
do.
    So I am interested in exploring what we can do to make it 
possible for you to do what you are supposed to do. Now, what 
intrigued me was this notion of critical pay authority that 
allows the IRS--other agencies have it, too--to hire people who 
it would be very difficult to attract to the public service 
otherwise. Do I understand, Mr. Milholland, that you are a 
critical pay employee?
    Mr. Milholland. Yes, ma'am.
    Ms. Norton. Is it fair to say that in order to come to the 
IRS, you took a pay cut?
    Mr. Milholland. Yes, ma'am.
    Ms. Norton. Would that have been a significant pay cut?
    Mr. Milholland. Yes, ma'am.
    Ms. Norton. So when we look at how important this data is, 
I wanted to see how many people were in this position. I 
understand that you are authorized in these critical positions, 
that the IRS is authorized only for 168, only for 40 at one 
time. I am quite amazed at that. And even they can only serve 4 
terms. You would be lucky to keep them for 4 years. You would 
be lucky to keep them for 4 years when you consider how 
critical these people are. We do H-B1 visas that are so 
critical in our own country.
    Is my information correct that here are only 19, Mr. 
Milholland, of these critical technical people at the IRS at 
this point?
    Mr. Milholland. I can answer for the number in information 
technology. There are 11. I believe Mr. Tribiano can cover the 
rest.
    Mr. Tribiano. Yes, ma'am, we have 14. And I would just like 
to note, ma'am, that we do not have that authority anymore. 
That authority expired.
    Ms. Norton. Well, that was going to be my next question. I 
understand that this number, since they can only stay 4 years, 
that that number is depleted every time you get to the end of 
the 4-year term. And that critical person, even if they have 
not already left to go to some high tech company, has to go 
then.
    Mr. Tribiano. Yes, ma'am.
    Ms. Norton. And you have had no authority for at least 2 
years ----
    Mr. Tribiano. Yes, ma'am.
    Ms. Norton.--to hire people. That is why you are down to 
19.
    Mr. Tribiano. 14 in total.
    Ms. Norton. 14 for you, Mr. Tribiano, and ----
    Mr. Tribiano. No, 14 in total for the Agency, ma'am.
    Ms. Norton. Oh, for the entire Agency out of 168 that are 
authorized.
    Mr. Tribiano. Yes, ma'am. We lose one this year, and then 
the remaining 13 next year.
    Ms. Norton. This is malfeasance it seems to me, but it is 
on our part. I do not know how we could have gotten without at 
least authorizing. I do not know if there is enough funds even 
if authorized, but if you were able to even attract such 
people, you deserve our congratulations. But if we can continue 
to reprimand you for things you do not do in data collection 
while we do not recognize our responsibility to authorize you 
to have what I regard as a very small number of technical 
professionals on board, then there is a disparity here that I 
think the government has to take account of.
    Chairman Chaffetz. Would the gentlewoman yield?
    Ms. Norton. Yes, sir.
    Chairman Chaffetz. My understanding of this process is that 
the Office of Management and Budget has the opportunity to 
offer 800 people within the Federal government critical pay 
authority in consultation with the Office of Personnel 
Management. Of the 800 available slots for critical pay 
authority, they are only using 4. Not 400, 4 of the 800 that 
are already ----
    Ms. Norton. Where is this, in this Agency?
    Chairman Chaffetz. Well, throughout government. So if the 
IRS commissioner needs critical pay authority, for instance, 
for IT specialists, which I would probably actually agree with, 
there is already a process and authorization in place where OMB 
with OPM goes and gets that authorization.
    Ms. Norton. Well, I understand they do not even have to go 
through OPM. Is this authority authority that you think the 
Agency needs?
    Mr. Tribiano. Yes, ma'am. Streamlined critical pay is very 
important to us, and if we are able ----
    Ms. Norton. But do you think you have the authority? The 
chairman thinks you already have the authority.
    Mr. Tribiano. Not under what we had before, which is 
streamlined critical pay. What the chairman is referring to, I 
believe, is, if I understood right, is an OMB, I mean, an OPM 
process that exists for critical IT.
    Ms. Norton. But the people we are talking about do not have 
to go through that process, do they?
    Mr. Tribiano. Streamlined critical pay, no, ma'am. We would 
recruit directly from the private sector into the top IT 
positions.
    Chairman Chaffetz. If the gentlewoman would yield, if the 
IRS has a case, the mechanism that Congress previous to me had 
set up is that they make the case to the Office of Personnel 
Management or through the OMB. In concurrence, they can grant 
that all within the executive branch without having to come to 
Congress.
    Ms. Norton. But it expired 2 years ago.
    Chairman Chaffetz. No. Well, I will work with the 
gentlewoman to help clarify this, but I do believe it is 
currently available. The gentlewoman's time has expired, but I 
will work with the gentlewoman on this topic.
    Ms. Norton. I wish you would because the testimony has been 
pretty direct here that it has expired, and our own research 
shows it has expired.
    Chairman Chaffetz. Okay. Well, again, we will be happy to 
work with you. We now recognize the gentleman from Michigan, 
Mr. Walberg, for 5 minutes.
    Mr. Walberg. Thank you, Mr. Chairman. And just in reference 
to statements made earlier by a member of our committee 
concerning several senior-level administrators leaving under 
the guise of the challenges of doing the job here, remember 
some of those left under a rather dark cloud pleading the 5th 
under potential impeachment, et cetera. So we do not need to 
forget that also.
    Mr. Milholland, you mentioned that when finding out that 
your direct orders for preservation were disregarded, you were 
blown away. Coming from your experience in the private sector, 
extensive experience and background in the private sector, I 
would assume that orders like that would not have been 
disregarded clearly without significant consequence. So I do 
want to go back to a question made by a colleague of mine, Mr. 
Jordan, and just get a more direct answer. Do you know of 
anyone who was reprimanded for not following the preservation 
notice? Reprimanded or worse.
    Mr. Milholland. The way we handled the situation was 
waiting until the TIGTA report was in where basically, as I 
say, the TIGTA concluded there was no criminal wrongdoing, 
which was peace of mind. Someone did not deliberately set out 
to do this. And then, in reading through their report, what 
conclusion do you come to?
    As I say, management--me--took accountability for our 
management chain's failure to see that the instruction was 
followed. That then was dealt with through performance reviews 
and feedback to people for their whole entire performance 
through the appropriate chain and such. We did not penalize or 
punish anyone on the floor because they thought they were doing 
what they were supposed to do. They had received instructions. 
They were following a process, and ----
    Mr. Walberg. But the leadership team, any one reprimanded?
    Mr. Milholland. In the sense of in their performance review 
feedback, yes.
    Mr. Walberg. But no other consequences beyond that.
    Mr. Milholland. No other consequences, no, sir.
    Mr. Walberg. I doubt that in the private sector it would 
have been as simple as that. Let me move on. Let me move on. 
The taxpayer advocate recently released a report on the IRS 
future state plan that stated the IRS's intent to move all 
taxpayer filing and help systems to an online platform.
    In the last 9 months, the IRS has experienced at least two 
electronic data breaches surrounding taxpayer P-2s. This 
includes the May 2015 breach that exposed more than 100,000 
taxpayers' sensitive information. The taxpayer advocate also 
found that roughly 1 in 5 taxpayers who were victims of 
taxpayer identity theft had their IRS files closed. Despite 
unresolved issues remaining, taxpayers, in other words, still 
had to wait an average of 6 months before the negative impact 
of taxpayer identity theft was addressed.
    Mr. Tribiano, in light of these breaches, why does IRS feel 
that now is the best time to roll out a more expansive and 
pervasive online tax system?
    Mr. Tribiano. Well, sir, if I can just add one thing to 
that. We are not abandoning and going everything to digital or 
to online. We still have to take care of the taxpayers that 
still want to file paper returns and go that route. But the 
customers in this case, the taxpayers, have advocated for us, 
or for the IRS, to operate more as a large multinational type 
of bank to be able to do things online. As you can imagine, 
they would rather deal with us online more so than deal with us 
in person, so we are shifting.
    It is a 3- to 5-year process to go to where we want to go, 
what we call future state. And that is to be able to have 
interactions with the taxpayers electronically the way they are 
asking for it.
    Mr. Walberg. How do you propose to protect them, though, 
online?
    Mr. Tribiano. As we build out the technology, we are 
changing and adapting it, and I think Mr. Milholland can walk 
you through some of the things ----
    Mr. Walberg. Walk me through that, some of the means by 
which you can stop the breaches that could very clearly come 
that has taken place in person, but it could take place 
extensively online.
    Mr. Milholland. Yes, sir. We have an initiative we call the 
eAuthentication Authorization and Access Initiative. The first 
part of this is what we are doing to get transcripts back 
online. If you recall, with that original issue from last May 
and June, we took it offline until we could get it right; that 
is, the underlying authentication. Can we really identify that 
the individuals coming in are who they say they are. That work 
is underway. We hope to roll that application back up some time 
this spring.
    But we also have done other things that we started changing 
the way that we handle, I will say, the online environment. The 
particular technologies we, in fact, deployed as a result of 
the ``Get Transcript'' incident were, in fact, what allowed us 
to stop this bot attack from 2 weeks ago explicitly. The 
ability to capture and see that this attack was ongoing is a 
direct result of us improving that environment.
    A number of other tools and such are built into our cyber 
investment plan. It is what we are going to use some of the 
monies that are now made available to us from the Congress 
through an extra $290 million. About $100 million of that has 
been assigned to IT specifically for cyber. That is where the 
investments will be made. The President has certainly 
recognized it in his Fiscal Year 2017 budget submission for 
what he wants to do across the Administration. And then part of 
those monies will be used to improve aspects of the IRS online 
presence.
    There are a number of specific tools I could talk about 
here, Congressman. I do not know exactly ----
    Mr. Walberg. I appreciate this getting on record of what 
you are doing, and that down the road we will not be blown away 
by mistakes that come, but I want to make sure that this is 
taken care of. That is part of our oversight, and we want to 
make sure that you are doing oversight as well. I yield back.
    Chairman Chaffetz. The gentleman's time has expired. If Mr. 
Milholland can continue to provide the committee with what they 
are doing in that regard, we would appreciate it.
    I will now recognize the gentlewoman from New Jersey, Ms. 
Watson Coleman, for 5 minutes.
    Ms. Watson Coleman. Thank you, Mr. Chairman. Mr. 
Milholland, it has been almost 4 years since the committee 
launched its investigation of the IRS, and to date IRS has 
produced more than 1.3 million pages of documents from 88 
custodians in response to over 80 document and information 
requests. According to the information I have, on June the 3rd, 
2015, the IRS' senior privacy official testified before this 
committee. Is that you, Mr. Killen? Is that you?
    Mr. Killen. Not at the time.
    Ms. Watson Coleman. Okay, thank you. Well, let me read to 
you what was said. ``More than 250 IRS employees have spent 
more than 160,000 hours working directly on complying with 
investigations at a cost of $20 million, which also includes 
the cost of adding capacity to our limited information 
technology systems to accommodate the voluminous information 
requests.'' And that figure does not include that at least $2 
million additional have been spent by the inspector general. 
Mr. Milholland, what sort of capacity has been added to the IRS 
information technology system in order to accommodate this 
information and this investigation?
    Mr. Milholland. There is an investment plan to build out 
the entire process of record retention. This ranges from saving 
all of the email and all of its attachments, the archiving of 
information that are on hard drives in turn being saved. And 
the first elements of this, if we are able to complete our 
project, would start to roll out at the end of December, 
beginning of January.
    Ms. Watson Coleman. Do you have the resources and the 
personnel to be able to accommodate this effort?
    Mr. Milholland. At the current moment we do not. We have 
what we need to implement toward the end of this year, but for 
the long-term needs of the record retention initiative, to do 
everything that is being asked in the sense of build a system 
that can search for anything and do it instantly, that has not 
yet been, I will say, completely planned out, nor staffed, nor 
resourced.
    Ms. Watson Coleman. You have made some improvements because 
you were able to detect some suspicious behavior most recently 
in the system. And you do not have any reason to believe that 
that was anything terrorist related or anything of that nature 
or ----
    Mr. Milholland. Ma'am, are you referring to the bot attack 
that was 2 weeks ago?
    Ms. Watson Coleman. Mm-hmm.
    Mr. Milholland. I cannot speak to who it was. There is an 
investigation going on right now by the investigative side of 
TIGTA. This was done from international sites using malware 
placed on individual machines and servers that attacked the IRS 
attempting to get these e-file PINs, no other taxpayer data. In 
fact, the e-file PIN is not taxpayer data, so I cannot 
characterize who they were. They were, you know, more than 
likely criminals, but I cannot really say.
    Ms. Watson Coleman. After Mr. Maruca's file was detected, 
after there was this belief that it did not exist and then you 
found out that you had a backup to it, you all have done 
something that would ensure that this problem does not occur in 
the future until you can take care of it in a more 
technologically savvy way? You have made decisions that no 
information gets erased until after something happens, right? 
Until after what happens, and when would that happen?
    Mr. Milholland. Is that a question toward me? I just was 
not sure.
    Ms. Watson Coleman. Well, to whomever can answer it.
    Mr. Milholland. I was not sure if it was to the deputy 
commissioner.
    Ms. Watson Coleman. Well, if the deputy commissioner is the 
one that should answer it, I am fine with that. Thank you.
    Mr. Milholland. Okay.
    Mr. Tribiano. The answer to that, ma'am, is yes. We put a 
non-destruct order in for all hard drives and devices for all 
employees of the IRS when they depart the IRS, and we 
immediately back up the hard drive itself electronically so we 
would have two copies until we get to the long-term solution 
that Mr. Milholland was talking about.
    Ms. Watson Coleman. So minimally, would you say that you 
have a future desire to hold this information as long as we are 
responsible as citizens to hold our information at 7 years, 
that incredible 7 years that we are talking about, or is there 
something other that you all would be presenting?
    Mr. Tribiano. Well, I think that is a question for Mr. 
Killen.
    Ms. Watson Coleman. Mr. Killen?
    Mr. Killen. Thank you for the question. We are working 
vigorously to ensure that we migrate our records management 
practices from sort of the current state to where we need to 
get to, you know, in the future in order to be compliant with 
all of the respective guidances out there from NARA and from 
OMB.
    So principally, we have taken, you know, really a multi-
pronged approach at that. Mr. Milholland and Mr. Tribiano both 
talked about various aspects of that, but I think, you know, 
first and foremost, again, ensuring that we no longer wipe or 
----
    Ms. Watson Coleman. Erase.
    Mr. Killen.--sanitize existing hardware, ensuring that we 
have copies that are in place on the machines. But we are, in 
addition to that, we have put a process in place for our 
senior-most Agency officials throughout IRS at the executive 
level because those are the individuals most likely to create 
Federal records. And so, we have an approach that we have 
implemented called the Capstone approach to ensure that we 
maintain and appropriately archive those records of our senior-
most officials. At the same time, we are currently in the 
process of implementing a plan for December 2016 where all IRS 
employees' email accounts will be archived electronically. And 
that is per directives that we have ----
    Ms. Watson Coleman. Thank you, Mr. Killen.
    Chairman Chaffetz. The gentlewoman's time has expired. How 
convenient. December of 2016, then we will start that process. 
There we go.
    All right. I will now recognize the gentleman from 
Tennessee, Mr. DesJarlais, for 5 minutes.
    Mr. DesJarlais. Thank you, Mr. Chairman. Mr. Milholland, 
did the IRS hire a new director of the Office of Personal 
Responsibility in the past year?
    Mr. Milholland. I actually do not know.
    Mr. DesJarlais. Mr. Tribiano?
    Mr. Tribiano. We transferred an individual into that 
office.
    Mr. DesJarlais. Who was that?
    Mr. Tribiano. That is Mr. Whitlock.
    Mr. DesJarlais. Mr. Whitlock. Okay. And that is basically 
the director of the IRS ethics department, correct?
    Mr. Tribiano. It could be categorized as that, yes, sir.
    Mr. DesJarlais. Okay. Did they review this individual's 
history with the Department?
    Mr. Tribiano. With the Department of Treasury? I am not 
aware, sir.
    Mr. DesJarlais. Do you know why the individual's record 
would not be reviewed prior to hiring someone for this 
position?
    Mr. Tribiano. Why it was not sent to the Department of 
Treasury?
    Mr. DesJarlais. Why they would not review his record before 
hiring someone to oversee the IRS' ethics department.
    Mr. Tribiano. The Executive Resources Board would have 
reviewed the record before making the recommendation of the 
movement of that individual into that position.
    Mr. DesJarlais. Okay. Mr. Milholland, did that ring any 
bells? Are you aware of Mr. Whitlock?
    Mr. Milholland. Not at all, sir.
    Mr. DesJarlais. No knowledge of him?
    Mr. Milholland. No, sir.
    Mr. DesJarlais. That was not run by you, Mr. Killen?
    Mr. Killen. No, sir.
    Mr. DesJarlais. No. Okay. So the IRS hires a new director 
to head up their personal ethics program. And, Mr. Tribiano, 
are you aware that he has a history of illegally shredding 
documents?
    Mr. Tribiano. Sir, well, first, let me say I cannot 
discuss. There is an IG investigation. But our internal review 
that was done in 2005 found that Mr. Whitlock, there was no 
intent from that office, and that there was no wrongdoing in 
that process.
    Mr. DesJarlais. Okay. I have seen different reports. Mr. 
Milholland, would you be blown away if you learned that you 
hired an ethics director that had illegally shredded documents?
    Mr. Tribiano. Just for the record, this position does not 
report to Mr. Milholland. The position reports to the deputy 
commissioner for Service and Enforcement.
    Mr. DesJarlais. Okay. So you have not reviewed the TIGTA 
audit of the OPR that was completed while the individual was 
destroying taxpayer records, or you have not read the 
investigation record, or the record destruction, or 
whistleblower retaliation?
    Mr. Tribiano. No, sir. What I reviewed was our internal 
review of the process that happened. Again, I cannot discuss 
the TIGTA investigation, and our internal review showed that 
there was no wrongdoing by that individual. That individual did 
not order the destruction that was done by the acting director 
at that time.
    Mr. DesJarlais. Okay. I guess I am just kind of shocked 
that, you know, this is a person that the IRS hired to be the 
head of their Office of Personal Responsibility, and he has got 
this history, and no one on the panel today seems to know 
anything about him.
    Mr. Tribiano. He was transferred, sir. He has been part of 
the IRS. He was in there as the deputy director of that office, 
was transferred to head up another office for us, and then was 
transferred back in.
    Mr. DesJarlais. Is this typical of how the IRS handles new 
hires?
    Mr. Tribiano. He was a transfer, sir, not a new hire who 
has been with the IRS ----
    Mr. DesJarlais. So when somebody gets in trouble, they 
transfer him around. Is that how it works?
    Mr. Tribiano. I am not saying that, sir.
    Mr. DesJarlais. Okay.
    Chairman Chaffetz. Will the gentleman yield?
    Mr. DesJarlais. Yes.
    Chairman Chaffetz. Mr. Tribiano, you said there is a new 
non-destroy policy. When did that come into place?
    Mr. Tribiano. That came into place right after we found out 
that we had that gap with Mr. Maruca.
    Chairman Chaffetz. That you had destroyed things. So can 
you give me a specific time?
    Mr. Tribiano. January, sir. I do not know the exact date, 
but it was in January.
    Chairman Chaffetz. So just in the last 30 days?
    Mr. Tribiano. Yes, sir. When we realized we had the gap 
when Mr. Maruca before the ----
    Chairman Chaffetz. Why did you not put this in a policy 
when Mr. Milholland put this into place into 2013? Did you ever 
lift that non-destruction order, Mr. Milholland?
    Mr. Milholland. I have never lifted the non-destruct order 
for the tapes, the backup tapes, which we were dealing with at 
the time.
    Chairman Chaffetz. The gentleman from Ohio.
    Mr. Jordan. The chairman asked my question. When was the 
order rescinded that you wrote in 2013 which says effective 
immediately, email retention policy for backups is to be 
indefinite? So if it is indefinite, is that still in place?
    Mr. Milholland. Yes, sir. Email is saved indefinitely.
    Mr. Jordan. Well, but the key question is, what about the 
backup tapes. They are saved indefinitely?
    Chairman Chaffetz. If the gentleman will yield, it says, 
``Do not destroy, wipe, or reuse any of the existing backup 
tapes for email or archiving of other information for IRS 
personal computers.''
    Mr. Jordan. Okay. And our question is, was that rescinded 
in any way.
    Mr. Milholland. If I understand your question correctly, 
sir, no. What we have, we still back up email and ----
    Mr. Jordan. Okay. Good.
    Mr. Milholland. Excuse me. I am sorry. I am interrupting 
you.
    Mr. Jordan. No, if it was not rescinded, then why did you 
have to issue a new order that Mr. Tribiano just referenced?
    Mr. Tribiano. I believe what Mr. Milholland was saying is 
that ----
    Mr. Jordan. Is it so that you could have another one that 
people will not follow? I mean, that is our point. If you have 
one in place, obviously it was not followed. You said nothing 
is being rescinded, and Mr. Tribiano said just last month we 
issued a new order to preserve all documents and not destroy 
anything. Why was that necessary?
    Mr. Tribiano. The order that Mr. Milholland was referring 
to, the one that he did that was about backup tapes and 
disaster recovery tapes. What we are talking about is the 
cleaning of hard drives for recycling back into the IRS system 
for computers or for destruction when they go out. And the 
reason that is in place is because some of those hard drives 
contain 6103 data, so we cannot leave them around now for a 
longer period, so we have to secure them. So now with the new 
order we have to secure those hard drives, put them in a secure 
location, document them, and put them away because it has 
information on them.
    Chairman Chaffetz. And the time has expired. We are going 
to recognize Ms. Kelly here. But that is not what Mr. 
Milholland's memo of May 22nd, 2013. It says, ``Do not destroy, 
wipe, reuse any of the existing backup tapes or email or 
archiving of other information from IRS computers. Further, do 
not reuse, or refresh, or wipe information from any personal 
computer that is being reclaimed, returned, refreshed, updated 
from any employer or contractor of the IRS.'' I mean, it could 
be not be more explicit.
    Mr. Milholland. Again, Chairman, if I may, that was 
referring to our backup tapes of the email systems and all the 
information ----
    Chairman Chaffetz. You can dance around this all the time. 
You had a preservation order in place. You had a do not 
destroy, and you continued to destroy them. You have 
represented to the Department of Justice, and to the courts, 
and to the United States Congress that you are not doing this. 
This issue has never been fixed, and that is why we continue to 
have these hearings.
    We have gone way past your time. We will recognize the 
gentlewoman from Illinois, Ms. Kelly, for 5 minutes.
    Ms. Kelly. Thank you, Mr. Chairman. Mr. Killen, I wanted to 
talk about what the IRS is doing to ensure that document and 
preservation measures are being implemented so that we do not 
end up here again, which no one wants. It seems strange that we 
are having a full committee hearing because of one employee's 
hard drive, especially since all but 2 weeks of his emails were 
preserved. What is the current IRS policy with respect to 
document preservation for departing employees, and how long are 
their emails kept?
    Mr. Killen. Thank you for the question. As I stated a 
little earlier, we have essentially a multi-pronged strategy 
and approach that we are taking with respect to email. First 
and foremost, we have implemented the Capstone approach, which 
is an approach that has been developed by National Archives 
that is focused on your role within the organization, because 
you want to ensure that the senior-most officials in an 
organization who are most likely to create records, that those 
records are preserved.
    And so, about a year ago we implemented that process across 
IRS to ensure that our senior executives all across IRS, that 
we had the appropriate electronic preservation of those emails. 
And so, that has been in place for the last year, and that was 
really one of the significant early pieces of the strategy.
    Ms. Kelly. And how long are they kept?
    Mr. Killen. They will be kept, there are ranges. But for 
our most senior executives, they will be kept permanently. For 
sort of our second tier of executives on down, they will be 
kept for 15 years. And that is very consistent with a role-
based approach because you want to ensure that you have the 
preservation of records, you know, in the most appropriate 
fashion.
    So the second piece of that strategy related to email is 
that by the end of this calendar year, by December 2016, 
consistent with the directives that we have received from OMB 
that applies across the government, not just to IRS employees, 
we will ensure that all of our employee email is available in 
an electronically accessible environment. And then we are also 
taking a variety of other steps to shore up our other processes 
and procedures with regards to records retention for separating 
employees and for, you know, an entire gamut of issues that we 
are working towards. So we are making significant progress.
    Ms. Kelly. Okay. What is the IRS doing right now to ensure 
that an instance such the Maruca case does not occur again?
    Mr. Killen. Thank you for that question. So, again, as part 
of sort of the multi-pronged strategy that we have, because, 
you know, the key issue with Mr. Maruca is he separated from 
the Service.
    Ms. Kelly. Right.
    Mr. Killen. And so, we have a process in place now where if 
an employee separates from the Service, we are ensuring that we 
do not wipe the machine. In addition, we are making the copies 
of the machine. So really, you know, our whole approach around 
records management and retention is first and foremost ensuring 
that we follow the relevant guidance and directives that are 
out there. But then secondly, trying to, you know, build in 
multiple layers of redundancy so that we do what we can to 
reduce, you know, the likelihood of the human element where 
people make mistakes as well.
    Ms. Kelly. So would you look at this as your longer-term 
solution, or do you have other long-term solutions as it 
relates to hard drive inventory management?
    Mr. Killen. There is a very long-term solution because, you 
know, you can imagine the volume of records, and particularly 
as just in all walks of life, as we move more towards a digital 
environment. And so, you know, our first focus and emphasis is 
on email. We have paper records, as you might imagine, that we 
do a pretty good job of maintaining, but we have improvement 
opportunities there as well. But longer term, you know, there 
is guidance that talks about by 2019 the Federal government 
should be able to migrate to a place where all records are 
stored in that, you know, accessible electronic medium. Our 
focus is initially on email, but that will extend to, you know, 
all of the various avenues of record creation towards that 2019 
directive.
    Ms. Kelly. And once you get there, this will allow you to 
answer inquiries from Congress faster or FOIA requests? Do you 
feel like you will be faster at that?
    Mr. Killen. It will certainly help. It will certainly help 
because, you know, the first thing is that the documents have 
to be available certainly. But when you get beyond the actual 
availability of the documents, and when you talk in terms of 
document production, you also need to have the ability to 
search. And ideally you would want to have the ability to do 
key word searches because those are things that allow you to 
have, you know, very efficient document production.
    So my answer to your question is that having the 
documentation retained is a necessary predecessor first step, 
but there is also the need to have the ability to do, you know, 
adequate search, find, and redaction capability. And that will 
be a separate effort, but it certainly is one that we have our 
eye on as well.
    Ms. Kelly. I am out of time. Thanks.
    Chairman Chaffetz. I thank the gentlewoman. I will now 
recognize the distinguished and always dapper gentleman from 
South Carolina, Mr. Gowdy, for 5 minutes.
    Mr. Gowdy. Chairman Chaffetz, I appreciate your leadership 
on this issue as I do Chairman Jordan's. And for that reason, I 
would like to yield to the gentleman from Ohio, Mr. Jordan.
    Mr. Jordan. I thank the gentleman. Mr. Milholland, who told 
you to issue the May 22nd, 2013 order, or I think ``directive'' 
is what you called it.
    Mr. Milholland. The email we talked about earlier, sir?
    Mr. Jordan. Preserve all documents. In other words, retain 
everything. That email.
    Mr. Milholland. That was a request that came from Chief 
Counsel's Office, and the way to do it was to send an email out 
as quick as we could to the people involved dealing with the 
backup tapes and such.
    Mr. Jordan. And when you did that, did you like have just a 
couple people you were sending it to, or was it like send to 
everyone, send all?
    Mr. Milholland. Principally directed to the operations team 
who deal with the backup tape processes and such, but the IT 
staffs all knew about it.
    Mr. Jordan. And the chart that I see, you got five agencies 
or five groupings that answer to Mr. Tribiano. Were the heads 
of all five of those groupings sent your email plus all your 
staff, or just within your area?
    Mr. Milholland. It was just within IT.
    Mr. Jordan. Okay. Okay. I just want to be clear. And do you 
know if the commissioner at the time, Commissioner Werfel, knew 
about your directive to preserve all documents?
    Mr. Milholland. I am pretty sure he did because this was 
one of the subjects we were talking about, how we were going to 
protect ----
    Mr. Jordan. Okay. And then when Mr. Koskinen came on board, 
do you know if he knew about the directive that was in place 
and, as you have testified today, still in place? Did Mr. 
Koskinen know about that, and does he know that it is still in 
place today?
    Mr. Milholland. I cannot testify to that, but can I add one 
correction to my earlier statement?
    Mr. Jordan. Sure.
    Mr. Milholland. Okay. As I tried to say earlier--I may not 
have been very clear--that was intended to cover backup tapes 
for email and anything to do with anyone's information that 
dealt with attachments, calendars, and such. At the same time, 
we also were not allowing hard drives to go anywhere. We, in 
fact, locked up all of the TEGE employees' hard drives in a 
cabinet, so to speak, so they would not go anywhere and such.
    During the Windows 7 implementation 2 years ago and such, 
basically because of budgetary problems, we went and asked, 
hey, if we copy all the hard drives we have been saving, can we 
now reuse them so that we can implement Windows 7. And we got 
permission to do that, so in that sense those non-TEGE hard 
drives were reused. So in that sense, they were rescinded. I 
hope that is clear.
    Mr. Jordan. I mean, it is not, a lot of the stuff you said 
there. But nowhere in there did you talk about still how the 
backup tapes, which you said your order applied to, were 
actually ultimately destroyed. So that did not cover what he 
just described, at least I did not think so.
    Mr. Milholland. No, sir. I responded earlier describing how 
that happened through employee mistakes.
    Mr. Jordan. Okay. Well, we obviously know there were 
mistakes because you gave an order, and it was not followed, 
and tapes were destroyed, and information and data that is 
important to the investigation was lost. I am going to go back 
to the question I asked you in the first round. I want to be 
clear. So you received a bonus this year and last year?
    Mr. Milholland. No, sir.
    Mr. Jordan. You said your pay went up. So it was not a 
bonus?
    Mr. Milholland. I am capped salary wise. I do not receive a 
bonus.
    Mr. Jordan. How about this management team you referred to 
when I asked, you know, how this could happen that tapes were 
destroyed in light of your order, in light of your directive? 
Anyone on your management team, did they receive a bonus this 
past 2 years?
    Mr. Milholland. Yes, sir.
    Mr. Jordan. They did?
    Mr. Milholland. Yes, sir.
    Mr. Jordan. And do you okay that, or does that go up 
through Mr. Tribiano and then up to the commissioner?
    Mr. Milholland. It certainly comes through me. I believe it 
goes to a committee Mr. Tribiano sits on called the Executive 
Review Board.
    Mr. Jordan. Mr. Tribiano?
    Mr. Tribiano. Yes, sir. It starts at the division head 
area, so Mr. Milholland would gather up performance awards, not 
bonuses, and they would make those recommendations coming 
forward. I would get them. Either I agree or disagree.
    Mr. Jordan. Performance awards. If you get a performance 
award, that results in additional pay?
    Mr. Tribiano. It results in a performance awards, so, yes, 
sir, your pay. Not your pay salary pay, but your cash.
    Mr. Jordan. You get more money.
    Mr. Tribiano. Yes, sir, but it is not on a continuous 
basis. It is a one-time performance award.
    Mr. Jordan. Mr. Milholland said he takes responsibility for 
the fact he was blown away when this happened after his 
directive. His pay is topped out. He cannot go any higher. And 
the people on his management team who were responsible for the 
directive not being carried and for the backup tapes being 
destroyed all got performance pay increases. Is that accurate?
    Mr. Tribiano. I have to ask Mr. Milholland if he put them 
forward in that fashion.
    Mr. Milholland. Not all the managers and executives who 
report to me got pay increases or bonuses. I do not recall 
explicitly in the chain that led down to where this incident 
occurred what the actuals were.
    Mr. Jordan. But many of them did.
    Chairman Chaffetz. Will the gentleman ----
    Mr. Milholland. Probably, but I really do not know, sir.
    Mr. Jordan. I would be happy yield back.
    Chairman Chaffetz. The gentleman's time has expired. Will 
you provide that to this committee, Mr. Milholland?
    Mr. Milholland. If I am allowed to legally. I do not know 
if I am allowed to release personal information.
    Chairman Chaffetz. Well, when the United States Congress 
asks you, you have legal authority to provide that information 
to Congress. There is nothing classified about people's 
compensation and bonuses. Would you agree?
    Mr. Milholland. Not to me, sir, but I am not a lawyer, so.
    Chairman Chaffetz. Well, there are some positive qualities. 
I appreciate that. That is a real plus in your column. I get 
it. I am asking you all to provide this information to this 
committee.
    Mr. Milholland. Yes, sir.
    Chairman Chaffetz. Thank you.
    Chairman Chaffetz. I will now recognize the gentlewoman 
from New York, Ms. Maloney, for 5 minutes.
    Ms. Maloney. I thank the gentleman for yielding. And I 
would like to talk about another outage that was treated 
differently than one recently at the IRS, and that was one that 
many New Yorkers were concerned about. It concerned the New 
York Stock Exchange on July 9th of 2015, and a number of my 
constituents work there and suffered an outage that completely 
suspended all of financial trading for roughly 4 hours. And 
this committee sent letters to the SEC and to the Stock 
Exchange trying to understand the circumstances surrounding the 
outage. And they briefed our staff in July, and they told us 
that a software problem--it was basically a glitch--caused them 
to go offline in order to respond and to solve the problem.
    Now, the Department of Homeland Security in response to 
questioning by this committee reported that there was no 
suspicious activity, and the FBI saw absolutely no reason for 
any type of enforcement action. And since the committee 
received those briefings, we saw no reason to hold a public 
hearing or to hold an investigation since everybody involved 
said that it was merely a glitch.
    Yet we are going after the IRS today for a similar 
temporary and subsequently resolved website outage. And I just 
feel that there is a little bit of an unequal treatment, and I 
think we should not have unequal treatment. I mean, I will not 
suggest that the New York Stock Exchange should come in for a 
hearing. I am suggesting that we should not be having a hearing 
on a technical outage for any organization, and the IRS seems 
to be getting a little unequal treatment on this.
    And I would like to elaborate, Mr. Milholland, to ask you 
about an incident earlier this month when portions of the IRS 
website were shut down for roughly 30 hours. And I understand 
that some members of Congress thought, and questioned, and 
rightfully so, I think, in the world we live in that it was a 
cyberattack. But the IRS briefed our staff earlier this week, 
and they told us that this was definitely not a cyberattack. 
They told us, in fact, that it was just a mechanical hardware 
failure similar to what happened at the Stock Exchange, a 
glitch, a hardware failure.
    Now, is my description of what happened to the IRS somewhat 
correct?
    Mr. Milholland. Yes, ma'am.
    Ms. Maloney. So this was not a failure of an IRS 
information system, but just the failure of a singular piece of 
mechanical equipment, correct?
    Mr. Milholland. That is correct, ma'am.
    Ms. Maloney. And can you describe what sort of hardware we 
are talking about?
    Mr. Milholland. Yes, ma'am. Our Enterprise server is the 
primary engine for processing tax returns. It is made up of 
various components, including a storage subsystem, which has 
voltage regulators in it. Now, while the root cause analysis is 
still underway, it was those voltage regulators that failed. 
They are mechanical components that are under somewhat high 
stress conditions when the computer is operating. And over 
time, one of the modules that held the voltage regulators 
literally said I'm failing, called for an alert to the 
mechanic--that is, the technician--to come and fix it.
    During the process of attempting to fix the mechanical 
device, the redundant voltage regulator module also failed. 
Then it took time to restore the equipment to its natural 
state, bring the system back up so tax returns could be 
processed. Total outage time was roughly about 30 hours.
    No software was involved. No micro code. This was with 
absolute certainty not a cyberattack. It was a failure of 
mechanical device. What we are most interested is the root 
cause analysis as to why did the two fail relatively close 
together. That work is going on. I expect to have the root 
cause analysis, you know, within a week. I have a draft root 
cause analysis now, but it is not done. We have working 
questions with the supplier on this. But no question that this 
was a mechanical failure.
    Ms. Maloney. So mechanical failure, such as what the IRS 
experienced, is not unique to the IRS. It happens to many 
organizations. In fact, there was a highly publicized 
mechanical failure with the New York Stock Exchange which was 
similar. They went offline for a while to repair it. So I feel 
that there is a little bit of an unfair or unequal treatment, 
and maybe a little bit of a major focus on the IRS and 
questioning of the IRS for a long time that is not the same 
treatment that other organizations that handle a great number 
of filings experience. So I just wanted to point that out. The 
failures were very similar for the Stock Exchange and the IRS 
of mechanical equipment failure.
    In any event, my time has expired, and thank you for your 
testimony today.
    Chairman Chaffetz. Thank the gentlewoman. We will now 
recognize the gentleman from North Carolina, Mr. Walker, for 5 
minutes.
    Mr. Walker. Thank you, Mr. Chairman. Thank you, Panel. I 
appreciate you being here today.
    I want to go back to something that I heard a little bit 
earlier. First of all, I want to talk about something that 
Commissioner Koskinen has said repeatedly. His quote says, ``I 
believe that the underfunding of the Agency is the most 
critical challenge facing the IRS today.'' He has made this 
comment pretty much in several different speeches whether it is 
the Tax Policy Conference or other places where he is pretty 
adamant that that is a major issue.
    But something said earlier by one of my colleagues, I want 
to go back talking about the systems that you said that were 
dating back to John F. Kennedy time, I believe was the comment. 
It was not so much the application as it was the system. Would 
you repeat a little bit earlier and go into that for me just a 
minute?
    Mr. Milholland. Certainly. What they built back in the 
1960s for implementation in the 1970s was a system designed 
based around the technology that was available to them then.
    Mr. Walker. Sure.
    Mr. Milholland. That design still exists. Even though we 
are running the application now with much more modern 
underpinning--that is, this Enterprise server that we just 
discussed with the congresswoman ----
    Mr. Walker. Sure.
    Mr. Milholland.--the actual design of the application is 
still built upon that 1960s approach.
    Mr. Walker. And I appreciate you clearing that up, but that 
is not what Commissioner Koskinen said. What he said in his 
ploy to try to get more funding, more than the $11 billion 
already, he said, ``We have many applications that were running 
when John F. Kennedy was president.'' Is that an untruthful 
statement?
    Mr. Milholland. No, I think that is true. The application, 
individual master file, and the business master file, and a 
number of those other clearly legacy applications, while some 
of the platforms they run on have changed and the code has been 
updated numerous times due to legislation, the programming 
language is still the one that we had then.
    Mr. Walker. Well, he seems to be disagreeing with you on 
the code as well because he said, ``The code has been out of 
date so long, it has the unintended effect to keep hackers from 
hacking in.'' So is that just something he is not 
technologically current with that? I mean, are you running code 
from John F. Kennedy because it seems 50-something years ago we 
are still running those kinds of systems, and we are still 
operating with that code? Is that correct?
    Mr. Milholland. There are elements of the code that exist 
back that far, but the ----
    Mr. Walker. COBOL? FORTRAN? What are we talking about here?
    Mr. Milholland. COBOL, yes. COBOL programming language 
code. Assembly language code is the principle engine. While we 
have modified it numerous times with particularly legislation, 
the fact of the matter is that system was designed and built in 
the 1960s to start running in the 1970s. And so, you know, I 
believe that the commissioner is correct.
    Mr. Walker. Okay. Let me transition while I have got some 
time left. I am going to go back to Form 3210 that was filled 
out authorizing the destruction of Mr. Maruca's hard drive. If 
so, if that was ordered, who authorized the destruction of that 
hard drive?
    Mr. Milholland. What would have happened would be that--I 
must say ``presumed happened''--was whoever was checking out 
Mr. Maruca from the IRS would have called the IT organization, 
filled out a request to say take his IT assets and follow the 
normal disposition procedures.
    Mr. Walker. Did you assume that would have happened? Why 
was Mr. Maruca's hard drive not covered by the litigation hold 
the IRS put in place? Why did that not cover that?
    Mr. Milholland. At the time, I mean, he had left before 
that particular litigation hold was put into place.
    Mr. Walker. Well, did he take his stuff with him? Did he 
take the information with him?
    Mr. Milholland. It had already been entered into the 
process of disposition.
    Mr. Walker. Well, so what happens when he leaves? When an 
employee leaves, do their records get destroyed like this? I 
mean, what happened? Who made the decision? Who authorized 
that, to destroy what he was working on?
    Mr. Milholland. I am sorry. I really am not understanding 
your question.
    Mr. Walker. His hard drive, okay?
    Mr. Milholland. Pardon me?
    Mr. Walker. Mr. Maruca's hard drive.
    Mr. Milholland. Yes, sir.
    Mr. Walker. Who destroyed it? Who authorized it?
    Mr. Milholland. That would have followed the normal IT 
process of dispositioning of old equipment. And in that sense, 
the authorization is the IRS process.
    Mr. Walker. Is there a timeline for how long an employee 
leaves that hard drives are destroyed? Is there a standard on 
it?
    Mr. Milholland. No, there is not. It follows ----
    Mr. Walker. So it is up to discretion.
    Mr. Milholland. There is a lot discretion. There are a 
number of steps that are followed as to where it goes. Because 
we have had shortfalls in our staffing, oftentimes machines can 
sit around before they are disposed of. They may oftentimes 
even get so stacked up until someone gets to it.
    Mr. Walker. But his did not get stacked up. Mr. Chairman, 
my time has expired.
    Chairman Chaffetz. I thank the gentleman. I recognize the 
gentleman from Alabama, Mr. Palmer, for 5 minutes.
    Mr. Palmer. Mr. Chairman, I only have one question. 
According to a September 2015 inspector general report, the IRS 
spent $139 million in 4 years on upgrading its workstations 
from the outdated Microsoft XP to Windows 7, but you still 
missed the Microsoft April 2014 end of life deadline. I think 
you understand that using a supported version of Windows is 
critical to securing data. Yet according to a TIGTA report from 
September 28th, 2015, you have got approximately 1,300 
workstations that you either cannot locate or you confirmed are 
running an old operating system.
    My question is, where are you on locating those 
workstations and getting them updated?
    Mr. Milholland. I think there are a number of questions in 
your statement, sir, and I will try answering each one.
    Mr. Palmer. Well, just answer the one where you are on the 
status of locating those workstations and updating the 
software.
    Mr. Milholland. We got support from Microsoft to go beyond 
the original expiration of XP so we were not taking a risk with 
those particular workstations. Second, we took them off the 
network so they would be isolated, and would not, therefore, be 
possible to hack into them through, I will say, anyone having 
access to the network. Where we are with the actual remaining 
numbers, if I recall correctly, we are complete. I would have 
to double check that, sir, if I can get back to you.
    Mr. Palmer. Could you inform the committee where you are on 
that, and I would like to have that answer in 7 days. Can we do 
that?
    Mr. Milholland. Sure.
    Mr. Palmer. Mr. Chairman, I will yield the balance of my 
time to the chair.
    Chairman Chaffetz. I thank the gentleman. Mr. Milholland 
and Mr. Tribiano, it is May 2013. TIGTA issues its audit, and 
you issue an internal preservation order that is extensive. It 
is capped with ``in other words, retain everything to do with 
email or information that may have been stored locally on a 
personal computer.'' It is pretty broad, but also very 
definitive. Did you ever rescind that order? That is a yes or 
no question. Did you ever reverse that order?
    Mr. Milholland. I changed the order with, as I tried to 
explain earlier with a TEGE situation where we had to start 
using some of the hard drives that we were saving ----
    Chairman Chaffetz. Can you provide that ----
    Mr. Milholland.--in order to implement Windows ----
    Chairman Chaffetz. Can you provide that to this committee?
    Mr. Milholland. Provide which list, sir?
    Chairman Chaffetz. When you rescinded that, send that to 
this committee. Fair enough?
    Mr. Milholland. I will, yes.
    Chairman Chaffetz. Thank you.
    Mr. Milholland. Yes, sir.
    Chairman Chaffetz. Mr. Tribiano, did the IRS ever change 
that or rescind the order that Mr. Milholland put out to 
preserve?
    Mr. Tribiano. Not to my knowledge, sir.
    Chairman Chaffetz. After the issuance of that audit, did 
the IRS put any new procedures or policies in place regarding 
the preservation of emails, hard drives, or anything to do with 
people's interaction with the computers?
    Mr. Tribiano. That was during the time period where we 
initially started the Capstone Project, sir.
    Chairman Chaffetz. Okay. You started a project, but was 
there any change to the internal functionality of the 
preservation of computers, hardware, emails, that sort of 
thing? What changed?
    Mr. Tribiano. Sir, I was not there. I would have to go back 
and look at ----
    Chairman Chaffetz. Mr. Killen, what changed?
    Mr. Killen. So, following those events, again, in late 
calendar year 2014, early calendar 2015, we implemented the 
Capstone approach for our senior-most Agency officials. And so, 
that ----
    Chairman Chaffetz. All government records. You do not have 
to be a senior-most official at the IRS to generate a record 
that needs to be in compliance with the Federal Records Act or 
to be in compliance with FOIA. I want to know after TIGTA had 
issued their report in May of 2013, what did the IRS do 
internally to preserve and protect the records that they should 
have been protecting in the first place?
    Mr. Killen. Well, Mr. Chairman, I think that does represent 
a fairly substantive change, and ----
    Chairman Chaffetz. What does?
    Mr. Killen. Well, first of all, implementing the Capstone 
approach, you know. We had significant consultation with the 
National Archives ----
    Chairman Chaffetz. Do you feel it was fully implemented?
    Mr. Killen. The Capstone process that we initiated with our 
senior officials, yes, that has been fully implemented.
    Chairman Chaffetz. If the policy is in place, why was Mr. 
Maruca's information destroyed?
    Mr. Killen. Fair question. It is an issue of timing because 
we implemented the Capstone approach in actually late December 
2014. Mr. Maruca had already left the Service by that point.
    Chairman Chaffetz. So it takes you more than a year and a 
half to implement a new policy. How hard is it to just save a 
hard drive? I mean, how hard is that? How expensive is that? 
How much does a hard drive cost, do you know?
    Mr. Killen. I will defer to Mr. Milholland on that.
    Chairman Chaffetz. How much is a hard drive? You want two 
gigs.
    Mr. Milholland. $100 to $250, depending on the ----
    Chairman Chaffetz. Yeah, we are talking about a hundred 
bucks here. You got a $1.7 billion issue with Microsoft, and 
you all went out and destroyed something that is maybe a 
hundred bucks. Mr. Tribiano, you had to issue a new policy in 
2016, correct?
    Mr. Tribiano. A new policy was issued in 2016.
    Chairman Chaffetz. What does that policy do?
    Mr. Tribiano. We will not destroy any hard drives or mobile 
devices for any departing IRS employees, and we will copy the 
hard drives digitally to a server.
    Chairman Chaffetz. Congress has been investigating the IRS 
since 2011, and you are just now getting the memo to start 
preserving things in 2016? Why does it take almost 5 years to 
get the message that you should not be destroying things? Why 
does it take so long?
    Mr. Tribiano. Well, sir, I mean, we have a records 
retention policy ----
    Chairman Chaffetz. Yeah, but you did not follow it. You did 
not follow it. Mr. Maruca's stuff was destroyed, and it should 
not have been. And you are misstating the facts, by the way, 
because there was another case that they actually copied Mr. 
Maruca's, and then they happened to find that. I mean, I find 
it totally unbelievable. It truly is an unbelievable set of 
circumstances. 24 to 48 hours after this committee issues a 
bulletin that we are going to have a hearing, and then suddenly 
you find the information?
    And the Department of Justice had gone to the courts and 
said this stuff had been inadvertently destroyed, but then you 
actually did find it. Do you see why we have zero confidence in 
the record retention policy and the ability to execute on it?
    Mr. Tribiano. Well, sir, you said that I misled you, and if 
that is the case, that was not the intent, so I just want to 
clarify that. We did find those records, and we found it 
because of another litigation hold. I thought I made that clear 
in my opening statement. It was not because there was some 
other thing. It was pure coincidental that we had another 
litigation, and we ----
    Chairman Chaffetz. And coincidental and 24 hours after I 
issue a notice that you are going to have to come appear here, 
suddenly you do find them. That is what is unbelievable. You 
had gone to the courts via the Department of Justice and put it 
on the record that you did not have them. That was not true, 
was it?
    Mr. Tribiano. At that time that, that was true, yes, sir.
    Chairman Chaffetz. It was not true.
    Mr. Tribiano. Well, in hindsight it is not, but at the time 
that we went to them and said we might have an issue, it was 
true. When it was found that we did copy it for another 
litigation hold, we corrected it. We found that there was 
another litigation hold.
    Chairman Chaffetz. Okay. The gentlemen's time has expired. 
I now recognize myself or recognize Mr. Carter for 5 minutes.
    Mr. Carter. Thank you, Mr. Chairman. Mr. Milholland, help 
me out here. I am just trying to educate myself. What is the 
timeline between when an employee leaves the IRS and when their 
hard drive is erased?
    Mr. Milholland. Yeah, that timeline can vary from immediate 
to 6 months.
    Mr. Carter. What determines that? What determines the 
variation?
    Mr. Milholland. Where the person is when they leave. For 
example, if you are in ----
    Mr. Carter. I mean, what hallway they are in?
    Mr. Milholland. What office they are in. For example, the 
equipment, if it is picked up by IT, has to be shipped to 
another location. But if you are in the D.C. area, for example, 
it might happen very quickly and such. We typically send these 
devices to a particular data center for the degaussing once we 
separate the hard drive from the rest of the PC.
    Mr. Carter. Okay. When was Mr. Maruca's hard drive erased? 
What day?
    Mr. Milholland. The deputy commissioner can answer the 
details, but ----
    Mr. Carter. Okay.
    Mr. Tribiano. Well, we do not know the date, and I think 
that is what the problem is. We know we sent it or consolidated 
it on August 5th. We picked it up from the manager. We 
consolidated it with other hard drives and other laptops, and 
we sent it to our Memphis facility. It arrived in ----
    Mr. Carter. Now, where was Mr. Maruca because you said, Mr. 
Milholland, that it depended on what office he was in. Which 
office was Mr. Maruca in?
    Mr. Tribiano. Go ahead.
    Mr. Milholland. He was in D.C. as I ----
    Mr. Carter. He was in D.C. So you just said if he is in 
D.C., it ought to be pretty quick.
    Mr. Milholland. It could be depending, again, on the 
process being followed and the staff that we have to do that 
work. If there was an intent that we say, hey, we could reuse 
this device very quickly, then at that point we would separate 
the hard drive from the rest of the platform and put a new hard 
drive in.
    Mr. Carter. But in the case of Mr. Maruca, you do not know 
what day it was destroyed?
    Mr. Tribiano. No, sir. It was sent down to the Memphis 
facility, and it was stored down there with other laptops and 
other computers that were marked for disposal.
    Mr. Carter. Okay. So where it was sent down to, do they 
have a record of it? Can you call them and find out? I mean, 
surely they keep a record to tell you, okay, we destroyed this 
hard drive this day, this one this day.
    Mr. Milholland. No, sir. What we keep a record of is the 
asset. Once we separate the hard drive from the rest of the 
computer, the rest of the computer is sent off for salvage by 
an outside contractor.
    Mr. Carter. I am not worried about the rest of the 
computer.
    Mr. Milholland. Yeah, you are saying ----
    Mr. Carter. I am worried about what gets erased. It would 
just occur to me or it would appear to me that you would have a 
day on there, somebody would keep a day that said that this is 
the day it was erased.
    Mr. Milholland. Not necessarily, sir, because we do not 
view it as a major asset at that point. Its disposition, we 
have flagged for destruction. It is sent into the system. Okay, 
this ----
    Mr. Carter. Do you ever consider it to be an asset, an 
important asset?
    Mr. Milholland. Once it is flagged for disposition to be 
destroyed, no.
    Mr. Carter. Okay. And this is even after we have had the 
experience with Ms. Lerner and with her hard drive being 
destroyed and being wiped out. Even after that we still do not 
have in place when exactly we destroyed it. We still do not 
know. So you are telling me that is a matter of policy?
    Mr. Milholland. It is a matter of the workload and the 
resources we have to do that task.
    Mr. Carter. The workload and the resources.
    Mr. Milholland. Yes, sir.
    Mr. Carter. So everything is determined by the workload and 
the resources, not by its importance.
    Mr. Milholland. Well, the importance is that we had already 
decided that this particular drive could be, in fact, be 
destroyed. At that point it is deemed worthless, so it is 
stacked up with other hard drives.
    Mr. Carter. I just find it to be a very poor excuse about 
resources. I mean, it would seem to me like that you would have 
been really on your toes, especially in light of what has 
happened in the past. It would seem to me that you would want 
to absolutely know when a hard drive was destroyed or wiped 
out. I mean, you see where I am going here.
    I am just getting the impression from where I am sitting, 
it looks like the IRS is just taking the attitude, hey, we are 
above the law here. I mean, that is what it looks like to me, 
and I can imagine what it looks to a regular citizen who is 
being audited by the IRS. It is really confounding to me that 
we do not keep better records than this. It would appear to me 
the IRS, in light of everything that has happened in the way of 
hard drives being wiped out, that your policy would be better 
and that you would be keeping better records. So you can 
understand why the general public thinks, well, they think they 
are above the law here.
    I am just flabbergasted by this. Mr. Chairman, I do not 
know what to say except that I hope that you will take it as a 
lesson and understand that, you know, there are people out 
there who are being audited by the IRS who feel like they are 
being targeted, feel like they are being treated unfairly, and 
feel like the IRS thinks they are above the law. And in 
instances like this, you can understand why they feel that way. 
This is unacceptable.
    Mr. Chairman, I yield back.
    Chairman Chaffetz. I thank the gentleman. Myself and Mr. 
Jordan have just a couple of other questions, and we are going 
to wrap up the hearing. And members are advised we have votes 
on the floor soon.
    Since when has the IRS preserved all of its internal 
emails? When did they start to do that?
    Mr. Killen. So our internal email, again, there are nuances 
to it. So ----
    Chairman Chaffetz. You are either saving them all or not. 
Do you save all the emails?
    Mr. Killen. All our internal emails--all--are not being 
saved, but we have the plan in place in order to get there. All 
of our emails for our senior-most officials are saved. We have 
actually had substantial interaction with NARA, so I do want to 
get this point across that NARA ----
    Chairman Chaffetz. Hold on. I want to get to this point. 
You still to this day do not preserve all of the IRS emails 
internally. You do not save those.
    Mr. Milholland. May I answer that question, Mr. Chairman?
    Chairman Chaffetz. Yeah.
    Mr. Milholland. The answer is we save them on our backup 
tapes and have since that original email that Representative 
Jordan was referring to.
    Chairman Chaffetz. Then why did Mr. Killen just tell me 
that we do not do that?
    Mr. Milholland. I think he was referring to all the ----
    Chairman Chaffetz. No, no. He can tell you what he is 
referring to.
    Mr. Milholland. I am sorry, sir.
    Chairman Chaffetz. Mr. Killen, you just told me that they 
do not preserve all the emails.
    Mr. Killen. I think there is a distinction between what we 
have preserved on the network and what we have preserved via 
backup and disaster recovery process. And I think that is the 
distinction that Mr. Milholland was going to make.
    With respect to, because I do want to be clear about this 
point. The directive that we are under is that all email should 
be in an electronically accessible format by the end of 
calendar year 2016. That is the plan that we have implemented. 
That is the plan that we are on a trajectory to meet. But in 
the interim, and, again, this has all been a process that we 
have worked with NARA on. In the interim, our senior-most 
Agency officials' emails are being preserved, and that is sort 
of, I talked about this multi-pronged approach that we have 
implemented. That is ----
    Chairman Chaffetz. Is there anything, Mr. Milholland, that 
you would disagree with that he just said?
    Mr. Milholland. No, sir. We are going to be NARA compliant.
    Chairman Chaffetz. Here is the problem, okay? Here is the 
problem with the testimony. This is testimony from John 
Koskinen of June 23rd, 2014, and here is what he says: ``I 
would note, however, since the investigations into the 
application process for 501(c)(4) organizations began in May of 
last year, the IRS''--here it is--``the IRS has saved backup 
tapes for all emails on the IRS' servers, which includes tapes 
for the 6 months preceding May of 2013.'' And you are telling 
me that is not true, and that is why we keep coming after the 
IRS, and that is why we are not going to let go of this.
    I recognize the gentleman from Ohio.
    Mr. Milholland. Sir, could I make one statement, please?
    Chairman Chaffetz. The gentleman from Ohio.
    Mr. Jordan. If I could, Mr. Chairman, this will be my third 
time, and the right fine gentleman from North Carolina has not 
went. I just have two questions anyway, Mr. Chairman.
    Mr. Meadows. I will yield to the gentleman from Ohio for 
two questions, and then take up the balance. How about that?
    Mr. Jordan. Okay. So, Mr. Milholland, on March 4th when you 
discovered the tapes are destroyed, March 4th, 2014, the backup 
tapes are destroyed. You testified in the TIGTA investigation 
that you were blown away by the fact that your directive was 
not followed. What did you do then? And I guess specifically 
what I am asking is, did you have any conversations with your 
direct report, Mr. Tribiano's office, or the person who runs 
Mr. Tribiano's office, and/or Mr. Koskinen?
    Mr. Milholland. At that particular time, the TIGTA 
investigation was still going on, so I was not allowed to talk 
about the conversation I had with TIGTA until after the report 
was released.
    Mr. Jordan. Okay. So when you learned that the tapes had 
been destroyed, your directive was not followed, you had no 
conversation with the commissioner?
    Mr. Milholland. No.
    Mr. Jordan. Subsequent to when it became public, have you 
had conversations with the commissioner?
    Mr. Milholland. Yes, sir.
    Mr. Jordan. About this specific issue.
    Mr. Milholland. The general conversation around backup 
tapes, yes, sir, and that is what I was trying to correct 
earlier. We have retained backup tapes for indefinitely since 
that email was issued. Those are off of the exchange system, 
which is the primary email system of the Enterprise.
    Mr. Jordan. I get that, but I am asking more specific. Did 
you have a conversation with Mr. Koskinen and say, look, I gave 
a directive. It was not followed. 422 backup tapes were 
destroyed. We no longer have those records at all. Did you have 
that conversation with Mr. Koskinen?
    Mr. Milholland. No, I did not specifically.
    Mr. Jordan. Okay. One final one here. In your opening 
statement, this is Mr. Maruca's situation. His hard drive was 
designated for erasure before the issuance of the litigation 
hold. Is that right?
    Mr. Tribiano. Yes, sir.
    Mr. Jordan. Okay. Yet you said later that his data was, in 
fact, though, backed up because you had another litigation 
hold.
    Mr. Tribiano. Yes, sir.
    Mr. Jordan. So why didn't the previous litigation hold 
prevent you from destroying the hard drive?
    Mr. Tribiano. Because the data was backed up, and it was 
sent to the digital. What happens is when the attorneys request 
the information, it goes into their--I might be calling it the 
wrong thing--their e-Discovery system where they can access the 
data and do whatever they need to do for discovery purposes.
    Mr. Jordan. And just to be clear, a litigation hold does 
not trigger preservation of hard drives. That only triggers it 
goes to a backup?
    Mr. Tribiano. No, sir. It preserves the records for use in 
the litigation.
    Mr. Jordan. And the best record would be the hard drive, 
not the backup. But under this situation, you did not do that.
    Mr. Tribiano. The records are what was on the hard drive 
and backed up at that point in time.
    Chairman Chaffetz. Will the gentleman yield?
    Mr. Jordan. Sure.
    Chairman Chaffetz. Then why did the Department of Justice 
on behalf of the IRS go to the court and say these records had 
been destroyed?
    Mr. Tribiano. Because at that time that we notified the 
Department of Justice, we did not know that we had the backup 
of that hard drive for that other litigation. So we told the 
Department of Justice that we did not have the hard drive.
    Chairman Chaffetz. And you have no records of what you 
destroy and when you destroy it, correct?
    Mr. Tribiano. That is correct. What we know is that on 10/
27, it was received in Memphis, and between that period and the 
period of April 16th, I believe, when the shell of the computer 
was delivered to the third party vendor, it was during that 
time period.
    Chairman Chaffetz. How convenient. You have no records of 
what is destroyed and when, and yet you require every American 
to keep all their records. That is what so fundamentally wrong 
and screwed up with the IRS. That is just wrong. And there a 
lot of good people that work at the IRS, but you know what? You 
go after Americans, but you do not take care of business at the 
IRS. It is just wrong. It is just wrong.
    And it causes mess. We are talking about a $1.7 billion 
case, and you guys cannot keep track of what you destroy and 
when you destroy it. How hard is it to put a log in there, 
``destroyed this one at this time?'' How long does that take? I 
mean, you can go to Best Buy and buy something off the shelf 
for like 50 bucks. I just do not understand that. Do you have 
an answer for that?
    Mr. Tribiano. I do not think it would be that difficult, 
sir.
    Chairman Chaffetz. Then why is it not done?
    Mr. Tribiano. I can turn that over to the Mr. Milholland 
who runs the IT shop and runs those procedures, and ask what 
that would mean from a staffing perspective and from a 
documentation perspective. But I think what Mr. Milholland 
alluded to was that it is an asset, and it is kept into the 
assets, and it is kept into the system up to the point where it 
is marked for disposal. And at that point it stops.
    Chairman Chaffetz. I yield back to the gentleman from North 
Carolina.
    Mr. Meadows. Thank you, Mr. Chairman. Mr. Milholland, let 
me tell you the issue that most Americans have with this. 
Storage is cheap. I mean, we have gotten to a point where even 
storage of millions of records is really cheap. We have gotten 
to a situation where it would have been so much easier when the 
first hearing happened, not 24 hearings later, but the first 
hearing, to say, you know what? Gosh, we are going to have this 
problem. We had better preserve everything. What precluded you 
from doing that, from preserving everything at that point? When 
Lois Lerner first came in here and took the 5th, what stopped 
you from saying let us just preserve everything?
    Mr. Milholland. I cannot recall the subject ever coming up, 
sir.
    Mr. Meadows. Now, you cannot recall the subject coming up. 
It was in the headlines, I mean, almost every major newspaper, 
and the subject did not come up about keeping it? And yet your 
testimony today says that you are NARA compliant. Would you 
care to revise your statement, because I do not believe that 
you are NARA compliant at this point. Having the National 
Archives underneath my subcommittee, I would probably beg to 
differ with that. So would you like to revise your ----
    Mr. Milholland. I would ask that Mr. Killen to respond to 
whether or not we are NARA compliant since that is his area of 
expertise.
    Mr. Meadows. All right. So are you NARA compliant?
    Mr. Killen. We are generally NARA compliant.
    Mr. Meadows. No, there is a ``yes'' or ``no.'' 
``Generally'' is if I am speeding and I generally go below the 
speed limit I do not get a ticket. But only those couple of 
times that I go beyond the speed limit I actually do get a 
speed limit ticket. Tell me, are you compliant or not?
    Mr. Killen. Well, I have to speak to the wording of the 
report, I mean, because we have had NARA reviews. And so, 
certainly we have opportunities for improvement, and ----
    Mr. Meadows. Then you are not NARA compliant.
    Mr. Killen. But on the whole, NARA has opined that we are 
generally ----
    Mr. Meadows. You are making progress I think is what they 
are saying.
    Mr. Killen. We are certainly making progress, and we have 
opportunities ----
    Mr. Meadows. But today you are not NARA compliant, which 
means that all communication would be preserved, would it not?
    Mr. Killen. We certainly have work to do.
    Mr. Meadows. Okay. So if you have work to do, then you can 
revise your statement that you are NARA compliant because 
obviously you are not.
    Mr. Milholland. In that sense, you are correct, sir.
    Mr. Meadows. All right. So let me go a little bit further, 
and I am going to piggyback on what the chairman talked about. 
Mr. Killen, why is it taking so long? I mean, why is this 
taking so long for us to get it right? Why December of 2016?
    Mr. Killen. Well, I think that the 2016 date is predicated 
on the OMB directive. That does not extend to just IRS.
    Mr. Meadows. So it is OMB's fault.
    Mr. Killen. No, no, it is not an issue of fault. It is an 
issue of what is the origin of the December 2016 date. And the 
origin of that December 2016 date is the OMB directive that 
says that all Federal agencies should have email in an 
electronically accessible format.
    Mr. Meadows. So it would not have anything to do with the 
change of Administration.
    Mr. Killen. I could not speak on that. I do not ----
    Mr. Meadows. Well, do you not find it curious that December 
2016 and Administration change would happen within 20 days of 
that date?
    Mr. Killen. I really cannot speak on that.
    Mr. Meadows. Okay. All right. So let me go on a little bit 
further because part of this whole hearing process has been 
other types of communications. And you all have been very 
careful to say ``email communications,'' but there are a number 
of other electronic communications that go on the system and go 
back and forth. Is that correct, Mr. Milholland?
    Mr. Milholland. Are you referring to instant messaging, 
sir?
    Mr. Meadows. Yeah. I mean, do you not have substantial 
communications among some senior-level people at the IRS that 
happens outside of email?
    Mr. Milholland. Yes, sir. There are obviously phones. There 
are ----
    Mr. Meadows. Okay. How about on text messages or instant 
messaging?
    Mr. Milholland. Actually I do not actually ----
    Mr. Meadows. You do not. Does anybody there use instant 
messaging?
    Mr. Tribiano. I do not, sir. It is on our system.
    Mr. Meadows. Yeah. You know, our gray hair probably throws 
this away, but I will go to the end. Mr. Killen, I am sure you 
do, do you not?
    Mr. Killen. I certainly do.
    Mr. Meadows. I figured you would, so it may be a general 
thing. But, Mr. Killen, do you use that instant messaging to do 
anything more than ``is it time to go to lunch or a coffee 
break?'' I mean, do you conduct business on instant messaging?
    Mr. Killen. Generally speaking, I do try to be careful 
about what I ----
    Mr. Meadows. Has there ever been a case where you have used 
instant messaging for business?
    Mr. Killen. I am sure there probably has been.
    Mr. Meadows. Yeah. And so, here is the issue, Mr. 
Milholland, and I am going to finish with this. Storage has 
become cheap. Backup tapes are becoming a thing of the past. I 
remember backup tapes, and I do not understand why with the 
amount of money that we are spending that we are still using 
backup tapes, unless they are just such legacy programs that we 
have to use the backup tapes for storage.
    We are committed to providing the resources. What we have 
not seen is the commitment to really get serious about 
preserving everything like Commissioner Koskinen has said he 
would do. And until we see that, we are going to take issue. 
Does that make sense?
    Mr. Milholland. I understand you, sir.
    Mr. Meadows. All right. I will yield back.
    Chairman Chaffetz. I thank the gentleman. The committee 
stands adjourned.
    [Whereupon, at 3:18 p.m. the committee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]


                                 [all]