The U.S. Environmental Protection Agency’s regional office in the Midwest is refuting the findings of an internal investigation that found that a lack of record-keeping controls and standard operating procedures could be preventing it from fulfilling federal record-keeping responsibilities.
The EPA’s Office of the Inspector General found that Region 5, which oversees EPA activities in Indiana and five other states, could not verify whether employees were using the agency’s official record-keeping system, preserving records for litigation holds and agency use, or knew how to report and investigate a suspected loss of records.
The lack of effective internal controls could have led to the loss of at least thousands of electronic documents submitted to Region 5, potentially affecting the agency’s ability to produce files for litigation and information requests.
EPA Region 5 said the report is “erroneous” and based on a misunderstanding between a storage system and official record-keeping systems.
The OIG began its investigation after it received a complaint from a Region 5 employee about a potential data loss.
According to the report, the EPA began using a new cloud file storage system in 2017 and began offering optional training that would teach staff how to, among other things, transfer the data using a data transfer tool.
Regional offices were given a May 2019 deadline to move all data to the cloud. Region 5 planned to move its data over a four-month period between February and May 2019, but at least one office began its data migration in early December 2018 when data transfer training was still optional.
The OIG found that one Region 5 employee tried to move data from a computer hard drive to the cloud storage without the training and failed, potentially losing thousands of files.
A government shutdown kept employees out of the office until late January 2019. After Region 5 returned to the office, the employee realized the files were missing and tried to get help to restore them. EPA’s information technology support could not locate the files but found that the employee may have inadvertently placed thousands of files in the cloud system’s recycle bin.
EPA IT then contacted the cloud storage system vendor, who told them the system automatically deletes its recycle bin after 90 days. If the files were placed in the recycle bin in December, there was no way to recover them now.
The employee then called the OIG’s hotline in May 2019 to report the data loss, and an investigation into the incident was launched Jan. 2020.
The OIG determined that the employee was responsible for the possible loss of files because of transferring them without training, but that management was ultimately responsible for the loss because of a lack of effective internal controls to prevent it from happening.
Region 5 did not require employees to use the cloud file storage system, but initiated the data move without mandating that personnel take training on the system or tools needed to move the data, the report concluded.
The OIG said Region 5 did not have standard operating procedures in place for the storage of electronic files subject to litigation holds . Nor did it have a way to verify whether personnel were maintaining records in the EPA’s official record-keeping system.
Further, OIG investigators said Region 5 did not have a protocol for reporting or investigating a loss of records.
“As a result, Region 5 cannot verify that it is saving all electronic records, which are necessary to substantiate EPA activities, or protecting electronic files subject to litigation holds. The Region’s inconsistent use of the EPA’s official record-keeping system makes the Region susceptible to future loss of records. A lack of preserved electronic files could also affect the Agency’s ability to fulfill Freedom of Information Act requests,” the report stated.
Investigators found that in some instances, official data was kept on unprotected portable hard drives off-site, sometimes at employees’ homes, a violation of EPA policy. Region 5 also did not know whether the files on the portable drives had security controls in place to prevent data from being modified, deleted or viewed off-site.
Region 5 still does not know whether records were lost. Region 5 officials told investigators that there is no evidence records have been lost and the employee cannot confirm whether records were lost in the data move.
Region 5 said it takes records retention responsibilities seriously and was “extremely disappointed” that the final report did not incorporate clarifications sent to the OIG.
“EPA Region 5 takes seriously its records retention responsibilities and our staff exercise great care and receive regular training to manage tremendous amounts of data and records in order to increase transparency for the American public. The OIG report minimizes this effort and erroneously implies that the Region lacks institutional controls, when the data shows how seriously – and effectively – we take our records responsibilities,” an agency spokesperson told the Indiana Environmental Reporter. “Further, the OIG report appears to confuse the Agency cloud file storage system with the official Agency record-keeping system – the two are not the same.”
Region 5 said the report was based on one employee’s error and failure to use the data transfer tool as instructed, while more than 1,000 other employees were able to successfully transfer more than 5.7 million files.
“We are always willing to review and improve processes, and do strive for perfection. This is why we have already instituted a number of additional controls and other measures are in the works,” the spokesperson said.
Region 5’s administrator Kurt Thiede and its chief information officer told the OIG that the region would institute at least four of the seven recommendations included in the report.