IT Mistakes by JPMorgan Chase Lead to $4 Million Fine

Jun 26, 2023

JPMorgan Chase is being fined $4 million after mistakenly deleting 47 million data communications records, including emails, instant messages, and other old communications. The deletion affected around 8,700 electronic inboxes, with data from January 1st through April 23rd, 2018. The extent of the problem is outlined in recent litigation by the Securities and Exchange Commission (SEC).

Their IT team had no backup strategy before deleting the data, and they found no way to recover it. They also admitted the lost communications could impact future inquiries and legal matters. Among the deleted data was a portion of business records they were required to retain for at least three years. While the fine was a fraction of the cost of a 2021 incident where employees were using personal chat for company business, it may have longer-lasting effects due to the value of what was deleted.

What JPMorgan Chase Did Wrong

The corporate compliance technology department (eComm Tech team) for JPMorgan Chase was tasked with deleting old communications and documents from the 1970s and 1980s that they weren’t required to keep. That project started as far back as 2016 and included support from a vendor they have used since 2012, though ongoing issues made progress slow. 

It wasn’t until June 2019 that they began the deletions as part of the troubleshooting process. Unfortunately, they also permanently erased communications they were legally required to keep. That mistake wasn’t noticed until October 2019 by the legal discovery team.

The problem started with how the eComm Tech team managed the vendor relationship. The vendor told them that the 2018 data was configured so it wouldn’t be marked for deletion; the vendor was wrong. The IT team made a few other critical mistakes:

  • The deletions happened during what they called a “troubleshooting exercise,” meaning there were still unknowns.
  • There was no internal process for double-checking that all the files were flagged correctly to avoid getting deleted. The team relied on the vendor’s word.
  • They had no backups for the data they were legally required to maintain.
  • There was no audit system to track the status of mandatory data. Nobody noticed it was deleted until a different department saw it four months later.

While this project was the one that triggered the unfortunate mistake, it was likely brewing for years due to IT mismanagement. Human error can happen in any industry and can lead to unexpected problems. There should have been a fail-safe to detect the mistake and a strategy to reverse the deletions if something went wrong.
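The kind of fail-safe described above can be sketched as a pre-deletion check that recomputes each record's retention status from its creation date instead of trusting the vendor's flag, and blocks the whole batch if any protected record is marked deletable. This is an added example, not code from JPMorgan Chase or its vendor; the names `Record`, `vendor_deletable` and `review_batch`, the record IDs, and the exact run day are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 3  # from the article: keep business records at least three years

@dataclass(frozen=True)
class Record:
    record_id: str          # hypothetical identifier
    created: date
    vendor_deletable: bool  # what the vendor's configuration claims

def retention_expiry(created: date, years: int = RETENTION_YEARS) -> date:
    """First day on which a record is no longer under mandatory retention."""
    try:
        return created.replace(year=created.year + years)
    except ValueError:  # 29 February with no counterpart in the target year
        return created.replace(year=created.year + years, day=28)

def review_batch(batch, run_date: date):
    """Recompute eligibility from dates; fail closed if a protected record is flagged."""
    audit = []
    for rec in batch:
        protected = run_date < retention_expiry(rec.created)
        if not rec.vendor_deletable:
            decision = "keep"
        elif protected:
            decision = "BLOCK: flagged deletable inside retention window"
        else:
            decision = "delete"
        audit.append({"id": rec.record_id, "created": rec.created.isoformat(),
                      "decision": decision})
    ok_to_run = not any(e["decision"].startswith("BLOCK") for e in audit)
    return ok_to_run, audit

# Constructed sample: two old records plus two from the 2018 range in the article,
# all marked deletable to model the vendor's misconfiguration.
SAMPLE = [
    Record("msg-1979-001", date(1979, 5, 14), True),
    Record("msg-1985-002", date(1985, 11, 2), True),
    Record("msg-2018-003", date(2018, 1, 1), True),
    Record("msg-2018-004", date(2018, 4, 23), True),
]

if __name__ == "__main__":
    ok, audit = review_batch(SAMPLE, run_date=date(2019, 6, 1))  # day is constructed
    print("safe to run:", ok)
    for entry in audit:
        print(entry)
```

The returned audit list doubles as the tracking record the team lacked: stored with each run, it shows on the day of the deletion, not four months later, which mandatory records were flagged.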

The Results of JPMorgan Chase’s IT Mistakes

Since there was no data recovery process or detection method, it was only a matter of time before something happened. The short-term result is a $4 million fine and the loss of 47 million communication records from 2018. Depending on the value of the deleted data, it may have longer-lasting legal consequences for JPMorgan Chase. It also highlighted the role of the IT staff and the vendor involved with the project, which creates an opportunity for behind-the-scenes improvements.

The Role of IT Compliance in Managing Data

IT compliance protects companies from mishandling data and getting hefty fines. While guidelines vary depending on the industry, they can touch on data handling, security, and disaster recovery. The goal of these regulations is less about punishing businesses and more about protecting consumers. While data breaches are a topic that’s often discussed, maintaining compliance can also help protect businesses from their own mistakes.

JPMorgan Chase’s IT team didn’t follow standard compliance procedures to ensure there was a way to recover lost data. While they were working with a third-party vendor, their internal team was leading this project, and it was their responsibility to confirm there was a data backup in case something went wrong. Since mistakes can and will happen, having a disaster recovery plan is essential.

Data Backups Can Prevent Costly Deletion Mistakes

Data accidentally or maliciously lost can impact operations, finances, regulatory compliance, and customer trust. The larger the IT infrastructure, the easier it is to overlook something critical, which can lead to even greater damage. Maintaining data backups acts as a low-cost solution to prevent a worst-case scenario. Looking at JPMorgan Chase, they’re fortunate the incident didn’t cause customer damage and was limited to past data with a shorter retention period.

What Other Businesses Can Learn From JPMorgan Chase

The ordeal with JPMorgan Chase is a good reminder that any company, even one valued at $400 billion, can make mistakes. Due to the scale of their operation, the $4 million fine won’t have much of an impact on their bottom line. However, smaller businesses in similar situations may not be able to take that kind of fall. The easiest lessons to learn come from observing the business mistakes of others. Data security and disaster planning are key to any long-lasting company.
