JP Morgan accidentally deletes evidence in multi-million record retention screwup

JP Morgan has been fined $4 million by America's securities watchdog, the SEC, for deleting millions of email records dating from 2018 relating to its Chase Bank subsidiary. The financial services giant apparently deleted somewhere in the region of 47 million electronic communications records from about 8,700 electronic …

  1. Anonymous Coward

    >JP Morgan accidentally deletes evidence

    Whatever happens, definitely absolutely do not delete that evidence.

    wink wink nudge nudge, just blame it on that "the project experienced 'glitches,'"

    Call me cynical.

    1. Anonymous Coward

      Re: >JP Morgan accidentally deletes evidence

      Yes, I smell a rat too. Surely you start deleting activities only after you've tested the process and have made a backup anyway??

      And surely you verify that the data you are legally required to retain is still there? This 'oops' feels a tad too much like a happy coincidence IMHO.

    2. Malcolm Weir

      Re: >JP Morgan accidentally deletes evidence

      The only thing that suggests (to me) that this is Murphy at work rather than calculated is the process obeyed the "legal hold" protection tag, which is of course the data that they would be most terribly sad to see deleted!

      Also, if it were deliberate, being as how banks are such beloved institutions, I would wonder where are the loyal staff eager to protect their wonderful employer but who feel compelled to rat them out?

      1. Anonymous Coward

        A different take on that point

        The files that were on legal hold were put there because the court system, civil or criminal, already had them on their radar. The stuff that was supposed to be retained contained stuff that they were required to produce in pending suits, but no-one had flagged up in discovery yet.

        If they delete files on legal hold, they will come back and ask you where the files they told you to hold are. Their only play is that the penalties of destroying evidence and (probably willful) destruction of evidence are less severe than whatever legal doom cloud is hanging over their heads.

        If they delete files that the other side hasn't seen yet, the plaintiff or prosecutor has to then try to find copies of the missing documents somewhere else. If they can't, then the bad actor may actually get away with a slap on the wrist. (And let's be clear, 4mill from JP Morgan-Chase isn't even a slap, it's about the sum of the rounding errors in the residential banking sector.) That's what this incident is about, an insufficient but well deserved notice that the government saw what they were doing and at least wanted to squawk about it.

        1. Malcolm Weir

          Re: A different take on that point

          Err, dude, you appear to have failed to detect any element of sarcasm!

          As a matter of fact, you're quite possibly wrong: files on legal hold are likely to be in that state because the bank's own lawyers (i.e. the legal department) said put them in that state, which may or may not have anything to do with a court system (yet), or indeed an action that the bank might be defending (which is to say that some files get placed in that sort of state because the bank has flagged them as potentially of interest to law enforcement).

          But have a nice day!

        2. TheBruce

          Re: A different take on that point

          I believe if you delete evidence, at least in USA, the judge can instruct the jury to consider it as evidence of guilt.

          1. Anonymous Coward

            Re: A different take on that point

            "consider it as evidence of guilt."

            That applies only to poor people, not JP Morgan. Poor people also get put in jail, not getting to party on with a measly $4M fine.

    3. ecofeco Silver badge

      Re: >JP Morgan accidentally deletes evidence

      I would call you correct and bet on it.

    4. Anonymous Coward

      Re: >JP Morgan accidentally deletes evidence

      The power of accurate observation is commonly called cynicism by those who have not got it.

      - George Bernard Shaw

    5. Wzrd1 Silver badge

      Re: >JP Morgan accidentally deletes evidence

      If only there was some way in which to capture an information store, just store it back up in an attic or something.

      But, they apparently can't back up, they only back down to the bit bucket, as part of their disaster preparedness efforts.

      So, all backups, both on site and off site, grandfathered or incremental, all also got weeded?

      Yeah and the Crown Jewels just fell into the boot of my vehicle.

  2. Eclectic Man Silver badge
    Joke

    $4 million fine

    Well that will really sting.

    And then being told to 'obey the law' in future, gosh, the SEC is really going to town on them.

    Next they'll have to sit on the 'naughty step' and think about what they've done.

    So there!

    1. Anonymous Coward

      Re: $4 million fine

      Presumably the fine is not a percentage of revenue/profit. It should be.

      1. Toni the terrible

        Re: $4 million fine

        With megacompanies the fine should always be a % of their turnover, not just gross profit or net profit

  3. alain williams Silver badge

    Define "accident"

    JP Morgan top execs should be personally liable for this fine.

  4. An_Old_Dog Silver badge

    Blaming the Outsource Workers

    "Yeah, it was all their fault!"

    Hint: you can outsource the work, but not the responsibility.

    It will be interesting to see whether or not JP Morgan turns around and sues the contracting company for damages. If they don't, that may be an indicator that those were "accidental" deletions wink, wink; nudge, nudge.

    1. Zippy´s Sausage Factory

      Re: Blaming the Outsource Workers

      It'll depend on the contract, of course. I suspect someone at the contracting company may have said "are you sure about this? Like, really really sure? Like, sign this paper indemnifying me personally and the company I work for from any legal action arising from me pressing this button you're telling me to press". If they had any sense, that is.

      1. John Brown (no body) Silver badge

        Re: Blaming the Outsource Workers

        Nah. The article says the contractors assured both JP Morgan and the SEC that their processes were compliant. I don't really see how any contractual indemnity could get them out of that mess. So, assuming JP Morgan are telling the truth, the whole truth and nothing but the truth, they should of course, as you said, be starting the process of suing the contractor for the full amount of the fine and all associated costs resulting from the investigation and legal process.

        1. Anonymous Coward

          Technically the article says

          JP Morgan insists that they said that. I for one won't take their word alone for that, as companies always lay blame on the vendor when they footgun themselves. It appears based on the details in the article that the platform they used provided the functionality required to implement a compliant policy. JP Morgan gave its users the ability to override the retention settings, and relied on them to set the settings correctly for new silos of information like the acquired Chase assets. It gave them the rights to mass delete records without training them on how the system actually works. AWS buckets used to be a pain to lock down from the defaults; that doesn't mean that a company isn't to blame when they leave one wide open.

          There is also likely an auditing trail that pointed out exactly who changed what and when, which probably helped the FTC make its case. JP Morgan is just trying to re-frame this and deflect now that it is hitting the newswires.

    2. Strahd Ivarius Silver badge
      Devil

      Re: Blaming the Outsource Workers

      The question is: has the mail chain explicitly requiring that the mails be deleted without applying the required holds also been deleted, or does the NSA still have a copy?

      1. Wzrd1 Silver badge

        Re: Blaming the Outsource Workers

        The NSA doesn't have a copy, but Russia and China still do.

        And likely, GCHQ.

  5. IGotOut Silver badge

    Well simple...

    as they are guilty of destruction of evidence, then use that as evidence in all the active cases against them.

  6. Tubz Silver badge

    Hmm, let's look at the maths, $4M fine and slap on wrist for deleting records that are needed under 12 investigations and blame a 3rd party, that if proven would cost $xxxxxM. Seems like a good deal for JPM.

    1. tiggity Silver badge

      Would be interesting to know approx. what fines and other costs* they would have incurred IF they were at fault in those investigations where data was missing, and how that compares to 4M.

      If fines etc. were likely to be > 4M then surely the 4M fine should have been increased, as if we assume data loss was accidental it has still prevented those investigations, and although no guilt can be assumed, the fine ought to reflect the worst case of those investigations resulting in fines, otherwise we have a case of this accident potentially saving a lot of money.

      * e.g. intangible costs such as loss of future business, reputational damage (though whether a company known as the vampire squid can have its reputation reduced further is arguable)

      1. Persona Silver badge

        whether a company known as the vampire squid can have its reputation reduced further is arguable

        JPM is not the Vampire Squid. Also JPM was not as highly regarded as GS for perhaps a decade after that Vampire Squid comment.

      2. Eclectic Man Silver badge
        Trollface

        'loss of future business'

        Sorry? Loss of future business?

        Let's see, they have 'accidentally' deleted records which we'll never know, but could possibly have implicated themselves or (gasp) their clients in being naughty, and have suffered a mere $4 million fine. Sounds like some pretty good advertising to me. But then what do I know?*

        (Troll icon, coz this is deliberately provocative.)

        * I did do some consultancy for a well known commercial financial institution. The 'Money Men' (and yes they are still almost all men, despite all the advances of 'equal rights for women' etc.) were interested solely in money. So they might just consider this to be a benefit. Had Bernie Madoff or the Enron chaps had this sort of 'luck' maybe they'd not have had such long sentences.

      3. Anonymous Coward

        "although no guilt can be assumed"

        That applies only to people: Major banks are professional criminals. All of them. Proving that is another matter and they do not publish the evidence, naturally.

    2. Anonymous Coward

      "hmm lets look at the maths"

      Always, *always* follow the money!

      $4M is pocket lint amount for JP Morgan and that saved them from most probable conviction in 12 separate court cases.

      This is literally a case where a 3M insurance paper rubs to a 30k house, causing a fire: You can call it an accident but no-one will believe you. But, in this case JP Morgan paid a 50k fine and got to keep the 3M insurance money: That does not happen to ordinary people.

  7. HammerOn1024

    Your Responsibility

    Dear JP Morgan CEO and Board,

    This is squarely on YOUR shoulders. You hired the vendor, you failed in supervising them and verifying their deletion procedures. Did you even bother testing them on a replication system BEFORE going live? Probably not.

    If I was a stock holder, I'd call for your ouster and file a suit for failure of fiduciary duties.

    1. Anonymous Coward

      Re: Your Responsibility

      Hahahaha come on.

      If you were a shareholder this is exactly what you'd want them to do. A $4m fine is obviously far less than whatever the SEC would've fined them for the issue at hand.

    2. Wzrd1 Silver badge

      Re: Your Responsibility

      Yeah, sue away. They spend far more on paperclips that are used in their paperless offices.

  8. Anonymous Coward

    I work for a company who is looking to take possession of a significant number of JP Morgan records. This is a massive concern for me that we could end up on the wrong end of their muck up. Raised it as a risk, will see what happens, if anything.

  9. Daedalus

    Ahem

    Anybody care to speculate about the exact location of the company hired to do the archiving? Perhaps one located in a country famed for bait-and-switch staffing, exaggeration of capabilities and certifications etc.? Oh the physical archives may have stayed in the USA, but it's rupees to bhajis that the staff were located elsewhere.

    1. Anonymous Coward

      Re: Ahem

      I think you may need to look a little closer to home my friend. Try Portland, OR.

    2. Wzrd1 Silver badge

      Re: Ahem

      Actually, you might want to watch it. The outsourcing was paid for in Fenwickian Pounds.

  10. Anonymous Coward

    The people that

    accepted this obvious pre teenage bullshit? Equally obvious that they have the I.Q. of a fucking carrot.

    1. Wzrd1 Silver badge

      Re: The people that

      Why, you're right! The SEC should've driven a tank through their main office digs and fired a machine gun nuke launcher at them!

      Rather than apply statute as they did.

      Wow, carrots are smarter than some commentards.

  11. Azolnai

    My back snafu

    Data Center Fire!

    https://www.zolnai.ca/old/fire.htm

  12. VeritasSupreme

    Sounds Familiar

    "Accidentally deleted????" Sounds like JP Morgan must have used the same IT support as Hillary Clinton. Did JP Morgan also "accidentally" destroy the hard drives with a hammer like Hillary did? LOL. $4M fine seems like peanuts for something like this. Any wonder most Americans find it difficult to trust the government to hold the elites accountable?

    1. Malcolm Weir

      Re: Sounds Familiar

      The oddity of the Clinton emails is that destroying the hard drives with hammers (which I don't think actually happened; the indication is that the files were purged with a thing called BleachBit) is precisely the correct action to take if they did indeed contain sensitive information!

      However, the comparison with the Clinton server is apt: IF the deleted records were somehow incriminating, THEN this was a problem. But if they were personal emails (as Clinton alleged) or routine emails that would have been purged by 2021 anyway (the Chase emails), THEN there was no problem, except that it's hard to prove the absence of problem because the data was gone.

      In the words of the SEC, "Because the deleted records are unrecoverable, it is unknown – and unknowable – how the lost records may have affected the regulatory investigations."!

      [ The boring small print in the SEC statement reveals the rather dull scope of the issue: in June 2019 records created between January 2018 and April of that year were deleted; the law requires that they be kept until January - April 2021, so they were deleted after 14 - 17 months instead of after 36. Clearly this is wrong, but it explains why the penalty is also quite low. ]

      1. Wzrd1 Silver badge

        Re: Sounds Familiar

        And laughably, for being so destroyed, the FBI has drive images of Hillary's mail server. The FBI released a report on the contents.

        It all ceased to exist in only one excuse for a mind.

        The majority of classified documents on that mail server were only Confidential and were mismarked, making it easy to not realize that and leave them on the server (there's a procedure for data spills like that, handled quite a few over the decades).

      2. Anonymous Coward

        Re: Sounds Familiar

        " Clearly this is wrong, but it explains why the penalty is also quite low. ]"

        Does not, as these and only these records were needed for criminal investigation. When you destroy evidence it's *a lot* more than deleting random emails too early.

  13. DS999 Silver badge
    Facepalm

    Seems like they should just adopt a no retention policy

    And pay the puny fines doled out, given the alternative of having records available for subpoena in cases with liability that could be measured in billions!

  14. Anonymous Coward
    WTF?

    That's 0.003108003 percent of their annual earnings

    I thought the retention rate was ten years.

    1. alisonken1

      Re: That's 0.003108003 percent of their annual earnings

      Well, a quick Google shows:

      IRS: Link

      3 years (individual returns except as noted below)

      4 years (employment tax records after tax due/paid date)

      6 years (not reporting income you should have reported)

      7 years (file a claim for a loss from worthless securities or bad debt reduction)

      Other notes: MeyersBrothersKalicka CPA link

      10 years (some legal documents; e.g. cancelled leases, notes receivable, etc.)

      Permanent (some legal documents; e.g. bills of sale, permits, contracts, etc.)

      1. Wzrd1 Silver badge

        Re: That's 0.003108003 percent of their annual earnings

        That's IRS, not SEC under the banking act.

  15. ThinkingMonkey

    Just a "good" business decision, perhaps?

    Maybe there was a meeting where it was decided that paying $4 million in fines now was a much cheaper deal than tens of millions lost in lawsuits or even greater fines later?

  16. Groo The Wanderer Silver badge

    Oh, boy! A 4 MILLION DOLLAR FINE! That should take them all of 15-30 seconds to earn with their revenue stream.

    1. Chris 239

      You seem to have misspelt a word in your post, here's a correction -> "That should take them all of 15-30 seconds to scam ...."

  17. Anonymous Coward

    reminds me of my greatest shame

    Deleting the past options trading records of a broker by rebuilding an old server that had been taken out of service after migration to a new server. Historical data was held on storage in the original server, and needed to be transferred to the new server, but to get the new server up in time for market operation and to avoid delays in the system, the transfer was delayed, and then forgotten :(

    Mind you this happened back around the turn of the century before virtualisation became as widespread as it is now.

    Unfortunately at the time we were embroiled in a court case about one of our securities traders doing unauthorised options trading on their client's accounts (called discretionary trading and very much frowned on by ASIC, the Australian Securities and Investment Commission).

    So my boss had to write a stat dec that the data had been irretrievably destroyed, and that the backups only backed up the live data, not the historical records. This was based on information from the trading system suppliers who looked at the backups as a way of getting the system back up and running for trading and not as a way of restoring historical information.

    So the takeaway for me was, always backup and test said backup before destroying a server.

    1. Wzrd1 Silver badge

      Re: reminds me of my greatest shame

      Always backup and test on a regular basis. That stuff can break over time and reconfigurations of the enterprise.

      A lesson hard learned, long, long ago.

  18. rskurat

    "enhance" our process. Simply for crimes against English they ought to be shot

  19. Anonymous Coward

    CEO to CIO: Hmm $4m? That is less than the cost of managing that data. Let us make it an annual activity and hand over $4m to those SEC folks. And while you are at it, check if there is a discount if we pay 10 years upfront.

  20. RLWatkins

    You guys gotta hire a proofreader.

    JP Morgan "accidentally" deletes....

    There. That's better.

  21. Bump in the night
    Facepalm

    And I thought I had problems

    It takes me forever to remember how to archive email in Outlook efficiently. It looks like the bigger you get the bigger the fail.

  22. Vader

    One rule for the big players: 4 million is peanuts, and if a smaller company did the same, off with their heads.

  23. nonpc

    Boris and the UK Conservatives would like to know who looks after their records, and can they do the same for WhatsApp please?

    Alternatively has anyone tried the Dark Web for copies?
