1. data that has to be retained for legal reasons can't be deleted by normal deletion processes
2. data that should be deleted didn't delete properly
3. to fix (2) they manually ran delete requests for times up to about the current date (back in 2018), relying on (1) to protect data
4. turns out somebody forgot to configure (1) for emails sent to domains belonging to Chase (at that point the merger was 18 years ago)
5. It took 1.5 years for anyone to notice.
To me it seems like number 5 is the biggest problem here. Mistakes happen, but had they noticed in time they likely would have had those messages in backups (if they don't, that's a much bigger problem). But they probably don't retain the backups for long, for the same reasons they delete old emails in the first place (legal discovery)
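As an added illustration of point 5 (not part of the original comment, and not any bank's actual tooling): a reconciliation check that compares per-domain message counts from mail-flow logs against what the archive holds for the same month, so a retention rule missing for one domain surfaces within a reporting period. The domain names, counts, thresholds and function names are all constructed for the example.

```python
# Reconcile "what was sent" (transport logs) against "what the archive holds".
# All data below is constructed sample data, not real figures.

# (recipient_domain, "YYYY-MM") -> messages seen in mail-flow logs
SENT_COUNTS = {
    ("main-brand.example", "2018-01"): 1200,
    ("main-brand.example", "2018-02"): 1150,
    ("main-brand.example", "2018-03"): 1300,
    ("heritage-brand.example", "2018-01"): 400,
    ("heritage-brand.example", "2018-02"): 420,
    ("heritage-brand.example", "2018-03"): 390,
    ("lowvolume.example", "2018-03"): 5,
}

# (recipient_domain, "YYYY-MM") -> messages currently retrievable from the archive
ARCHIVE_COUNTS = {
    ("main-brand.example", "2018-01"): 1200,
    ("main-brand.example", "2018-02"): 1148,
    ("main-brand.example", "2018-03"): 1300,
    ("heritage-brand.example", "2018-01"): 400,
    # 2018-02 for heritage-brand.example is absent entirely
    ("heritage-brand.example", "2018-03"): 12,
}


def find_retention_gaps(sent, archived, min_ratio=0.95, min_volume=50):
    """Return (domain, month) buckets where the archive holds too little.

    min_ratio  - archived/sent ratio below which a bucket is flagged
    min_volume - buckets with fewer sent messages are skipped as too noisy
    """
    gaps = []
    for (domain, month), n_sent in sorted(sent.items()):
        if n_sent < min_volume:
            continue
        n_archived = archived.get((domain, month), 0)
        if n_archived / n_sent < min_ratio:
            gaps.append({
                "domain": domain,
                "month": month,
                "sent": n_sent,
                "archived": n_archived,
                "missing": n_sent - n_archived,
            })
    return gaps


def summarize_by_domain(gaps):
    """Collapse flagged buckets into one record per domain."""
    summary = {}
    for gap in gaps:
        entry = summary.setdefault(gap["domain"], {
            "first_month": gap["month"],
            "last_month": gap["month"],
            "missing": 0,
        })
        # "YYYY-MM" strings sort chronologically, so min/max work directly
        entry["first_month"] = min(entry["first_month"], gap["month"])
        entry["last_month"] = max(entry["last_month"], gap["month"])
        entry["missing"] += gap["missing"]
    return summary


if __name__ == "__main__":
    for domain, info in summarize_by_domain(
        find_retention_gaps(SENT_COUNTS, ARCHIVE_COUNTS)
    ).items():
        print(f"{domain}: {info['missing']} messages missing from archive "
              f"between {info['first_month']} and {info['last_month']}")
```

Run on a schedule, a check of this shape needs the two counts to come from independent systems; if both are derived from the archive itself, a silent purge removes the evidence of the gap as well.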
It seems like laws about how data gets handled are pretty much not real laws, due to there being almost no enforcement. So, most companies handle their data in a fairly careless way
It might be illogical for companies to invest more into their IT infrastructure if there isn't a good reason to do so. I mean, even massive customer data leaks go basically unpunished, so how do you justify the mitigation expenses at the board meeting when shareholders are already mad about the lack of growth last quarter?
It turns out investigation and enforcement is disproportionately doled out to large corporations. Companies like Alphabet and Meta have multiple teams to make sure they are handling data correctly and yet there could still be things that fall through the cracks.
This regulatory attention on large companies is advantageous to startups though; until a startup gets big nobody really cares about its data handling compliance.
GDPR fines are for when you get caught. Nobody cares about small companies enough to catch them.
On the other hand, big companies don't just deal with clearly defined responsibilities like GDPR; that's table stakes. They deal with random government investigations on data handling. If a company has multiple products, combining data from those multiple products could very well suddenly become antitrust concerns. What makes a particular data handling practice an antitrust concern? Companies don't really know in advance because it's purposefully vague and meant to be worked out by the courts.
I’m not convinced companies actually keep these records so much as they retain access to inbox and outbox data and call that good enough. I think in many environments if you delete an email from your outbox it would become largely irrecoverable.
I’m curious if any IT folks can comment on what they have seen? Do you actually have log records of all messages? Or do you have something like a snapshot of all accounts at a given time?
In a "normal" operation (when things go smoothly and are well designed) yes, the objects are retained, even if deleted in primary mailboxes, explicitly for the accommodation of discovery requests and litigation holds. The rules can get more or less complex - negotiations on deals with TCV over a certain threshold have keywords and parties whose relevant emails are retained beyond normal policy, certain job classes have data retention extended beyond normal policy, keywords can trigger longer retention, information classification (either manual or automated) can extend retention periods. Software solutions have for many years streamlined the work necessary to pull this off compared to what it would have taken in an Exchange server farm 20 years ago.
Anyway, all these business rules are (should be) documented in formal policies on data retention, litigation hold, privacy, etc. If a company were going through a working annual audit process for SOX or increasingly even routine annual financial audits (non-SOX), policies would be examined for evidence that they are working with spot checks - e.g. auditor selects examples of qualifying events and asks for evidence that the given policy is in fact enabled/enforced technically. This may test retention as well as intentional deletion (e.g. we should deliberately have no data beyond five years unless an exceptional circumstance warrants it).
Office 365 offers message retention - our standard configuration will see it set with a seven year period. So you can delete from the outbox, and it goes to deleted items. If you delete from there it disappears from view, but any admin exporting your mailbox will include it for seven years.
There were “at least 12 civil securities-related regulatory investigations, eight of which were conducted by the Commission staff” [1]. No doubt, more will be filed.
For JPMorgan, sure. That missing evidence gets interpreted adversely against JPMorgan, which means those cases are basically won. The question is how many more will arise in the coming months, perhaps years, that find reasonable claim to damages arising out of evidence the defendant has conceded it can’t bring to its defense.
Will the interpretations of the missing evidence be worse or better for them, though? Seeing as it's JPM, it's very possible that whatever evidence was lost (lol) would be a lot more damaging than whatever the prosecutors will come up with.
The $4M is a slap on the wrist, but if there's evidence that it was done on purpose, and the deleted data is evidence for a bigger case, they'd be in much bigger trouble still.
But, innocent until proven guilty; if there's no indication of any missing evidence, it'll stay at the failure to retain data fine.
I think corporations of "too big to fail" stature should have different legal protections than what are offered to humans.
Innocent until proven guilty is not quite fair to apply to corporations that get bailed out by taxpayers when the policemen are driving bicycles trying to enforce the speed limit on a highway full of McLarens.
When a company has positioned itself to be a critical organ of society, it should be required to function properly. The rules of nature do not forgive a well meaning hare that didn't intend to be eaten by a lion.
I am of the position that no company should be allowed to become too big to fail. Or, if one does, it should be nationalized.
If its service is crucial and no other company can replace it, then there is a high risk that it makes use of its position by charging an arm and a leg for essential services.
> Worse still, the stuffup meant that it couldn't produce evidence that the SEC and others subpoenaed in their investigations. "In at least 12 civil securities-related regulatory investigations, eight of which were conducted by the Commission staff, JPMorgan received subpoenas and document requests for communications which could not be retrieved or produced because they had been deleted permanently," the SEC says.
That would seem to be an indication of missing evidence
No one went to jail for the 2008 crisis, and most of the regulatory bodies are private corporations masquerading as a public entity. To add salt to the wound, the SEC is very discerning as to when to enforce the law
It doesn’t matter whether or not the above paragraph is reality, because masses perceive it as reality, and trust in public institutions continues to dive. If confidence isn’t restored soon, then things might start to destabilize
Nobody (who isn't a moron) is going to send an email about intentionally doing this, or talk about it with someone who wouldn't also be implicated if discovered. If you saw everything, kept careful notes, and decided to become a whistleblower, your career would be destroyed and your life might even be in danger.
> In at least twelve civil securities-related regulatory investigations, eight of which were conducted by the Commission staff, JPMorgan received subpoenas and document requests for communications which could not be retrieved or produced because they had been deleted permanently.
The fact that the SEC sometimes fines some banks doesn't mean that the SEC is completely safe from influence from big banks. As usual, it's not a black and white picture.
What sort of work experience do you think the applicants for the jobs at the SEC ought to have?
If you need people with experience in banking and finance, especially the legal and regulatory/compliance areas, where would you do your recruiting?
Do you think that only experienced murderers should adjudicate murder cases? Should all cops be expected to have extensive criminal experience, and should we expect them to return to crime after they retire from the police?
This. If anything, insider experience tends to dull willingness to enforce because "it's how everyone does it". As a regulator, the public in a real way depends on you to be the lever that looks at how everyone does it, and be willing to say "not good enough"
They are actually making a very powerful point. A regulator is expected to at some point operate from an "external to industry" perspective. Much like a test framework or testing harness must exist out_of_band of the system under test.
A regulator that regularly pulls exclusively from industry insiders should raise eyebrows. Now whether the SEC actually pulls the majority of hires from industry insiders, that's another question I can't readily answer. Don't have those figures.
The first two links describe the same event, if I can tell correctly.
A lot of people fail to realize how crucial financial institutions are for society. Everything we do has national currency as a middleman, and national currency is more under private control than under public.
$125M is a fee for stealing as much as you wish, since you have the power to print money. Need more assets? Just give out credit more loosely for a while. Then "accidentally" delete the records of what money went where, then get bailed out.
Commercial banks get to create and spend currency before its impact hits the wider market through inflation. In addition, the rate of creation has to continuously surpass debt repayment, otherwise there is a liquidity crisis. They have an immense privilege, and as such, should be held to much higher standards.
"Give me control over a nation's currency, and I care not who makes its laws."
If the violation of even the standards we have results in less than a month's worth of PROFIT for several years of wrongdoing, how are these rules or outcomes fair?
I believe that can still happen. This was just a fine from the SEC, the legal consequences could come later.
Basically a lot of that email was subject to litigation holds. If that litigation ends up depending on some email that Chase was supposed to retain but failed to, the judge is allowed to give a "spoliation inference" instruction to the jury - the jury can infer that the evidence would have been unfavorable to Chase.
The fact that this may have been due to incompetence rather than malice means this is less likely.
So, what you're saying is that if the actual evidence shows something worse than what the judge will assume it says, then you should 'accidentally' delete it.
I think there are plenty of cases of this happening.
I’ve made this kind of accident before. Within my first 6 months there was a massive internal investigation of someone entering the building without authorization, as they had made their own keycard.
I had been asked to analyze a machine’s event log to see what happened, and on a Teams meeting with a dozen people proceeded to right click the event log and mistakenly hit clear, unconsciously accepting the dialogue box.
That was embarrassing, but I was direct about it.
I always just pull the plug and image the disk since.
> right click the event log and mistakenly hit clear
Had you immediately pulled the plug on the machine at that point, you would almost certainly have been able to recover the event log. Sure, it would have been many days effort, but probably better than failing to get evidence of a suspected evil do-er.
When you need to do any infrastructure change, not to mention data manipulation, it takes a million signatures and meetings. Like 13 meetings to deal with one ex-employee's corporate cloud folder.
Unless they end up in court. Then somehow a million things happen on their own in their benefit.
As someone who has done support for finance's IT departments, the "this was broken for years and no-one noticed" idea sounds bang-on. I've watched the millions of signatures and meetings, but none of that matters when someone screws up the implementation (but not badly enough that anyone cares to complain).
Seconding this. You can have all the meetings you want, but at the end of the day the core competency of bank management is managing money and not managing IT, and banks suck at managing IT when it isn’t directly in the critical path of cash flow, and even then they get it wrong more often than anyone wants to admit.
So many people want to be "the person who orders the thing be done" and not "the person who does the thing".
Dysfunctional organizations have (somebody-else-is-doing-it / im-doing-it) ratios that get way out of control. There's also (talking-about-doing-it / doing-it), where dysfunctional orgs lose the ability to experiment.
Backing up the email database is probably a bad idea for an org like this, because they have data that isn’t allowed to be backed up.
I had a customer that got accidentally sent confidential data to the wrong email address and it was backed up for multiple months. In the end we left it in there but they considered deleting all the backups that contained this email.
That is a good reason for having short lived backups and an archiving solution with retention policies for emails.
They likely spend all of it on the million meetings full of people who wouldn't actually be executing the change, next to none of it on the team and infrastructure where the change will be made, and then fire the team who made the change.
JP Morgan and other similarly acting agents in finance have become literal economic cancer tumors, attracting undue angiogenesis and convincing the body that excision is fatal all while leading it to its demise.
We haven't figured out how to cure cancer in humans because we turn a blind eye to it when we create it ourselves.
> Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
...That's actually textbook business/enterprise risk management calculation believe it or not. Not a facsimile or artistic exaggeration.
If you want to know why so much shady crap happens, part and parcel of that is when we do catch malicious behavior, the fines are so small as to be cost of doing business.
If it weren't so depressing it'd be incredibly hilarious how blatant and open the corruption here is, as if anyone on planet earth is gonna buy this BS story.
The fines for these types of accidents should be starting with the letter B and ending with illions, lets see how often these types of mistakes happen in the future afterwards.
I find the story of incorrect archive settings/setup to be reasonably plausible and even likely. I work in finance and misconfiguration of systems are not that uncommon. Testing and reviewing archive settings is often not very thorough.
For example, I was working on a system that handles holdings and trading information at the fund level which covers AUM that starts with a T and ends in rillions. There was an SQL injection vulnerability with schema owner access. Luckily this was an internal app, but still there are trade desk devs who could accidentally paste a drop table statement with a name collision. Anyways, I brought all this up to the principal. I was told this isn't a real big deal because they have real-time backups. I asked if they ever tested the backups... no. Do they have procedures for restoring from backups... no. They go nuts if there's a 5 minute outage, so how long would it take to restore... no idea.
Trust me ignorance is very believable, even in regulated industries.
> I find the story of incorrect archive settings/setup to be reasonably plausible and even likely. I work in finance and misconfiguration of systems are not that uncommon. Testing and reviewing archive settings is often not very thorough.
GP's point stands: they should be fined to a degree that it becomes clear to management that these "not uncommon" practices must become very uncommon.
> they should be fined to a degree that it becomes clear to management that these "not uncommon" practices must become very uncommon
Why? Fining isn’t done for fetish, it’s done proportional to harm.
The article mentions twelve civil suits (four independent). JPMorgan will lose those. Any lawyer worth their salt, meanwhile, will be looking for claims which could reasonably involve the evidence which was deleted to file. In this way, the people actually harmed get compensated versus a government agency, which mitigates corruption concerns.
Don't get stuck on the word "fine". The fines can be judgment at court. The cost of doing business this way must go up, way up, so that these critical institutions are legally transparent* and motivated by a strong desire to avoid drastic haircuts.
*for example, no more "the dog ate our homework" excuses.
> Don't get stuck on the word "fine". The fines can be judgment at court.
All fines are subject to court supervision. This sentence makes no sense.
> cost of doing business this way must go up, way up
We want regulators thinking of the public, not randomly increasing the cost of business. This seems more motivated by hatred for a thriving industry than claims to specific damages. Regulators who pursue this path are rightfully overturned by courts for acting capriciously.
Regulators are not thinking of the public when they allow corporate sociopaths to neglect societal best interest while market fixing / mismanaging records / etc., activities that have demonstrably siphoned wealth from the lower class and moved it increasingly to the ivory towers of companies that do not deserve the influence that makes them "too big to fail".
The wealth inequality gap is widening and it's due to pussyfooted enforcement on white collar crime and strategic negligence.
You can’t fine a business just to reduce inequality. Any jurisdiction that starts ruling that way fails basic definitions for rule of law. (This is in part what ruined Argentina.)
Also, in what universe would larger fines for banks decrease income inequality? The history of enforcement is capricious penalties increase incentives for cover-ups. If a record retention mistake means personal bankruptcy, you have zero incentive to correct mistakes. In practice, this leads to corruption among regulators, who are now the de facto commanders of private business.
> due to pussyfooted enforcement on white collar crime
Where is the crime here? The SEC investigated and found no wilful wrongdoing. Those twelve private plaintiffs are going to win judgements, as will everyone else who brings claims which could reasonably be covered by the missing records.
The crime was identified, which is why JP Morgan was fined. Once a corporate entity is operating at a sufficient scale, it does not matter if the people inside willingly mess up. The organization is required to be run properly. The problem is that slaps on the wrist for failure do not suffice as environmental stressors for corporate evolution.
As for what we can do, the possibilities are endless. We shape society however we like, and that is the highest form of art humans engage in.
> crime was identified, which is why JP Morgan was fined
The SEC is a civil agency. No crimes.
> organization is required to be run properly
It’s that easy? Just require good organization and you’ll get it by diktat? This entire thread seems to require a reading of Argentinian and modern Egyptian and Russian economic history.
Evidently you don't get well run organizations by simply having legislation, which is my point. We do not enforce that legislation appropriately.
I'm confused by your point regarding the SEC, how are they allowed to fine a company without legal basis? If my use of the word "crime" means something different to you, I mean "crime" as anything that breaks the law.
> I'm confused by your point regarding the SEC, how are they allowed to fine a company without legal basis?
There is a legal basis: retention requirements of the Securities Exchange Act of 1934.
From the SEC order: “As a result of the conduct described above, JPMorgan willfully violated Section 17(a) of the Exchange Act and Rule 17a-4(b)(4) thereunder, which require broker-dealers to preserve for at least three years originals of all communications received and copies of all communications sent relating to its business as such.”
> you don't get well run organizations by simply having legislation, which is my point
Nobody argued as much.
> I mean "crime" as anything that breaks the law
This isn’t what “crime” means. Painting your house the wrong colour may be against code, but it isn’t a crime. Legally, the difference is starker, as nobody was shown to have done anything wrong here beyond the benefit of doubt.
> Just require good organization and you’ll get it by diktat?
This is what I was responding to. You seemed to be insinuating that I didn't understand that laws or rules are not sufficient deterrents.
> nobody was shown to have done anything wrong here beyond the benefit of doubt
I'm still confused as to how the SEC was able to fine someone for not committing any wrongdoing, exact definition of the word "crime" which I have clarified I used to mean "general rule breaking" aside.
I agree. From my point of view there is definite wrongdoing, and it is not adequately punished. I'm trying to understand the other commenter's point of view as to how the bank was fined if there was no alleged wrongdoing. They had earlier asked "Where is the crime here?"
Allowing "smart" individuals to play dumb to benefit themselves is not smart at all at a societal level.
Strategists at these companies examine the costs of failure or cheating, and simply see that it's worth it to cut corners or pile on risk. Just look at JP Morgan's history in getting fined for market manipulation.
I briefly worked for a major European bank. There was a system that was backed up on tape. The way they checked the backups was to visually look at the tape spool - before sending the tapes off to a mountain to be preserved.
One day, they needed something from a backup. Sure enough, the tapes were simply blank due to a bug in the backup script.
JP Morgan is the very definition of 'too big to fail'. Any actions against them to that degree would be self-sabotaging by any country. I'm not saying it's a good thing, but that's the reality right now.
Individuals and companies won't stop having accounts or buying homes or investing in equipment because 1 bank 'gracefully' shuts down. Another one will take on.
But risking a crash like Lehman Brothers, Wirecard (a journalist nearly got charged with market manipulation in Germany for covering what really happened in this firm), FTX,... is the real self sabotaging for a country.
"Too big to jail" is not a service for the common good. It's just protecting friends.
We need real investigations into how this bank is run, and how others are run as well.
If this was genuinely just an IT incident, that's fine. But it raises questions obviously.
The global economy is built on confidence which is derived from trust in financial institutions and whether governments act economically reasonably.
It's not a matter of whether there's other banks that can take on the business. It's a matter of government intervention to that degree would rock confidence and cause a negative shockwave through the markets, which would most definitely affect you no matter how much or how little you have invested in the bank in question. New backers for loans made to the largest corporations and countries on earth, easily reaching billions if not trillions of dollars would need to be accounted for and reorganized. A primary source of funding for housing, infrastructure projects, etc. would be eliminated.
I think you fail to see how deeply entrenched the largest financial institutions in the world are with modern society. Our governments literally depend on them to function because of the complexities of globalization.
> JP Morgan is the very definition of 'too big to fail'
If the government revoked the license for a local lawn care company on the basis of a records retention mistake, I’m fairly sure they’d have a case for reversal in the courts. I get we’re technically minded, and so technical mistakes rank up with mortal sins, but let’s keep a sense of perspective.
JP Morgan is not a local lawn care service, they have the funds to not make mistakes like this. Larger companies should be held to a higher standard because their actions have a wider impact.
> Larger companies should be held to a higher standard because their actions have a wider impact
Sure. My point is this has nothing to do with too big to fail.
Also, what is the impact of these records being deleted? If you have a claim that reasonably involves them, it is basically cashable due to the error. If nobody can show damages, it’s hard to argue this mistake had a wide impact.
I have never just deleted millions of emails and pieces of evidence in a listed company, especially one that falls under the SOX act (it implies some governance.)
Proportional fines that dent seriously into their profits ensure this does not happen again. But usually the fines end up being slaps on wrists, which ensures continuity of these schemes.
Do you really think JP Morgan, which has about 300,000 employees, has a secret network of corrupt actors at an administrative level to carry out something like this on purpose without someone blowing the whistle?
There doesn't have to be a "network". This probably reached the highest executive levels and a few of them discussed it and said let's accidentally delete this and take the fine. You're incredibly naive if you think this wasn't intentional.
I run a very small public company, and can say from first hand experience it would be extremely difficult to do something like this let alone do it and not get caught.
All emails and code changes are up for discovery and I don’t work with individual contributors directly so I’m not even sure how I would be able to give an instruction like this without many people wondering what was up.
In the early days sure, I could go ask X person to access things directly but after a couple hundred people it doesn’t work that way. Think about an org of hundreds of thousands with the most strict compliance rules in existence.
And doing something willful here would be jail time so why would someone already wealthy risk this? Even in a corrupt system people balance risk reward. A fine for the bank, fine, but life ruined forever stretches credulity given the limited upside.
Presumably they would have gone to some low-level tech and told him something to the effect of "We are looking for a new team lead, you might be a good fit. Completely unrelated: how difficult would it be for emails from the last couple years to be 'accidentally' deleted as part of routine operations".
I'm not saying that's what happened, I find the sequence of events described by JP Morgan believable. But the same process issues that allowed this to happen accidentally would allow it to happen maliciously.
> Presumably they would have gone to some low-level tech and told him something to the effect of "We are looking for a new team lead, you might be a good fit.
Not a chance. NOTHING gets done at JPMorgan without a mountain-load of direction and a grip of meetings. This would have had to wipe out both the data and records of that direction. Because the layers of tape are so thick you can't travel floor to floor without an access card coding and used to log your time and that even these simple systems don't work all the time (which generates even more busy work, yay), it's a form of friction against any sort of "secret" dealings within the company. If your keycard/dev env/database access/wiki edits/etc are so chaotically managed, it's unlikely that you will leave 0 evidence behind. Note that there was enough information to reconstruct what happened, to some degree.
I would bet someone didn't communicate the arcane symbol column that meant "do not delete for legal reasons", in some SQL. It's that chaotic, which reinforces the paranoia about the legal consequences that are foisted on every employee, routinely. If you have a shoplifting conviction (a record that hasn't been purged), you aren't getting hired. Viewed from the inside, it's strangely dystopian, but far from subtle.
Some executives going on WhatsApp to collude is going to be possible to this day, as long as the highest ranked member(s) ok it and there's no paper trail. It's not much different from after-work drinks, but they left records and got caught. shrug That's a different kind of corruption than what I was addressing, which does not involve technical operation.
Not to brag, but I skirted company policies at JPMC. I had been tasked with writing a solution for a specific process that integrated a freeform type of data. I didn't use customer data or even sensitive company information, but did cobble something together that worked as a prototype over 6 months, in addition to my application workload. Due to some unannounced hardware refresh, my laptop was to be wiped. I decided to mail a zipfile of the custom javascript code (all open source or hand-written), to myself. There was a proper application (OneDrive) to normally store this kind of data, but it wasn't on my machine...which was probably part of the reason some laptops were being nuked. So, against company policy, I "mishandled source code" and got a 2-week-long wrist-slap over it. Was this "letting employees use email to evade company policies", or is it simply something that happens because there's no practical way to prevent me from doing it and still maintain standard business operation? It's important to read between the lines sometimes.
Anything that requires participation of lower level employees, is different because they have to have explicit instructions and action plans to do anything...according to multiple policies and processes. If someone walked in and said "this is the SQL to use to delete this data for this JIRA ticket", it would be written down in a Confluence, JIRA, email, git, for starters. You would also have to have to account for the rollback as well, or it doesn't play.
Your mental model is broken in that you seem to think the techs have independent models of what is and is not legal and will "legal fact check" the executives. In specific cases this may occur, but in general, if legal comes to a tech and says "we need to delete this", the tech will delete this. If you want to mess the tech around, you don't fire a guy and promote someone else and hire a private investigator to get blackmail on the database operator and hire the mafia to rough up the guy holding the backup tapes to make sure they get the message. You just tell the tech staff that legal says this has to happen. The tech staff does all sorts of things because legal tells them to, totally routine thing. This would not have stood out at all.
I mean, I live this personally. When legal tells me to delete or retain something, I don't go get a law degree, and then insist that they let me have all the details to come to my own independent opinion about whether or not we need to delete or retain something. That is every bit as nonfunctional as when I tell them that the task they're asking for will take three weeks and they go get a programming degree and then come over and learn the exact environment we are working in so they can verify that we are telling them the correct estimate.
> they would have gone to some low-level tech and told him something to the effect of "We are looking for a new team lead
Part of the SEC’s process is peppering these people with pamphlets explaining how their testifying this happened is a $10+ million whistleblower payday.
I just don’t buy it. Even a C-level has limits, whatever was being investigated currently just has the possibility of some big fines and maybe losing their job. As soon as they start colluding to destroy evidence that turns into jail time.
As someone who does this work, I agree. This sounds like IT Operations messed something up on its way to the people who do the lawyer work. Never had it happen to us, but I could see me handing something off to others in the Operations Org and having accidents happen.
The implementers and auditors themselves get bogged down by red tape and/or the game of telephone between various departments, leading to information and Acceptance Criteria falling between the cracks.
Yes I do and yes it could happen. It could simply be someone accidentally taking off the lit hold on a Friday after a bad day. Then not realizing it till Monday. A bunch of data would be gone.
The scale of record keeping in a place like JP Morgan is enormous. Just payments transactions are about $10 trillion a day. Unless documents are ring fenced from the start and not many systems and people have access to it, it is highly unlikely that someone is able to destroy it in all the right places without anybody noticing.
If you read the link in my previous comment, you'll see this isn't the first time they got fined for bad record keeping practices. In that instance, $125m.
On the one hand you're saying it can't be done without some whistleblower turning up, on the other hand you think that it's possible to happen accidentally.
It's kinda either/or. It's either possible that someone can get full admin privileges and deletes it off-the-record or they've got enough safeguards in place that the accidental deletion isn't possible either.
It seems very reasonable that 47 million messages were deleted from 8,700 mail boxes by accident, but it seems like a stretch of the imagination to say this resulted in the intentional deletion of the EXACT evidence that they were being subpoenaed for, without forgetting to delete SOME of the evidence.
What? According to the article, all emails were deleted in that given timeframe with the excuse "they thought it would be impossible to delete records that were still required to be kept by regulation"
I don't think your argument works unless the article is wrong.
nobody is claiming intentional deletion of the EXACT records being subpoenaed and only those records, and the article makes clear that isn't what happened
the thing we're discussing is deleting A LOT of records which INCLUDE the ones being subpoenaed, which is obviously easily possible, intentionally or otherwise
Well, since the number of mainstream outlets investigating Epstein's links to the mega-wealthy with appropriate depth is precisely zero, we need to adjust our standards a bit.
If you can point out anything specific in there that's provably wrong, I'd genuinely love to hear it.
> If you can point out anything specific in there that's provably wrong, I'd genuinely love to hear it.
While there are many statements one can confirm, such as "took up boxing", they are surrounding nuggets like this: "After being selected by a mix of powerful businessmen, many of whom shared connections to intelligence and/or organized crime", a statement which is so vague as to be highly suspicious.
And don't even get me started on the author feeling the need to point out that all these organized crime and banking folks are Jewish - what's the relevance? Only to double down on stereotypes - the other people in the story aren't called out for their ancestry or religion...
She specified their ethnicities and countries of origin to describe their relation to the "SuperMob," which was apparently "composed mainly of Jewish and Italian mobsters and businessmen who rose to power thanks to the corruption within the city of Chicago before expanding to other areas of the country, particularly the West Coast."
By only denouncing this Dangerous Anti-Semitism and ignoring the equally deplorable Anti-Italianism, you've outed yourself as an Anti-Italian Romanophobe whose opinions may be summarily dismissed. Checkmate.
Actually, she did not specify the ethnicities of any specific person other than the Jews.
If you read the article, you'll notice "Italian" occurring once, but not in relation to a specific person...
However, in the opening paragraphs of the "SuperMob" they're sure to mention which specific individuals are Jewish:
Crown Prince of the “Super Mob”
Henry Krinsky was born in 1896 in the city of Chicago. His father, a Jewish immigrant from Lithuania, worked as a sweatshop foreman and changed the family name to Crown when Henry was a child. After dropping out of school in the 8th grade, Crown started a steel business with his older brother, Sol Crown, in 1915, creating S.R. Crown & Company. A few years later, in 1919, another brother, Irving Crown, joined the company, which became Material Service Corporation (MSC), a sand, gravel, lime and coal business that was prominent in Chicago’s construction industry.
Henry Crown developed an early relationship with Jake Arvey, a notorious political fixer for the Democrats in Chicago who, like Crown, was the son of poor Jewish immigrants. Arvey had deep ties to the Chicago mob, including the circles around notorious gangster Al Capone
Now, I know also that you're saying I'm being overly sensitive, but I'm trying to point out (when I was asked to disprove the article) that these are signals that I think the article is not to be trusted on face value.
In the entire, very long article, there are only three references to Jewishness - twice saying that people had Jewish immigrant parents, and once in reference to the makeup of a particular mob which also references their Italian members, putting the lie to your claim that other ethnic backgrounds are not mentioned.
Making things out to be anti-semitic when they're not, such as happened to Corbyn, is a popular smear tactic. It's pretty disgusting though, and many Jewish people have pointed out that it's a very harmful and anti-semitic thing to do.
>Making things out to be anti-semitic when they're not, such as happened to Corbyn, is a popular smear tactic. It's pretty disgusting though, and many Jewish people have pointed out that it's a very harmful and anti-semitic thing to do.
That ship has long sailed in the US. I don't see this behavior stopping in earnest until the greater populace stops giving any credibility to the claims due to reputational damage. In fact right now they have become emboldened after the 2020 elections. Meanwhile there is a real rise in anti-semitism that is likely occurring among the far-right.
Change is starting to happen online in that every single thread I've been seeing on Reddit/HN that calls out Israel also tends to completely swat away the anti-Semitic claims thrown out when any criticism of Israel typically occurs. Whether this translates into real world changes remains to be seen but we are starting to see it in the voting patterns of Millennials and Gen-Z (them supporting comments made by "the Squad" and electing more reps that don't shy away). It will very likely be a generational shift as Israel continues to damage its reputation in the US due to its tactics.
You realize that isn't how it works, right? It shouldn't be OK to make wild claims without evidence that need to be backed up. It's the other way: you need good evidence to back up wild claims.
The article seemed pretty clear about where evidence was lacking; and is more densely packed with links than >95% of mainstream news articles.
Even if one were to completely dismiss everything fta that was even slightly suspect, you'd still have more insight into why JP Morgan might intentionally delete tens of millions of emails.
Forty-seven million emails. 47,000,000.
"Accidentally". Even if you could believe this - wow - even if you could take that at face value, the fine worth ~45 minutes or so of profit is still preposterous.
No need to fine them, if this stuff is needed in a lawsuit just let the other side make adverse inferences by default whenever the data could have been deleted.
Do you mean bail? The only thing bail does is get the defendant out of jail until the trial, and the only (Constitutional) reason to jail someone before trial is to make sure they show up.
E.g. Elizabeth Holmes got out on bail, but just recently went in to serve her sentence.
Indeed I meant bail. I always thought you can avoid jail that way in that country and very pleased you taught me I’m wrong, this seems a more fair system.
Not thankful for the downvoters although they probably thought I was cynical or something… but hey better have knowledge than points.
> the only (Constitutional) reason to jail someone before trial is to make sure they show up
Well cynicism is definitely called for wrt bail, because it's regularly used for a very different purpose. It's normal for people accused of crimes to have to wait over a year for their trial in this country, and the courts often intentionally set bail so high that the accused can't possibly afford it. They are forced to choose between sitting in jail that whole time while their life evaporates, or they can plead guilty to a crime they may or may not have committed; the actual punishment is often less severe than being found innocent at trial. The prosecution can repeatedly push back the trial to keep the pressure on. Since healthcare access is almost always tied to employment, people plead guilty to crimes they didn't commit every day in this country so that their kids don't lose their access to healthcare. Just the sort of systemic, everyday corruption that we're supposed to pretend can't happen here.
no, it's just a cost to do business.
They still have billions after you charged them billions.
And charging companies with fines is ridiculous IMO. There are always humans who made decisions ultimately. And charging companies (not them) is just a "get out of jail and enjoy Hawaii" card for them.
After they cheated, they probably had the promotions, money, golden parachutes, and left the company after bleeding it out and hurting it anyway.
So why would you charge the company a second time? Why not them?
Because a key element of the American corporate/justice system is to avoid negative consequences for individuals with wealth and connections, so long as they "follow the rules" when harming the public for private profit?
Do establish in what way these fines are at all reasonable or appropriate. I don't think you know to what level this data loss is if you're being this reactionary.
That's the point, they shouldn't be "reasonable" nor "appropriate" for an entity as large and with as many resources as JPM. Surely with the 300k employees they have and the literal infinite well of money they have, there's a few competent individuals working there to prevent these sort of "mistakes" from happening, and if not then they should either find some competent people, or cease to exist.
What's reasonable about charging them 4 million? It's not even a drop in the bucket, it's a singular molecule of water getting inserted into the bucket if we're talking about JPM.
When it comes to companies like JPM that blatantly disregard the law constantly and are never given more than tiny little taps on the wrist, yes? If it were up to me we'd start rounding up every C-Suite we could, let's see how much longer they'll keep trying to get away with things like this after that.
Tell me, what exactly is reasonable or appropriate or fair about such a pittance of a fine for such blatant corruption? We're not talking about some random mom & pop shop, we're talking about the largest fucking bank in the States and arguably the entire world here. Someone in the thread already did some rough back-of-the-napkin math, this 4 million is a bit less than 20 minutes of income for them, in what universe is that a reasonable fine?
In a regulated industry, the regulator would absolutely issue fines and threats of license if gross incompetence led to them not upholding their regulatory duties... Well in some ideal world that would happen, but ha, not likely.
Instead they'll just have to have some 'extra' meetings with the regulator and report on their remediations later.
First of all: your current society has no chance at a future, AI overlords, mogul trillionaires, climate change and so on being the least currently concerning of your issues.
Nevertheless, one counter-intuitive policy which would end corporate control [1] (hence will never be implemented, again, no future for you) is supra-unitary taxation: effectively, tax rates above 100%, ensuring that the corporation has by default a lifetime (like a person they wish to be). Once the forever-in-debt corporation gets past a certain level of debt, it gets liquidated. Of course, corporations affected by this would have a certain scale (above $10 trillion, let's say) and a certain domain of activity (embedded AI, synthetic biology, nuclear fusion, asteroid mining, and similar).
Reminds me of the Dutch government who "accidentally" deleted confidential documents that were related to the formation of a new government. The process is under investigation, and the documents containing transcripts of conversations could be used as evidence against some political figures. This is even more remarkable, since government bodies are typically very sloppy if it comes to document retention.
Storage costs are an excellent reason as someone else said. Another reason is security, less data sitting around to be leaked, either accidentally or purposely, the better. Another reason is privacy, less data sitting around that can be used against you.
I was the records retention lead for a bank for a few years. Deletion projects are also conducted to reduce storage costs, but yes, ensuring that you’re not retaining unnecessary information that you could be subpoenaed on is a large factor as well.
Similar to that my provincial Conservative government and other Conservative governments in the region don't write down or type any meeting minutes. No notes nothing to give FOI requests. Dirty tricks!
Maybe Americans should be asking for the NSA's support in protecting the rights and freedoms of their country, and give Congress the backup they definitely made of all of JP Morgan's data ..
EDIT: it's amazing - not a mention of the fact that JPMorgan is under investigation for its relationship with Epstein ..
For sure. This is bad faith 101 from JPMC, and I don't really think they'll care if they get a slap on the wrist. 4 million dollar fine IIRC. The government's agencies that have this data should release it to the American public as a public service.
JPMC is no longer under investigation for Epstein - they paid a fine and that's that, sadly. Mr. Dimon doesn't want to testify again, because there's a high chance the Feds knew he was lying when he claimed in his first testimony that he had never heard of the guy and then claimed that he had no idea what Epstein was doing. Which if you follow the people involved, you know was a bold-faced lie. Yet JPMC will walk away unbothered, because they are untouchable.
Ah, you're right about that. I thought the 200-million odd settlement announced a few weeks back was the same thing. It's not.
Hope the USVI gets all they are asking for and then some. The way Dimon testified it's so obvious he knew what was up - I mean, he worked with Jes Staley for nearly a decade, and promoted him to the head of JPMC's investment bank. There's no way in hell a guy in such a position who has a personal client transacting billions of dollars with former and current heads of state (including multiple former or future US Presidents), Fortune 50 CEOs, famous academics and also was convicted of sex trafficking in 2006 can hide that all from his boss. I don't believe that for a second.
Indeed. Not only are these slaps on the wrist accounted for in initial estimations of the cost of doing business, but then they're just written off and ironically inconsequential. There needs to be real consequences.
Yes, supposedly a shelf fell and knocked the fire-suppression system out. I forget if that was the cause of the fire or simply the excuse for why the fire-suppression system didn't put the fire out and save the documents.
It was TD Ameritrade documents mostly it seems, but it was located close to a Citadel-owned building as well.
Everyone thinks it's malicious. I'm more likely to believe it was a poorly-trained IT person who thought they were in the test environment, or something along those lines.
Aggressively deleting all records the moment it’s legally allowed is the name of the game. Records are a real liability for banks so the moment they can go they’re gone.
Unless the fines become existential or the c-suite goes straight to jail this won’t change.
When I worked for an investment bank (over 2 decades ago), we wrote emails to a WORM storage device (I think from EMC) so it was literally impossible to accidentally delete emails without physically destroying the device (which was backed up to tape and replicated to an identical device on the other coast). We retrieved sample emails quarterly to prove the device was working.
>The vendor had apparently assured both JP Morgan and the Financial Industry Regulatory Authority (FINRA) on multiple occasions that its media storage complied with the relevant Exchange Act rules regarding the 36 month retention period, and therefore documents falling within that period were protected from deletion.
If this vendor screwed up this badly, why can't we know their name?
All enterprises have shitty IT. If you want this not to happen again, don't fine them, add a regulation. Regulations are literally the only thing that makes enterprises confirm that they've done something correctly. Only when an exec VP has their bonus or freedom threatened do they take shit seriously.
anyone gonna use AI to "do something about" top-level management of the SEC being an accessory to various crimes, or about corruption, money laundering and all that jazz? haven't read about a single startup, now that I think about it ...
It's likelier that they ran the numbers of such an "accident" and concluded that notwithstanding new fines and more paperwork it will end up being the cheaper alternative. They are after all bankers.
Why does it feel like general financial law and order has completely collapsed in the last few years, and that you can get away with pretty much anything with no real punishment?
Anyone know what the US law says about stuff like this?
Even if it was a genuine mistake, if anything legal came up, does a court need to accept that the evidence is gone and that the data was probably guilt-free? (getting some obstruction of justice vibes that I had in the US in 2019.......)
So UBI, unions and social safety nets are bad because they encourage people to be lazy and become dependent on handouts? But a company can lose millions of potentially legally damaging emails and pay a paltry fine that's a rounding error of its profits.
I wonder when democracy will arrive in America. Where people overpower concentrated wealth through overwhelming majority the way we did when we broke from England. Collectively voting to break up monopolies, tax the wealthy and imprison the corrupt.
I'm seeing ads on TV now for Vanguard and BlackRock, the companies perhaps most responsible for sending rents into the stratosphere and killing the dream of home ownership for millions of people. The American Dream.
Can we stop using accident to describe the haphazard and often disingenuous policies of multi billion $ international corporations as though they are freshmen writing a merge sort or something? It's not an accident when a company does it... it's a crime
When a law requires data to be retained for X time, risk-averse companies interpret this as an instruction to immediately delete said data as soon as time X passes, and use automated tools to this end. Sadly, these tools tend to be ad-hoc software written and maintained by internal teams, and thus about as buggy as you'd expect.
I've worked in such places, and - in addition to all the other issues - the continuous collective loss of corporate knowledge makes life pretty miserable.
Additionally it looks like they farmed out the project to a third party that was working with FINRA to ensure compliance, apparently that consulting agency failed at their task miserably.
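An added example, not code from the thread, JPMorgan or its vendor: a purge planner that re-checks retention itself and fails closed when a recipient domain has no retention rule, which is the gap the thread describes. The 36-month period is the one quoted above; every name, domain and message below is constructed.

```python
"""Fail-closed purge planner (added example; all names and data are constructed)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

RETENTION_MONTHS = 36  # the 36-month retention period quoted in the thread

# Refusal reasons, kept as constants so a dry-run report can group by them.
NO_RULE = "domain has no retention rule (fail closed)"
ON_HOLD = "mailbox under legal hold"
IN_WINDOW = "inside retention window"


@dataclass(frozen=True)
class Message:
    msg_id: str
    domain: str   # recipient domain the retention rule is keyed on
    mailbox: str
    sent: date


def months_before(d: date, months: int) -> date:
    """Date `months` calendar months before d.

    The day is clamped to 28, which can only move the cutoff earlier,
    so the clamp retains more data, never less.
    """
    idx = d.year * 12 + (d.month - 1) - months
    return date(idx // 12, idx % 12 + 1, min(d.day, 28))


def plan_purge(messages, requested_before, today, retention_domains, held_mailboxes):
    """Split a purge request into deletable ids and refusals with reasons.

    The job does not rely on the storage layer to reject protected
    records; it checks each message itself before anything is deleted.
    """
    cutoff = months_before(today, RETENTION_MONTHS)
    deletable, refused = [], {}
    for m in messages:
        if m.sent >= requested_before:
            continue  # not covered by this request at all
        if m.domain not in retention_domains:
            # Unknown domain: assume the rule was never configured.
            refused[m.msg_id] = NO_RULE
        elif m.mailbox in held_mailboxes:
            refused[m.msg_id] = ON_HOLD
        elif m.sent > cutoff:
            refused[m.msg_id] = IN_WINDOW
        else:
            deletable.append(m.msg_id)
    return deletable, refused


def summarize(refused):
    """Count refusals per reason for the dry-run report a human signs off."""
    return dict(Counter(refused.values()))


# Constructed sample: one legacy domain was never added to the rule set.
SAMPLE = [
    Message("m1", "example-bank.test", "alice", date(2014, 1, 10)),
    Message("m2", "example-bank.test", "alice", date(2017, 3, 5)),
    Message("m3", "legacy-brand.test", "carol", date(2017, 9, 1)),
    Message("m4", "example-bank.test", "bob", date(2013, 5, 1)),
    Message("m5", "example-bank.test", "alice", date(2018, 6, 15)),
]

if __name__ == "__main__":
    ok, no = plan_purge(SAMPLE, date(2018, 6, 1), date(2018, 6, 20),
                        {"example-bank.test"}, {"bob"})
    print("delete:", ok)
    print("refused:", summarize(no))
```

A non-empty refusal summary is the signal to stop and review the request before any delete runs, rather than discovering the gap later.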
big companies like JPM just don’t have the secret networks of bad actors at an administrative level to carry out nefarious activities like this without someone blowing the whistle.
We're in the early days of building this over at phaselab.co. We've been taking more of a data privacy angle, but the product helps folks operationalize all of their data lifecycle / governance tasks. There are some existing players who work with email/comms, but for internal technical systems & user data most orgs are rolling their own deletion pipelines.
I’ve been insinuating otherwise playfully in this thread.
But, it is unfortunately absolutely realistic that companies are throwing away data the moment they can justify it. Ironically, it’s not the ones we’d like to forget about us most.
Data retention is a liability as much as it is an asset, and it’s challenging regardless.
If you’re a large enough company you will eventually come to be frustrated by whatever policies you have (either they’re too conservative or too liberal). And understandably when you’ve been caught being shady enough, even an honest deletion will look shady.
This happened because JPMorgan is under investigation for its relationship with Jeffrey Epstein the person who invited wealthy scientists, politicians and businessmen to come to an island where he also raped kids.
It doesn't matter, anyone that even mentions it will eventually be relegated to the "her emails" camp and disregarded. Can never tell if I'm just getting older and taking more notice or the blatant corruption we seem to shrug off is actually growing (probably the prior).
The difference is that if you were to be held in contempt of court, your fine would probably be higher than something like 0.01% of your annual earnings.
>The difference is that if you were to be held in contempt of court, your fine would probably be higher than something like 0.01% of your annual earnings.
Fines are not based ad hoc on how much you're able to pay. They're standard and the enforcer can't make you pay more - that would be terrible.
> Fines are not based ad hoc on how much you're able to pay. They're standard and the enforcer can't make you pay more - that would be terrible.
In socialist dictatorships like…check notes… Finland and Switzerland, they are. Those countries are indeed notorious for being terrible places to live… /s
> Can you imagine a low wage earning getting away with stuff because they can't pay?
But somehow this is OK if that's rich people getting away with it…
(Sarcasm aside, nobody prevents the legislator from adding a floor to the fine, to avoid this exact issue, and unsurprisingly that's what the aforementioned countries do)