Federal technology team at the Securities and Exchange Commission unintentionally erased a year's worth of messages from the former chairman's smartphone.

The Office of Inspector General (OIG) has published a review detailing the erasure of text messages from Gary Gensler's government-issued phone, highlighting inadequacies that impacted the report's reliability and usefulness.

The trouble started on July 6, 2023, when Gensler's phone lost its connection with the Securities and Exchange Commission's (SEC) mobile device management system. On Aug. 10, 2023, the SEC's Office of Information Technology (OIT) launched a policy to remotely wipe any SEC-issued mobile devices that hadn't linked with the device management system for 45 days or more. When Gensler noticed his SEC apps were gone on Sept. 6, 2023, the OIT performed a factory reset of his phone, resulting in the permanent deletion of his data, including text messages.

The text messages in question were sent and received between October 2022 and September 2023. Some of the recovered text messages included discussions about an enforcement action against a crypto platform, a possible settlement with a global financial services firm, and the appointment of a new commissioner. Approximately 38% of the recovered text messages were "mission related and concerned matters directly involving SEC senior staff and/or Commissioners at the time," making them records.

The OIG could not review the missing text messages to definitively determine their status as records, but surmised that many, if not most, would be records based on their review of the recovered text messages. The incident cost the agency more than $50,000.

The OIG's review also criticised the SEC's IT office for poor change management with regard to the wiping policy, not properly maintaining its mobile device inventory, and not effectively reviewing and escalating relevant system-generated notifications. The responsibility for reviewing and improving the faulty actions regarding the management of SEC employees' mobile phones lies within the SEC or a designated cybersecurity and compliance office tasked with IT governance and security.

The SEC concurred with all five of the OIG's recommendations aimed at better mobile device management practices and pledged to complete the tasks within the next six months. The unrecoverable text messages could impact the SEC's responses to some Freedom of Information Act requests.

This policy was based on the assumption that such devices were not in use, potentially lost or stolen, and could no longer connect to the SEC's network. Had OIT or Gensler known that his phone had been wiped due to the new policy, the messages could have been recovered. The SEC's mobile device vendor knew of a 'bug' in prior versions of its operating system that could break the connection between a mobile device and a mobile device management system, which could be a possible culprit of Gensler's initial phone troubles.

In conclusion, the loss of nearly a year's worth of text messages from Gary Gensler's government-issued phone has raised concerns about the SEC's mobile device management practices and their impact on the agency's operations and transparency. The SEC has acknowledged the issues and has pledged to improve its mobile device management practices in the coming months.

Federal technology team at the Securities and Exchange Commission unintentionally erased a year's worth of messages from the former chairman's smartphone.