The email has hit the fan. Revelations that Hillary Clinton used a private, non-government email account while she was Secretary of State ignited weeks of debates, controversies and investigations.
Critics questioned Clinton’s motives for creating a private email domain connected to a server in her home, calling it an overt effort to circumvent the State Department’s controls and saying she may have put national security at risk. Many added that acting as the arbiter of what is worthy of review and what can be defensibly deleted presents troubling questions for those who might one day benefit from access to those records.
Guest article by Greg Arnette, founder and CTO of Sonian
In a news conference, Clinton was adamant that she did nothing wrong and vigorously defended herself, saying she used her personal email account for convenience, that she never sent classified information and that she assumed that when she communicated with State Department staffers and foreign ambassadors that her mail was being archived “on that end.”
Most recently, the House Select Committee on Benghazi has formally requested that Clinton appear before May 1 to testify about the server and her email account. (Following a subpoena from the House, an examination of the server kept in Clinton’s Chappaqua home revealed there are no copies of any emails sent during her time as Secretary of State.) After her representatives determined which emails were government-related and which were private, a setting on the account was changed to retain only emails sent in the previous 60 days. The setting was recently altered after she provided printed records of emails to the government.
For many, it’s equally troubling that apparently there were no systemic monitors to identify and escalate the fact that Clinton’s official email account wasn’t being used. Politics aside, consider the business and technology implications of what happens when an employee “goes rogue” and chooses to forgo using a company email address. This would allow their business communications to fly under the radar, no longer subject to corporate monitoring, encryption, archiving or security measures. Audited compliance would be even more challenging.
In a twist that might give Kafka a chuckle, and on the cusp of the 50th anniversary of the Freedom of Information Act (FOIA), the White House, in an apparent response to the Hillary email scandal, has removed a regulation subjecting the Office of Administration to FOIA requirements. This is the very department charged with archiving emails. Even more ironic, this also occurred during “Sunshine Week,” a seven-day effort to promote open government and greater compliance with the Freedom of Information Act, the law that allows public access to federal documents with limited exceptions.
Executives everywhere should see this as a teaching moment and take precautions to protect their intellectual property. This email preservation story serves as a reminder that records retention requires organizations to be knowledgeable and proactive. In light of this, here are the top questions to ask yourself:
- Can we identify and prevent rogue behavior?
It’s time to be diligent in identifying rogue employees. Many of the behaviors that put data at risk are not deliberate or malicious. The only way to ensure that intellectual property is preserved for future investigations and audits is to compel all employees to comply with some data management best practices. However, willful employees can still ignore company policies, so the effort can’t stop there. Some archiving systems include alerting functions in which thresholds can be set and notifications created when, for instance, a primary mailbox isn’t sending any messages. There are also data loss prevention (DLP) applications which can prevent some types of messages from even being sent.
- Are we prepared for an audit?
Seems a simple enough question, but some organizations still don’t archive emails. If the data, discussions and documents embedded in corporate communications are “lost to history,” what liabilities does that create for the organization? You may not face a Congressional committee, but you might find yourself standing in court explaining why you can’t respond to a discovery request.
- Are our emails secure?
Companies will never be able to prevent employees from making their thoughts and feelings known over email. But the Sony email hack shows how damaging it can be when malicious parties surface those messages to the world. In Sony’s case, many of the leaked emails were nearly a year old. Moving older email off the messaging server into an archive that is out of reach of hackers can mitigate the risk of a PR nightmare, and prevent the loss of personal employee and customer information.
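The threshold alert described under the first question can be sketched as a check over an archive's journal of sent mail. This is an added example, not code from the article or from any archiving product; the `date,sender` journal format, the `corp.example` addresses and the 14-day window are assumptions, and the sample records are constructed.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample: one row per outbound message the archive journaled.
JOURNAL = """\
2015-02-03,bob@corp.example
2015-02-10,alice@corp.example
2015-02-20,bob@corp.example
not-a-date,dave@corp.example
2015-03-05,alice@corp.example
2015-03-12,Alice@corp.example
2015-03-13,contractor@partner.example
"""
# Hypothetical roster of primary mailboxes that are expected to send mail.
ROSTER = ["alice@corp.example", "bob@corp.example", "carol@corp.example"]
TODAY = date(2015, 3, 16)

def parse_journal(text):
    """Yield (date, sender) from 'YYYY-MM-DD,sender' rows; skip malformed rows."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 2:
            continue
        try:
            yield date.fromisoformat(parts[0]), parts[1].lower()
        except ValueError:
            continue

def silent_mailboxes(journal_text, roster, today, window_days=14, min_sent=1):
    """Return {mailbox: reason} for roster mailboxes under the send threshold."""
    window_start = today - timedelta(days=window_days)
    recent, earlier = Counter(), Counter()
    for day, sender in parse_journal(journal_text):
        if day > today:
            continue  # ignore rows dated in the future
        (recent if day > window_start else earlier)[sender] += 1
    alerts = {}
    for mailbox in sorted(m.lower() for m in roster):
        if recent[mailbox] >= min_sent:
            continue
        # An account with no history at all was never adopted; one with
        # history sent mail before the window and then stopped.
        alerts[mailbox] = "went-silent" if earlier[mailbox] else "never-used"
    return alerts

if __name__ == "__main__":
    for mailbox, reason in silent_mailboxes(JOURNAL, ROSTER, TODAY).items():
        print(f"ALERT {mailbox}: {reason}")
```

Separating "never-used" from "went-silent" matters for triage: the first is the case the article describes, where an official account was never adopted, while the second may simply be leave or a role change.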
As Clinton’s story continues to unfold, it’s time to ask the right questions and take precautions to protect your intellectual property.
For more on the topic of IT security, read the Aberdeen report Insider Threat: Three Activities to Worry About, Five Ways They’re Allowed to Happen – and What Enterprises Can Do About It.
Greg Arnette is the founder and CTO of Sonian, a pioneer in cloud-based email archiving. He has been a messaging, collaboration, Internet and networking expert for more than 15 years.