WOOF! Newsletter

April 08, 2015

Corporate Lessons from the Hillary Clinton Email Scandal

Hillary Clinton used personal email while Secretary of State, exposing her office to theft, spying and legal trouble. The same risks can affect your business if anyone in the office uses a personal email account for work purposes. Read about these risks, and 7 things you can do to prevent them.
As you've no doubt heard on the news, Hillary Clinton used a private email server for all of her electronic State Department communications during her 4 years as Secretary of State.

Selfishly, we’re kind of glad she did, because it’s a perfect chance for us to illustrate the dangers of using personal email for work.

If you think it’s no big deal, consider this:

Personal email accounts are wide open for theft, spying and legal trouble. They don’t have many of the protections afforded enterprise IT solutions in terms of security, backups, or archival/e-discovery.

That’s why the Clinton email scandal is not really a ‘scandal’. It’s a serious breach of national security, involving one of the most powerful and most targeted offices in the U.S. Government.

These risks extend to the corporate environment, too. Let’s look at the technical issues, and the lessons we can draw for protecting your company's email.

The Clinton Email Scandal: Short Version

On March 2, the New York Times reported that Hillary Clinton used a private email server residing in the Clintons' New York home for her work communications during her 4-year tenure as Secretary of State. Her stated reason was avoiding the “inconvenience of carrying two devices."

The NYT article created a flood of media attention & social media speculation. What was Hillary trying to hide? Why didn’t she use a .gov address like all the other Department heads and staff?

Since then, Clinton has defended her private email use, saying that she's cooperated with the State Department and the Benghazi Committee. She says she turned over 30,490 work-related emails to the State Department, and deleted 31,830 emails deemed personal.

Why is This So Bad? Personal Email Has Inadequate Backups & Security, and Calls Your Motives Into Question

"For the most part people don't use personal e-mail for work if they're being above board,"
Robert Douglas, Quoted by CNN Money, 3-3-2015.

Suspicion: By merely setting up the email server, Clinton undermined her own position as Secretary of State. Doing so creates a cloud of suspicion around all of her communications—one she’s now fighting.

Poor IT Security: A personal email server is not covered by enterprise-grade data backup, archiving, and network security. It’s outside the reach of IT governance—not to mention Freedom of Information Act (FOIA) disclosure requirements. IT experts have already determined that the security on the server was not properly set up and could easily be hacked.

In fact it was, by a Romanian hacker calling himself "Guccifer" (real name Marcel Lazăr Lehel). Using only a computer, cellphone, Internet connection and persistence, Lazăr launched scores of attacks against public figures like Hillary. He distributed many of her emails regarding the Benghazi attack in 2013.

"Guccifer" was only an amateur though, and is now in jail for his hacking efforts. If an amateur could steal data from the Clinton email server…imagine what the professionals found without leaving a trace behind.

Easy Target: Hillary’s sensitive diplomatic activity & the server’s poor security made her an easy target for data theft by hackers, and by foreign countries hunting for intelligence data. Former head of the Defense Intelligence Agency Lt. Gen. Michael Flynn, said that the chances Hillary Clinton's private emails were hacked is "very high."

The same is true for employees using personal email accounts like Gmail or AOL for work—easy targets.

Fox Guarding the Henhouse: Hillary deleted 30,000 emails from her server that she determined to be "not work related". Such a power should not be within an employee’s or diplomat’s discretion. In the private sector, when a discovery request is submitted, a legal hold is placed on all email accounts until the accounts are reviewed by authorized parties.

Operating Outside of IT Governance: No diplomat, C-level executive or employee should be operating outside of a company’s IT governance. Company intellectual property belongs on the company's servers under their control. Ultimately, the company is responsible for acts you commit while in their employ, which is what led to the Sarbanes-Oxley Act. Hillary was well aware of this when her State Department sent staff a cable in March 2011 underscoring the need to avoid personal email for work.

The Problem: Federal Records Law Requires Email Preservation

Some reporters & commenters claim Mrs. Clinton explicitly violated federal law by conducting government business through a personal email account.

If she were still the Secretary of State, this would be true. The U.S. Government currently requires all official email be subject to preservation/discovery. However, while Mrs. Clinton was Secretary of State (2008-2012), there was no explicit requirement for conducting all government business through government-monitored email. (It was clarified later on, in 2013 and 2014.)

So technically speaking, she did not violate federal law in this respect. What Clinton DID do was circumvent rules concerning federal records management.

The State Department requires government emails be kept for records purposes.
  1. From the State Department Foreign Affairs Manual: "All employees must be aware that some of the variety of the messages being exchanged on E-mail are important to the Department and must be preserved; such messages are considered Federal records under the law."
  2. What kinds of emails?  "Records that document the formulation and execution of basic policies and decisions and the taking of necessary actions; records that document important meetings; records that facilitate action by agency officials and their successors in office."

What IT Can Do to Control the Use of Personal Email Accounts for Work

In a business setting, maintaining secure email is partly a matter of IT administration and partly of company policy. Here are 7 recommendations on both policies and IT actions to stop anyone using personal email for work.
  1. Issue every employee a domain-based email address on their first day of work, instruct them to use it, and notify them of the secure email policy.
  2. Create an internal IT policy – Any employee receiving a work email from another employee using a personal email address must report the employee to HR.
  3. Notify employees that any personal email accounts used for company business may be subject to discovery.
  4. Prohibit IT from setting up contact addresses (emails to an employee’s domain email address which are forwarded to a personal email account, but do not leave an archive on the corporate mail server).
  5. Implement a content filter, like Websense. If employees are going to Gmail.com all day, they may be using personal email for work. Block Gmail, Yahoo, AOL, etc. using the content filter so employees can’t access webmail from inside the company network.
  6. Directors of Departments get quarterly automated reports from IT, showing employees’ mailbox sizes & their net changes. Hmmm, Bob Smith’s mailbox hasn’t gotten bigger in 3 months…
  7. Use enterprise email solutions with e-Discovery capability, like Exchange Server 2013.

What's e-Discovery? It’s a feature in Exchange Server 2013 & Exchange Online. It allows the Exchange administrator to perform discovery searches for relevant content within mailboxes.
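Two of the recommendations above (2 and 6) can be turned into automated checks rather than relying on employees to notice and report. The script below is an added example, not from the newsletter or any product it names: the corporate domain, employee directory, gateway log format and mailbox snapshots are all constructed for illustration, and the display-name match is a heuristic that produces leads for HR review, not proof of misuse.

```python
"""Added example: automate recommendations 2 and 6 above. All data is constructed."""
import re

# Constructed: corporate domain, employee directory, and the webmail
# domains the newsletter names (Gmail, Yahoo, AOL).
CORP_DOMAIN = "example.com"
EMPLOYEES = {"bob.smith": "Bob Smith", "ann.lee": "Ann Lee"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "aol.com"}

# Constructed mail-gateway log lines (format assumed for this example).
GATEWAY_LOG = """\
from=<bob.smith@example.com> name="Bob Smith" to=<ann.lee@example.com>
from=<bsmith1979@gmail.com> name="Bob Smith" to=<ann.lee@example.com>
from=<newsletter@vendor.example> name="Vendor" to=<ann.lee@example.com>
from=<annlee@aol.com> name="Ann Lee" to=<bob.smith@example.com>
"""
LINE_RE = re.compile(r'from=<([^>]+)> name="([^"]*)" to=<([^>]+)>')


def flag_personal_senders(log):
    """Recommendation 2: return (sender, recipient) pairs where a known
    employee appears to mail a colleague from a personal webmail address."""
    hits = []
    names = set(EMPLOYEES.values())
    for m in LINE_RE.finditer(log):
        sender, name, rcpt = m.groups()
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if (sender_domain in PERSONAL_DOMAINS and name in names
                and rcpt.lower().endswith("@" + CORP_DOMAIN)):
            hits.append((sender, rcpt))
    return hits


def stale_mailboxes(previous, current, min_growth_bytes=1):
    """Recommendation 6: return users whose mailbox did not grow between two
    quarterly size snapshots ({user: bytes}). A user missing from the earlier
    snapshot is treated as starting from zero."""
    return sorted(u for u in current
                  if current[u] - previous.get(u, 0) < min_growth_bytes)


# Constructed snapshots, three months apart, sizes in bytes.
Q1 = {"bob.smith": 4_200_000_000, "ann.lee": 1_900_000_000}
Q2 = {"bob.smith": 4_200_000_000, "ann.lee": 2_300_000_000}

if __name__ == "__main__":
    print("Personal-address senders:", flag_personal_senders(GATEWAY_LOG))
    print("Mailboxes with no growth:", stale_mailboxes(Q1, Q2))
```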

This helps an organization fulfill legal search & discovery requirements--a critical obligation for which all U.S. businesses must prepare.

In-Place e-Discovery (Overview & Details) - Microsoft TechNet

Personal email accounts not located on an Exchange Server are outside of e-Discovery searches and unreachable for search & discovery. But that doesn't excuse the business from liability related to those emails.

If legally relevant information is stored there and you cannot reach it, YOU are in violation of the law.

Mrs. Clinton’s actions flout e-Discovery protections like these, which illustrates the threat to any organization allowing employees to use personal email: a business, a nonprofit, or the U.S. Government.

If you don’t control the email account, your business has a security hole. And it’s a risk for which you are legally liable!

Note: Products like Gmail and Google for corporate email do not support discovery and do not archive email when deleted by an employee.

The Story Continues for Hillary. What About Your Business?

Whether you have something to hide or not, using personal email for work raises suspicions.

Mrs. Clinton turned over 30,000+ emails, yes. But now Rep. Trey Gowdy, head of the committee investigating the Benghazi attacks, has requested she turn over the entire email server for scrutiny by a third party. As of March 27, Politico.com reports that Mrs. Clinton already wiped the email server "clean".

It doesn’t mean all data on the hard drive is totally gone...but it makes verifying that she did turn over all relevant emails much more difficult.

Imagine if an employee deleted their personal email account, after copying your intellectual property! You might never know. Until a competitor pops up with a product suspiciously similar to yours...

Do you allow any employees to use personal email for work? If so, we advise changing your policy immediately. It's unsafe for legal purposes and exposes your business to too many dangers.

Related Articles:
"The Dangers of Using Personal Email for Work" – WOOF! (September 2013)
Hey Hillary, Most of Us Can’t Use Personal Email for Work – CNN Money (March 3, 2015)