While serving as U.S. Secretary of State, Clinton used a personal email account for both personal and business purposes. Her excuse? “I opted for convenience to use my personal email account. I thought it would be easier to carry one device for my work and personal email account,” she told reporters in March 2015.
U.S. record-keeping laws require government employees to preserve correspondence on departmental servers. Emails are government records and, as such, are supposed to be retained. United States National Archives and Records Administration rules are clear: “employees should not generally use personal email accounts to conduct official agency business.”
This is not a case of a senior civil servant occasionally reaching for a personal device. CNN reported that according to a senior state department official, “Hillary Clinton did not have a State Department email account while she served as America’s top diplomat … and instead used a personal email account during her four years on the job.”
It is naive to believe Clinton thought this was acceptable and that it went unnoticed by senior officials at the State Department and White House. It is more likely that Clinton decided not to follow the rules and nobody challenged her.
Clinton’s convenience argument does not hold water. It might be believable if she was using a popular cloud-based email service. But she wasn’t. She used an email server in her own home. Someone had to purchase, install, and maintain the hardware and software. It likely required a business Internet service; most ISPs do not allow home Internet users to run an SMTP server. Running an email server at home is expensive and anything but convenient.
There is a better explanation. As Secretary of State, Clinton was privy to intelligence information and most likely aware of email monitoring by U.S. and foreign governments. She certainly knew how easily U.S. government agencies can obtain access to data held by cloud providers and that State Department IT staff can access email traversing State Department servers. A more plausible explanation is that Clinton wanted to maintain physical control of her email system and archives.
Virtually every employer requires employees to use an assigned business email account for business purposes. Most employees would not even consider setting up an email server in their home and using it instead. But some politicians and executives believe that the rules simply do not apply to them.
There are many good reasons that everyone should keep their work and personal email separate:
- Executives set the tone for corporate culture. If they fail to abide by corporate policies, it sends a clear message to the rest of the organization that the policies are not important. Executives must lead by example.
- Organizations must manage records. In some circumstances, it is advisable to retain emails for a short period of time. Other organizations must retain emails for decades. Email record retention strategies require emails to be processed by corporate servers.
- In the event of legal action, using a personal email account for business could bring other personal emails into scope. For example, if investigators discover that the CEO routinely communicates from a personal email account, it is likely that they will seek access to the account.
- Inappropriate use of business email reflects poorly on the employer and may result in liability or disciplinary action.
Clinton was not the first, and she won’t be the last. Executives violating their own organization’s IT policies is surprisingly common. Hopefully the media exposure Clinton received will cause everyone to carefully consider the separation of email and state.
Have a security question you’d like answered in a future column? Email email@example.com.