No matter what you think about Hillary Rodham Clinton’s past accomplishments and future potential, she has provided us with an example of bad behavior that can be a learning experience for all of us.
To remove the positive or negative association of Madam Secretary Clinton, I will use “Anne Chamberlain” as the name of a potential employee of your company. Anne held a very high position in your company for many years, with intimate access to your most sensitive proprietary and confidential information including product plans, marketing strategies, competitive analysis, and your internal decision making processes. After she resigned from your company, you find out that the entire time she held this high position she was using her personal email account for most of her business emails, both within your company and with customers, partners, and even competitors. She used her own personal servers under her own physical control to manage and handle that email account. The result is that you have no access to any of those emails she sent or received.
When your CSO (Chief Security Officer) approached Anne, she said it was more convenient for her to use her own smart phone and her own email account. Her final response was “What difference at this point does it make?”
It makes a big difference.
While your company does permit BYOD (Bring Your Own Device) for both personal and business purposes, you do have strict security and data life cycle management policies. Your Life Cycle Management policy covers the rules about the creation, update, storage and destruction of all corporate records, including emails. These policies protect your company by enabling it to quickly and accurately find information to meet compliance, tax and other governmental requirements, efficiently run your business, manage contractual obligations, and respond to court discovery orders. Since you have no record of Anne’s emails, either sent or received, you will not be able to include them in support of any such activity. Since Anne has refused to allow your IT department access to her personal servers, if a court ever found out that she was storing documents relevant to some court or government request on those servers, the court could confiscate and search the servers. Since Anne’s servers are probably not following your data life cycle management policies, there are likely emails on that server which should have been deleted and that may now be publicly exposed as a result of the court action.
You also have a concern about the security of Anne’s emails. You have seen some reports that surmise that her server was hacked, perhaps by a foreign cybercriminal group, and that some of her emails may have been sold to your competitors. Again because you have no access to her servers, you have no way to determine if they were hacked and what, if any, damage it may have caused. You do know that her servers were not maintained to the same security levels as your own email servers.
Anne has promised to give you all of her business-oriented emails. Since there are thousands of these emails, you are concerned about how long it will take her to complete what is to her a low priority task. Worse, she is deciding what is a business-oriented email. While she may get 95% of it right, she will likely miss some emails that may be critical to your company later. A court may decide that you failed to disclose some emails and your company, not Anne, will face the consequences of that.
What do you do?
You really can’t outlaw personal devices for business use. It won’t happen; your employees and contractors, and probably you too, are really dependent on smart phones and tablets. Providing a corporate device is expensive and, like Anne, most people do not want to carry two devices that perform the same functions. But you can require some fairly simple procedures:
- Require all business-related emails to be done on your corporate email account. It is really easy to set up a second email account on a smart phone or tablet. On my iPhone and iPad I have a personal email account, my own company’s account, and separate accounts for each company I am working with at any time.
- Require that your company’s email account have your approved email signature block on each outgoing email. Again, it is easy to set up a separate signature for each email account on a device, including logos and the “fine print.” If you have a very complex corporate signature block, your IT department can set up a single image for the majority of the signature area and provide simple instructions for the common smart phone environments. If nothing else, this provides a clear signal to the person writing the email that they have the correct email account.
- Require that all outgoing emails sent from a personal device on your corporate account are automatically forwarded (copied) to the employee’s corporate mailbox. This ensures that you have a copy of all of those sent emails. In general this also makes it easier for the employee; they don’t have some outgoing emails on their tablet, some on their desktop, and some on their smart phone.
- Require that all emails be deleted from personal devices after a relatively short period, probably thirty days. They are still available to the employee through your email server, but it is one less place you need to search for necessary documents and it reduces the possible loss if a personal device is lost or stolen.
- Update your security and life cycle management policies to include personal devices.
- Include a section on the importance of protecting and managing company data and your email policy in your new employee orientation, and as part of your annual training session on security and ethics.
- Why did no one notice and report Anne’s behavior? Everybody should be looking for internal emails that come from an employee’s personal account. The easy thing to notice is that the signature block is “Sent from my iPhone” instead of your corporate signature. It is also easy to note that the sending email is from Anne.Chamberlain@me.com.
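The last point is the one that can be automated. The following is an added example, not code from the original post: a small Python check that applies the two signals described above (a personal-provider sender address on mail addressed to corporate recipients, and a consumer-device default signature in place of the approved corporate block) to a batch of messages, plus a third check for corporate-domain senders whose mail lacks the approved block. The corporate domain `example.com`, the signature marker `Example Corp`, the list of personal mail providers, and the three sample messages are all constructed for illustration and would be replaced with your own values.

```python
"""Flag internal mail sent from personal accounts or without the corporate signature.

Added example for illustration; the domains, signature marker and sample
messages below are constructed, not taken from any real environment.
"""
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

CORPORATE_DOMAIN = "example.com"  # assumed corporate domain (placeholder)
# Consumer mail providers treated as "personal"; extend the set for your environment
PERSONAL_DOMAINS = {"me.com", "icloud.com", "gmail.com", "outlook.com", "yahoo.com"}
# Default device signatures that show the approved corporate block was not applied
DEVICE_SIGNATURES = ("Sent from my iPhone", "Sent from my iPad", "Sent from my Android")
# Text that the approved corporate signature block always contains (assumed)
CORPORATE_SIGNATURE_MARKER = "Example Corp"


def _domain(address):
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rpartition("@")[2].lower()


def _plain_body(msg):
    """Text of the first text/plain part, or '' if the message has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def check_message(raw):
    """Return the list of policy findings for one RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [addr for _, addr in getaddresses(headers)]
    body = _plain_body(msg)
    findings = []

    # Rule 1: business mail to corporate recipients from a personal account
    # (the Anne.Chamberlain@me.com case in the post)
    if _domain(sender) in PERSONAL_DOMAINS and any(
        _domain(r) == CORPORATE_DOMAIN for r in recipients
    ):
        findings.append("personal-account-sender")

    # Rule 2: a consumer-device default signature instead of the corporate block
    if any(sig in body for sig in DEVICE_SIGNATURES):
        findings.append("device-default-signature")

    # Rule 3: a corporate sender whose mail lacks the approved signature block
    if _domain(sender) == CORPORATE_DOMAIN and CORPORATE_SIGNATURE_MARKER not in body:
        findings.append("missing-corporate-signature")
    return findings


def scan(messages):
    """Map each flagged message's Subject to its findings; clean messages are omitted."""
    report = {}
    for raw in messages:
        found = check_message(raw)
        if found:
            subject = message_from_string(raw, policy=policy.default).get("Subject")
            report[str(subject or "(no subject)")] = found
    return report


# Constructed sample messages: one from a personal account with a device
# signature, one compliant corporate message, one corporate message sent
# from a tablet without the approved block.
SAMPLE_MESSAGES = [
    "From: Anne Chamberlain <anne.chamberlain@me.com>\n"
    "To: Bob Roberts <bob@example.com>\n"
    "Subject: Q3 product roadmap\n"
    "\n"
    "Bob, the revised roadmap is attached. Please keep it internal.\n"
    "\n"
    "Sent from my iPhone\n",
    "From: Anne Chamberlain <anne.chamberlain@example.com>\n"
    "To: bob@example.com\n"
    "Subject: Board deck comments\n"
    "\n"
    "Comments inline.\n"
    "--\n"
    "Anne Chamberlain | Example Corp | Confidential\n",
    "From: Bob Roberts <bob@example.com>\n"
    "To: customer@partner.example.net\n"
    "Cc: anne.chamberlain@example.com\n"
    "Subject: Re: delivery schedule\n"
    "\n"
    "Thanks, will do.\n"
    "\n"
    "Sent from my iPad\n",
]

if __name__ == "__main__":
    for subject, found in scan(SAMPLE_MESSAGES).items():
        print(f"{subject}: {', '.join(found)}")
```

In practice this would run over a journal or archive of the mail gateway rather than over strings in a list; the three rules are deliberately simple so that each finding corresponds directly to something a human reviewer can confirm by looking at the message.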
This stuff is, unfortunately, important. Email is one of the main vectors for cyber attacks. In today’s environment, most corporate communication is done through email. If you lose control of your email traffic you have lost control of your company.
The last word:
The US Federal Records Act at the time Madam Secretary Clinton served as Secretary of State did not categorically prohibit federal government officials from using personal email accounts. The Act applies to all federal agency employees who are not within the White House itself and requires the comprehensive documentation of the conduct of official business by regulating the creation, preservation and disposition of agency records. If an employee used her personal email account, she was required to forward that communication into her agency’s official records system. Secretary Clinton could have done that by having her personal device automatically forward all outgoing emails to her US DOS email account, and having her personal server forward all incoming emails to her US DOS email account. She did neither.
By coincidence, Anne Chamberlain was the name of the wife of Neville Chamberlain, Prime Minister of the United Kingdom from May 1937 to May 1940. Prime Minister Chamberlain’s reputation was largely damaged by negotiating with Adolf Hitler to sign the Munich Agreement, and by failing to prepare his country for war. The Munich Agreement permitted Nazi Germany’s annexation of portions of Czechoslovakia, although, strangely enough, the Czechoslovak government was not invited to the negotiations. The majority of inhabitants of these areas were German-speakers, so it is clearly logical that Germany should take over their control.
An argument someone else may be using today.
Keep your sense of humor.