Ask a RIM Law Expert by John Isaza

This is part of a syndicated column that John Isaza has created for ARMA chapters. The column is devoted to answering information governance, records management, privacy and related legal questions from Chapter Members, or to sharing his thoughts on current hot topics. As you read this column, please note that although Isaza is an attorney specializing in these areas of law, these are only his opinions. Isaza’s opinions should not be construed as legal advice. Kindly consult with an attorney for more formal advice.

For this column, I am revisiting Hillary Clinton’s Email-Gate, as the plot has continued to thicken over the management of her email accounts while she was Secretary of State. As I reported to national news media outlets last March, the act of commingling personal and official email is something that may dog her campaign. As predicted, recent reports now reveal that she may have destroyed several emails that could have been relevant to the Benghazi affair, arguing that they were personal in nature and not relevant to the investigation.

Could Mrs. Clinton go to jail for destruction of emails?

Even if there were NO relevant emails among the ones she ordered destroyed, the appearance of impropriety alone is a problem. Beyond that, there is a pending Federal investigation of the Benghazi affair, which brings to the forefront the sanctions enacted under Sarbanes-Oxley for the knowing destruction of information relevant to a pending Federal investigation. Should her opponents ever raise the issue, and the courts ever choose to entertain it, Mrs. Clinton could be facing jail time or millions in sanctions under the little-used 18 USC Section 1519 (Destruction, alteration, or falsification of records in Federal investigations and bankruptcy), which states:

“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”

Fines could be in the millions, and the specter of 20 years in jail is nothing to sneeze at. The question thus becomes: to what extent can you destroy information when you know it is not relevant to the investigation? Should you instead preserve the information to avoid the appearance of impropriety, as is now dogging Mrs. Clinton?

Mrs. Clinton chose to delete the “personal emails,” and I suspect she hopes that the public and the courts will forgive her. She basically applied the old adage “don’t ask for permission; ask for forgiveness.” In an MSNBC interview on September 4, that is pretty much what she said:

“At the end of the day I am sorry that this has been confusing to people and has raised a lot of questions but there are answers to all these questions… I should have had two accounts, one for personal and one for work-related.”

Mrs. Clinton argues she did nothing wrong, which could be the case, as best practices have evolved tremendously during the past couple of years, after she left her post. She argues that “It was allowed and it was fully above board. The people in the government knew that I was using a personal account.”

Ultimately these are risk-based decisions that organizations with multiple legal holds have to make on a daily basis. One question to ponder is whether the organization can delete, say, disaster recovery tapes, even if there is pending or threatened litigation. To that question I would simply ask, “How sure are you that the disaster recovery tapes were purely for disaster recovery, and not your de facto records management system?”

With the above as a backdrop, following are some additional related questions that I have fielded over the past few months.

What are some best practices in encouraging — or compelling — the deletion of old emails? 

All these issues go to the core tension between records retention and the need to dispose of expired data. If the information exists, it is discoverable whenever it is relevant to the subject matter of a lawsuit or investigation, including litigation that is merely anticipated or reasonably foreseeable. Therefore, it behooves the organization to dispose of needless emails and data before litigation or an investigation hits or becomes credibly probable.

If the organization has a retention schedule, and the “record” has expired, then it should be disposed of immediately in accordance with the retention policy, unless of course the expired record is subject to a legal hold at the time. Otherwise, the organization exposes itself to liability and to the discovery of emails that could be read out of context. The real trick for organizations is to determine which emails are a “record” that must be retained per the policy, versus all other non-record data that can be disposed of at any time as long as it is not subject to a legal hold.[1]

Are there any cyber security repercussions for commingling personal and work accounts?

Attempted breaches of mobile devices are on the rise, especially considering that most mobile devices have email accounts configured on them. In the first quarter of 2012, for instance, McAfee Labs recorded over 8,000 mobile malware strains, the vast majority of them targeting Android. This was a 400% increase over the previous year.[2] Against this backdrop, the seriousness of a potential breach is palpable, especially in the case of a head of state or corporate officer reading personal email on a mobile device: a personal account will typically have weaker protections (in transit and at rest, and in authentication and monitoring) than an official state business account, and once business content has been sent to it, that content inherits the weaker protections.

If one account in the State Department is hacked, would it put all the people at the State Department using the server at risk?

Not necessarily. The security risk depends on the nature of the compromise: what was targeted, how far it reached, what content was accessed, and so on. In the instance of Hillary Clinton’s private emails, for example, if her personal email account were hacked, the chance of that event putting the entire State Department at risk would be nominal, if any. Hacking into her email account does not necessarily mean access to her complete rolodex of contacts, though it would be damaging nevertheless to the extent any of her contacts could be discerned from the account; a common follow-on is phishing of those contacts from, or in the name of, the compromised mailbox. How far the compromise reached would depend on how the account was configured, and on what kind of integration it had with other devices and services such as her laptop, office computer, iPad, and cloud-based servers, if they were in play.

Is there any self-reporting in case something goes wrong (such as a hacked account)? 

Depending on the industry of the organization, a hacking incident may be subject to notification requirements to government authorities, business partners and customers. Basically, any organization housing Personally Identifiable Information (PII) could be subject to disclosure requirements, and by extension so could the individuals within that organization. Obviously, if you are in the healthcare sector, for instance, a data breach is a serious event that triggers all kinds of regulatory scrutiny. At the opposite end of the spectrum, even if you are not in a highly regulated PII environment, all breaches need to be vetted. As for the individuals within the company, the BYOD policy should include language requiring notification in the event of a breach, including a possible hotline depending on the size and industry of the organization.

How can an organization find out if an executive is using personal email accounts for business? Is it typically after something goes wrong (like a lost laptop or a compromised password)?

Typically this is discovered during routine audits. However, audits may be infrequent, or recommendations from audits may be ignored. Therefore, for some organizations it takes an embarrassing event to bring attention to the issue. At its core, the biggest problem arises with the ever-increasing use of personal devices in the workplace, such as mobile devices, or alternatively with employees logging into work from their home computers or laptops.

The issue of BYOD (“Bring Your Own Device”) at work has been on the radar of most large organizations for the last three to five years. Organizations are definitely trying to set policies around BYOD, but they are succeeding only to varying degrees. Presumably, the BYOD policy will stress that personal email accounts are never to be used for company business. Unfortunately, in practice this can be a challenge. When a device has multiple accounts attached to it, one can easily foresee the user erroneously sending a work-related email from a personal account. Once that happens, the recipients may reply to all, and the stage is set for a breach of the BYOD protocol.
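The audit mentioned above is usually run against the mail gateway’s logs, because that is where both halves of the problem are visible: business mail arriving from a personal account, and business mail leaving the corporate domain for one. The script below is an added example for this column, not part of the original text and not tied to any product; the log format, the employee directory, the list of consumer webmail domains and the sample log lines are all constructed for illustration. It flags three patterns: an inbound message from a consumer domain whose display name matches an employee in the directory; a colleague replying to that personal address (the “reply to all” scenario); and an employee sending corporate mail to a consumer address that looks like their own name, which is how forwarding to a personal account usually shows up.

```python
"""Audit mail-gateway logs for business conducted over personal email.

Added example; not part of the column and not any vendor's code. The log
format, employee directory, personal-domain list and sample lines are all
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Consumer webmail domains treated as "personal" (constructed list).
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "icloud.com", "aol.com"}

# Corporate directory: corporate address -> display name (constructed).
DIRECTORY = {
    "jdoe@example.com": "Jane Doe",
    "rroe@example.com": "Richard Roe",
}

# Constructed gateway log lines in a simple key=value format.
SAMPLE_LOG = """\
ts=2015-09-10T08:01:12Z dir=in from="Jane Doe <janedoe77@gmail.com>" to=rroe@example.com subj="Q3 board deck - draft"
ts=2015-09-10T08:05:40Z dir=out from="Richard Roe <rroe@example.com>" to=janedoe77@gmail.com subj="RE: Q3 board deck - draft"
ts=2015-09-10T09:12:03Z dir=out from="Jane Doe <jdoe@example.com>" to=jane.doe@icloud.com subj="FW: vendor contract"
ts=2015-09-10T09:30:55Z dir=in from="Newsletter <news@vendor.example>" to=jdoe@example.com subj="October promotions"
ts=2015-09-10T10:02:17Z dir=out from="Richard Roe <rroe@example.com>" to=partner@law.example subj="Engagement letter"
"""

LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) dir=(?P<dir>in|out) from="(?P<from>[^"]*)" '
    r'to=(?P<to>\S+) subj="(?P<subj>[^"]*)"'
)
# Matches "Display Name <user@host>" or a bare "user@host".
ADDR_RE = re.compile(r"^(?:(?P<name>.*?)\s*<)?(?P<addr>[^<>\s]+@[^<>\s]+)>?$")


@dataclass
class Finding:
    ts: str
    kind: str           # which pattern fired
    employee: str       # corporate address of the employee involved
    personal_addr: str  # the personal account on the other side
    subj: str


def _letters(s: str) -> str:
    """Lower-case and keep only a-z, so 'Jane.Doe_77' compares like 'janedoe'."""
    return re.sub(r"[^a-z]", "", s.lower())


def parse_addr(field: str):
    """Split 'Name <addr>' into (name, addr); addr is lower-cased."""
    m = ADDR_RE.match(field.strip())
    if not m:
        raise ValueError(f"unparseable address field: {field!r}")
    return (m.group("name") or "").strip(), m.group("addr").lower()


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1]


def looks_like_own_account(display_name: str, personal_addr: str) -> bool:
    """Heuristic: does the local part of a personal address resemble the
    employee's own name? Surnames shorter than four letters only count as
    part of the full name, to limit false positives on names like 'Roe'."""
    local = _letters(personal_addr.split("@", 1)[0])
    parts = display_name.split()
    compact = _letters(display_name)
    surname = _letters(parts[-1]) if parts else ""
    if not compact:
        return False
    return compact in local or (len(surname) >= 4 and surname in local)


def audit(log_text: str):
    """Return a Finding per suspicious line, in log order."""
    by_name = {name.lower(): corp for corp, name in DIRECTORY.items()}
    seen_personal = {}  # personal address -> employee it was attributed to
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real audit would count these too
        ts, subj = m.group("ts"), m.group("subj")
        name, sender = parse_addr(m.group("from"))
        _, rcpt = parse_addr(m.group("to"))
        if m.group("dir") == "in":
            # Pattern 1: an employee's name on mail from a consumer domain.
            emp = by_name.get(name.lower())
            if emp and domain(sender) in PERSONAL_DOMAINS:
                seen_personal[sender] = emp
                findings.append(Finding(ts, "inbound_from_personal", emp, sender, subj))
        else:
            if sender not in DIRECTORY or domain(rcpt) not in PERSONAL_DOMAINS:
                continue
            if rcpt in seen_personal:
                # Pattern 2: colleague replies to the personal address.
                findings.append(Finding(ts, "business_mail_to_personal", sender, rcpt, subj))
            elif looks_like_own_account(DIRECTORY[sender], rcpt):
                # Pattern 3: employee mails their own personal account.
                findings.append(Finding(ts, "outbound_to_own_personal", sender, rcpt, subj))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.kind:27} {f.employee} <-> {f.personal_addr}  [{f.subj}]")
```

On the constructed sample this yields three findings (lines one to three) and leaves the newsletter and the mail to outside counsel alone. The name heuristic is deliberately conservative; in practice the richest signal is pattern 2, because colleagues replying to a personal address is exactly the “reply to all” failure the answer above describes, and it needs no guessing about whose account the address is.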

What are some good tips for a company to prevent use of personal emails or applications for business purposes? 

This goes to the five core sections of the BYOD policy, and the related procedures and guidelines. The key areas to cover include:

1) guidance on acceptable uses of personal devices to transact official business, including instructions on distinguishing personal email account usage from official business accounts;
2) a list of the types of sanctioned devices (e.g., iPad, BlackBerry, iPhone, etc.) and the rules of engagement with IT;
3) logistics, such as whether the company will reimburse for usage of the personal device;
4) a security section that addresses encryption and other features that must be enabled to protect the data in the event of a loss or breach (for example, a device passcode and remote wipe);
5) a section on risks, liabilities and disclaimers to help protect the organization against employee misuse of the device.

Armed with the BYOD policy, other organizational documents (e.g., Password, Cloud Computing or Social Networking policies) can get into the specifics of training on the policy and auditing it for compliance, as well as the frequency of both.

Who is at fault for user violation of email protocols?

Ultimately, progress and the competition to stay on top of it are at fault. The adoption of technology has far outpaced the ability of organizations to keep up with it, including the State Department or any others in the government or private sector. Consumers and customers demand the immediacy facilitated by technology, so people, processes and procedures take a back seat to adoption. In the ideal scenario, before any organization rolls out or permits any new technology (e.g., BlackBerrys, email tools, social media, content management, etc.), it needs to vet its change management (i.e., a controlled rollout that ensures proper user adoption and compliance), including its ability to audit and monitor compliance. In today’s fast-paced world, however, the audit and monitoring part of the process is constantly a work in progress. Those looking for “fault” should look to those who do not learn from their experiences: in those instances, those in charge of rolling out the program are at fault for not paying attention to system failures.

All that said, a corporate leader confronted with a systemic policy failure, coupled with high-level (customer) demands to keep up with technology, faces a losing battle. The key is to strike a balance between controls and business needs. Few organizations have figured this out, so, unfortunately for the State Department, this episode could be a catalyst for more attention devoted to the change management and processes involved before the adoption of technology.

John Isaza is a California-based attorney, CEO of Information Governance Solutions, LLC and a law Partner at RIMON, PC, a twenty-first century law firm with a specialty in electronic information governance, records management and overall corporate compliance. He may be reached at John.Isaza@InfoGovSolutions.com or John.Isaza@RimonLaw.com. You can also follow him on Twitter and LinkedIn.



[1] See generally Isaza, J. and Jablonski, J., 7 Steps for Legal Holds of ESI (ARMA 2009).

[2] Visage Mobile, “Lighting the Path to Successful BYOD Programs,” White Paper (2012).