The recent revelation that Hillary Clinton did not use an official government email address during her four years as Secretary of State teaches us important lessons about having a sound business email policy.
The intersection of business email policy and information security was brought to the forefront recently, when during a House Committee investigation into the attack on the American Consulate in Benghazi, it was discovered that former US Secretary of State Hillary Rodham Clinton used her personal email account for government business correspondence.
Rather than using an official state department email account, Clinton sent email messages from a personal account during her four years as US Secretary of State. Making her case even more interesting is the fact that she did not use a commercial email platform like Gmail or Yahoo, but, according to TechTarget, used her “own domain on a personal server, believed to be housed at or near the Clinton family residence in Chappaqua, New York.”
The issue for most businesses is not their employees using a personal email server like Clinton did, but rather using a commercial platform like Gmail, Yahoo, Verizon or Comcast for work-related correspondence on personal accounts.
When employees use personal email accounts for work-related correspondence, it takes control of the information away from the business and leaves it vulnerable to security breaches. It also means that the company does not have the ability to retain copies of the correspondence, something that is often required by industry regulations. When it comes to a business email policy, the two driving forces behind it are compliance and security.
One of the biggest concerns with Clinton’s use of personal email was information security. As the Secretary of State, her correspondence likely involved sensitive information. While she claimed there were no security breaches on her email server, if employees are using personal email to relay sensitive information, then the business is at the mercy of each employee’s personal email provider to apply the proper security measures.
Michael Young, IT Security Engineer at Miles Technologies, says that one of the main driving forces behind a company email policy is to help mitigate some of the risks associated with using a personal account. “By bypassing corporate email and corresponding through personal accounts, employees are placing both themselves and the organization at significant risk,” he says. “Intentional or not, it creates a serious lapse in accountability that can lead to big problems.”
The other main concern with Clinton’s personal email account usage was compliance with the Federal Records Act. In 2014—after Clinton’s tenure as secretary of state had already ended—an amendment to the act was signed banning the use of personal email accounts for government correspondence. According to experts, the previous language of the amendment did not explicitly ban this, which is why Clinton may not face legal ramifications.
Recently, the State Department increased its effort to abide by federal record-keeping practices, and, according to the New York Times, “Mrs. Clinton’s advisers reviewed tens of thousands of pages of her personal emails and decided which ones to turn over to the State Department. All told, 55,000 pages of emails were given to the department.”
While different industries have their own regulations and requirements, in order to maintain compliance, many businesses must keep all email correspondence archived and stored in case it is needed. For example, e-discovery (“any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case”) may require a business to provide records of correspondence as part of a legal investigation.
If individuals are corresponding via their personal email accounts, their company cannot control whether those messages are being properly backed up and archived. Not only are backups pertinent for compliance purposes, but they can also protect your company if you are hit by a virus or ransomware like Cryptowall 2.0. If you do not have backups for recovery purposes, then you cannot recover from such attacks.
Security and Convenience
So why did Clinton decide to use her personal email account for government correspondence? According to her, it was a matter of convenience. “I thought it would be easier to carry just one device for my work and my personal emails instead of two,” Clinton said in a recent press conference to address the situation.
Whether you are the secretary of state or an employee of a local small business, you want to be able to do your job productively even if you are outside of the office. Security vs. convenience is always an area businesses have to balance, and when it comes to mobilizing a workforce, areas like mobile device management and data loss prevention become important concerns. Should your email policy strictly forbid usage of personal email in all scenarios, it is imperative that your employees can easily access your corporate email from anywhere so they are not tempted to use personal emails because of convenience. Almost all mobile phones can be configured to allow access to both personal and business email accounts.
Companies invest in their business e-mail infrastructure to keep their communications safe and secure, but those investments will be wasted if users are not abiding by the policies. If your company does not have a clear-cut policy for email usage, take action to develop one and share it with your employees.
If your existing policy is unclear or ambiguous, or your employees simply do not know about it, take the time to educate them. Going forward, make sure a discussion of the email policy is highlighted as a part of your new employee onboarding process so all employees are aware of it. Your employees could be violating a policy or putting your company at risk without even knowing it. Don’t let that come back to bite you.
What are your experiences with a business e-mail policy? Do you have one in place? If so, what are some of the challenges involved with enforcing it? Share your thoughts with us in the comments below.