Clinton's shadow IT would not have passed private sector muster

05.03.2015
There are many questions regarding former Secretary of State Hillary Clinton's use of her private email to conduct official business. A leading one is whether the department's IT managers did anything to question or stop it.

Clinton, who was secretary of state under President Obama from 2009 to 2013, used her personal email account with its own domain, clintonemail.com, to conduct official correspondence. The State Department contends there was no prohibition on using a non-state.gov account for official business as long as the emails were preserved. Clinton was following what had been the practice of previous secretaries, the agency said, noting that Secretary of State John Kerry is the first to rely primarily on a state.gov account.

Clinton's ability to routinely use a private email account for official business is not a practice that is sanctioned in the private sector.

"It is the rare company that would endorse their employees using personal email accounts to conduct business," said Jackie Ford, an employment law and privacy attorney at Vorys, Sater, Seymour and Pease LLP. "Most have policies specifically prohibiting that," she said.

These emails are records that may be subject to document retention requirements and subject to discovery in litigation, Ford said. Employees may believe they are being clever in circumventing email policies, but as Clinton illustrates, "most of the time this is going to backfire."

Government policies recognize that sometimes business will be conducted through a personal email account, and when this happens a copy should be sent to an official account to preserve the record. But Clinton appears to have used a private account for most of her official business, and when asked by the State Department for her records, she provided some 55,000 pages.

There was no immediate answer from the State Department as to whether its CIO, or anyone in IT security, raised concerns about Clinton's practices. A former State Department CIO during part of Clinton's tenure, Susan Swart, who is now in a similar post at the International Monetary Fund, deferred questions to the State Department.

Even if the department's IT managers raised questions about Clinton's email practices, or were even aware of them, they may have been powerless to stop them.

"The private sector uses private emails on a regular basis for work," said Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security.

"I see it most frequently in sales, where the salesperson intends to take their contacts, customers and leads to the next job," he said.

What these workers want is "portability," Hansen said. "Many people don't trust their employer not to read their email, and they don't trust the email to be available to them after they depart the company."

The use of private email for business is "rarely sanctioned but it's commonly tolerated," Hansen said.

One reason IT managers might tolerate private accounts is the conflict between information security and business alignment, according to Leon Kappelman, an information systems professor at the University of North Texas.

By allowing, or not preventing, the practice of BYOD, or bring your own device, and shadow IT (another name for what Clinton was doing), IT managers are not seen as people who always say "no," Kappelman said.

Shadow IT may be a big security risk, but some IT managers "think it's worth the tradeoff because it makes the customer happier," said Kappelman.

Nonetheless, private companies are advised to keep control of communications policies.

The reality is that it takes a team effort to get effective communications policies, said John Martin, a partner at the law firm Nelson Mullins Riley & Scarborough LLP. Sometimes the compliance effort is initiated by the IT security group, but it also could start with the legal department.

"They are not simply IT issues, they are cultural issues, they are business issues," said Martin, who heads his firm's Encompass E-Discovery and Document Review Solutions group.

(www.computerworld.com)

Patrick Thibodeau