Clinton's shadow IT would not have passed private sector muster

Did the State Department CIO have the power to stop Clinton?

Former Secretary of State Hillary Clinton checks her email in 2011.

Credit: Kevin Lamarque/Reuters

There are many questions regarding former Secretary of State Hillary Clinton's use of her private email to conduct official business. A leading one is whether the department's IT managers did anything to question or stop it.

Clinton, who was secretary of state under President Obama from 2009 to 2013, used her personal email account with its own domain, Clintonemail.com, to conduct official correspondence. The State Department contends there was no prohibition on the use of a non-State.gov account for official business as long as the emails were preserved. Clinton was following what had been the practice of previous secretaries, the agency said, noting that current Secretary of State John Kerry is the first to rely primarily on a State.gov account.

The State Department's policy of not preventing an employee from using a private email account for official business is not a practice that would be sanctioned in the private sector.

"It is the rare company that would endorse their employees using personal email accounts to conduct business," said Jackie Ford, an attorney specializing in employment law and privacy at Vorys, Sater, Seymour and Pease. "Most have policies specifically prohibiting that," she said.

Email messages are records that may be covered by document retention requirements and subject to discovery in litigation, Ford said. Employees may believe they are being clever in circumventing email policies, but as Clinton's situation illustrates, "most of the time this is going to backfire," she added.

Government policies recognize that sometimes business will be conducted through a personal email account, and when that happens a copy should be sent to an official account to preserve the record. But Clinton appears to have used a private account for most of her official business, and when asked by the State Department for her records, she provided some 55,000 pages.

There was no immediate answer from the State Department as to whether its CIO, or anyone in IT security, raised concerns about Clinton's practices. A former State Department CIO during part of Clinton's tenure, Susan Swart, who is now in a similar post at the International Monetary Fund, deferred questions to the State Department.

Even if the department's IT managers raised questions about Clinton's email practices, or were even aware of them, they may have been powerless to stop them.

"The private sector uses private emails on a regular basis for work," said Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security.

"I see it most frequently in sales, where the salesperson intends to take their contacts, customers and leads to the next job," he said.

What these workers want is "portability," Hansen said. "Many people don't trust their employer not to read their email, and they don't trust the email to be available to them after they depart the company," he explained.

The use of private email for business is "rarely sanctioned but it's commonly tolerated," Hansen said.

One reason IT managers might tolerate the use of private accounts is the conflict between information security and IT-business alignment, according to Leon Kappelman, an information systems professor at the University of North Texas.

By allowing, or not preventing, BYOD (bring your own device) programs and shadow IT (another name for what Clinton was doing), IT managers are not seen as people who always say no, Kappelman said.

Shadow IT may be a big security risk, but some IT managers "think it's worth the trade-off because it makes the customer happier," said Kappelman.

Nonetheless, private companies are advised to keep control of communications policies.

The reality is that it takes a team effort to get effective communications policies, said John Martin, a partner at the law firm Nelson Mullins Riley & Scarborough. Sometimes the compliance effort is initiated by the IT security group, but it also could start with the legal department.

"They are not simply IT issues, they are cultural issues, they are business issues," said Martin, who heads his firm's Encompass E-Discovery and Document Review Solutions group.
