Blurred Lines: When Personal and Business Email Converge
The political world has been making global headlines over trouble with email usage. Former U.S. Secretary of State Hillary Clinton has been scrutinized for deleting 31,830 emails. Why?
The emails were stored on a private, home-based server during her time at the U.S. State Department, and a single account was being used for both personal and official government email communication. When asked about the controversy, Clinton said she thought it would be easier to use one email address. Former Florida Governor Jeb Bush was caught using his private email address to discuss confidential security and military issues. And according to a New York Times article, it took Bush more than “seven years to comply with a Florida public records statute” on email disclosure.
This attitude toward using one email address as a catch-all for personal and work communication is common, especially among senior-level government officials and corporate executives. There are, no doubt, many individuals in senior positions around the world who believe their seniority gives them the ability – and sometimes the right – to sidestep established corporate policy and procedure. This is exacerbated by the fact that, in many cases, junior staff members are tasked with setting up this one-off functionality, and they are not likely to call out the security risks to senior-level executives and officials (or simply say “no”).
There’s one thing the Clinton and Bush email controversies should teach us: Seniority shouldn’t be a reason for allowing or perpetuating the breach of any corporate policies. One for all, and all for one. Everyone within an organization should adhere to the same rules, policies and standards when it comes to email usage. Otherwise, a false sense of security takes hold, and mistakes can be made. For instance, data can be easily deleted, lost or leaked without a trace when it is outside the control of the corporate IT team. When an email server is installed at a residence rather than in a secure data center, there is no clear distinction between personal and work email, nor are there the same guarantees of security and privacy. This drastically increases the likelihood of confidential documents and messages reaching the inboxes of the sender’s personal network – and there are no security and retention policies in place to track, protect and retrieve the wrongfully transmitted data. In a post-Snowden and post-NSA world, we should doubt the security of anything outside the best standards of established technology.
There’s also a compliance issue to consider. Official IT administrators likely can’t access data that resides on an at-home server in the same way they would access a server in their own data center, which will compromise e-discovery requests. This also complicates subpoenas and other legal requests for information – if the data doesn’t reside in a government or corporate data center, who rightfully has access to it? Who has the right to delete email archives? Without clearly defined policies, the answers to these questions remain unclear.