Hillary Clinton’s Private Email Account is a Compliance Nightmare!

This is rather interesting in light of the fact that she was opposed to similar actions of the Bush Administration. In June 2007, while running for president, she spoke at the Take Back America conference, and decried the use of secret email accounts. Mrs. Clinton felt that the Administration’s use of such accounts “shredded” the Constitution.

Here is a video of Hillary’s comments:

Not only does Clinton’s use of a private email account raise questions about the security risks involved in hosting a private email server for sensitive government communication, but it also appears to be a clear attempt to thwart the federal records compliance and retention requirements of the Federal Records Act, as well as to avoid Freedom of Information Act (FOIA) records requests.

The History

Mrs. Clinton’s private email account, clintonemail.com, was first revealed as a result of an investigation into the “Guccifer” email hacking scandal in March of 2013. Guccifer hacked the email account of Sidney Blumenthal, a former senior White House adviser to President Bill Clinton, and later a senior adviser to Hillary Clinton’s 2008 presidential campaign. Mr. Blumenthal sent relatively personal messages (like a get well note after she fell at home and suffered a concussion in December 2012) to Hillary Clinton’s private email, and sent a series of Confidential memos discussing foreign policy matters with subject lines such as “Comprehensive Intel Report on Libya.” Initially, the leak of Clinton’s personal email address seemed like nothing significant, but with this recent disclosure that she exclusively used this private email server for her governmental duties, it takes this security and compliance issue to a whole other level.

The clintonemail.com domain was established the day of Hillary Clinton’s Senate confirmation hearings. The Associated Press has traced the domain registration to a mysterious identity, Eric Hoteham, a name that does not appear in public records databases, campaign contribution records or Internet background searches. It seems clear that this domain was created solely for the purpose of hosting Clinton’s private and State Department email.

According to Clinton’s staff, her emails were allegedly saved; however, it is not clear which emails were retained, or how and where they were archived. Her aides took no action to have those emails retained on State Department servers, as required by the Federal Records Act. Without the appropriate retention policy oversight, there is no way to know which emails were kept and which were deleted. This is why it is essential that email be retained in a central repository, on government servers. It is not clear how many email messages are contained in Mrs. Clinton’s personal account, and the process her advisers used to determine which emails should be turned over to the State Department for review (those related to her work at the State Department) is unknown.

Trey Gowdy, the Chairman of the Select Committee on Benghazi, commented on the discovery. “You do not need a law degree to have an understanding of how troubling this is. There are chain of custody issues, there are preservation of materials and documents issues…there are best evidence issues, in addition to asking about archives and what safeguards may have been in place to protect this information.”

Security Implications

Clinton’s decision to host her own email server may have been a clever way to avoid federal law and FOIA requests, but the fact that she did points to a definite security risk. Why? Her private email account may or may not have included encryption or other vital security measures. This is also troubling because of the sensitivity of the email that she sent and received. From a security standpoint, the possibility that Clinton, America’s top foreign affairs official at the time, hosted an unofficial, unprotected email server is baffling. This server contained her entire history of electronic communications over her four-year tenure, leaving all of that electronic data vulnerable to hackers.

Chris Soghoian, lead technologist for the American Civil Liberties Union said, “She’s not the first official to use private email and not the last. But there are serious security issues associated with these kinds of services… When you build your house outside the security fence, you’re on your own, and that’s what seems to have happened here.”

It is unknown how much IT manpower was responsible for overseeing the mail server. One can only assume that Clinton’s technological security was lacking in comparison to the IT security team that monitors State Department servers for possible vulnerabilities and breaches.

Beyond the protection of the server itself, the network traffic could have been hacked. A simple WHOIS search reveals that the clintonemail.com domain was registered with Network Solutions, a private domain name registrar. Hundreds of Network Solutions domains were hacked in 2010, just a year into Clinton’s time at the State Department. Anyone who hacked Network Solutions would be able to quietly hijack the clintonemail.com domain, intercepting, redirecting, and even spoofing email from Clinton’s account.

Did Hillary Clinton’s Private Email Server Violate the Law?

According to the Federal Records Act, letters and emails written or received by federal officials, including the Secretary of State, are considered government records. Any communication must be retained to be submitted to the National Archives. This is necessary to allow records requests under the Freedom of Information Act, so congressional committees, historians, and members of the news media can find the data. The only exception to the law is that certain classified and sensitive materials do not need to be made available to the news media, but they still need to be retained.

This law was recently expanded by President Obama with H.R. 1233, the Presidential and Federal Records Act Amendments of 2014. This law does not apply to the Clinton incident; however, it is important to note its significance for government employee communication.

H.R. 1233 further clarifies the responsibilities of Federal government officials when using non-government email systems. This law strengthens the Federal Records Act by expanding the definition of Federal records to clearly include electronic records.

Section 10 of this law: “Prohibits an officer or employee of an executive agency from creating or sending a record using a non-official electronic messaging account unless such officer or employee: (1) copies an official electronic messaging account of the officer or employee in the original creation or transmission of the record, or (2) forwards a complete copy of the record to an official electronic messaging account of the officer or employee not later than 20 days after the original creation or transmission of the record. (3) Provides for disciplinary action against an agency officer or employee for an intentional violation of such prohibition.”

In other words, personal email accounts should not be used for official correspondence and if a personal account is used, those emails must be archived and retained.

Here is why what Clinton did may have violated law

At the end of the day there were clear violations of the federal government’s recordkeeping and transparency rules. We have no way of knowing whether or not all of her government-related emails were actually retained and archived correctly. Is it possible that during Hillary’s entire tenure as Secretary of State she never once deleted an email? We can only rely on the word of her staff that all of the email communications related to her government position were identified correctly (or worse, purposefully omitted) and included in the 55,000 pages of emails sent to the State Department.

With regard to the eDiscovery and compliance issues of the release of these records, important questions remain. Where is the metadata? What exactly was turned over to the State Department? Is it discoverable? Can it be quickly and easily searched?

Are you compliant?

H.R. 1233 strengthens the requirement that government employees must not use personal email accounts for official correspondence. All email communication must be retained and accessible. If a personal email account is used for official government business, those messages must be submitted to be archived “… not later than 20 days after the original creation or transmission of the record,” and intentional violations are subject to disciplinary action.
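The Section 10 rule quoted above (an official account copied at creation, or a complete copy forwarded within 20 days) is concrete enough to audit mechanically, which is the kind of check an archiving or compliance team would want to run over mail metadata. The following is an added example, not code from this post or from the Retain product; it assumes a hypothetical list of message records with sender, recipients, creation date and an optional forward date, and a hypothetical set of official domains, all constructed inline.

```python
from datetime import date, timedelta

# Section 10 of H.R. 1233 as quoted in the post: a record created on a
# non-official account must be copied to or forwarded to an official
# account not later than 20 days after its creation or transmission.
FORWARD_DEADLINE = timedelta(days=20)

# Assumption: these are the agency's official mail domains (constructed).
OFFICIAL_DOMAINS = {"agency.example.gov"}


def is_official(address, official_domains=OFFICIAL_DOMAINS):
    """True when the address belongs to an official (agency) domain."""
    return address.rsplit("@", 1)[-1].lower() in official_domains


def check_record(msg, official_domains=OFFICIAL_DOMAINS):
    """Return the Section 10 violations for one message (empty list if compliant).

    msg is a dict with keys: id, from, to (list), cc (list, optional),
    sent_on (date), forwarded_on (date or absent).
    """
    if is_official(msg["from"], official_domains):
        return []  # created on an official account: the prohibition does not apply

    recipients = msg.get("to", []) + msg.get("cc", [])
    if any(is_official(r, official_domains) for r in recipients):
        return []  # condition (1): an official account was copied at creation

    forwarded_on = msg.get("forwarded_on")
    if forwarded_on is None:
        return ["never forwarded to an official account"]

    delay = forwarded_on - msg["sent_on"]
    if delay > FORWARD_DEADLINE:  # "not later than 20 days": day 20 is still on time
        return [f"forwarded {delay.days} days after creation (limit {FORWARD_DEADLINE.days})"]
    return []


def audit(messages, official_domains=OFFICIAL_DOMAINS):
    """Map each message id to its list of violations."""
    return {m["id"]: check_record(m, official_domains) for m in messages}


# Constructed sample metadata covering each branch of the rule.
SAMPLE_MESSAGES = [
    # official account in Cc at creation: compliant under condition (1)
    {"id": "m1", "from": "sec@personal.example", "to": ["friend@other.example"],
     "cc": ["Aide@Agency.Example.GOV"], "sent_on": date(2015, 3, 2)},
    # forwarded exactly 20 days later: compliant under condition (2)
    {"id": "m2", "from": "sec@personal.example", "to": ["friend@other.example"],
     "sent_on": date(2015, 3, 2), "forwarded_on": date(2015, 3, 22)},
    # forwarded on day 21: violation
    {"id": "m3", "from": "sec@personal.example", "to": ["friend@other.example"],
     "sent_on": date(2015, 3, 2), "forwarded_on": date(2015, 3, 23)},
    # never forwarded: violation
    {"id": "m4", "from": "sec@personal.example", "to": ["friend@other.example"],
     "sent_on": date(2015, 3, 2)},
    # created on the official account: out of scope for Section 10
    {"id": "m5", "from": "sec@agency.example.gov", "to": ["friend@other.example"],
     "sent_on": date(2015, 3, 2)},
]

if __name__ == "__main__":
    for msg_id, problems in audit(SAMPLE_MESSAGES).items():
        print(msg_id, "OK" if not problems else "; ".join(problems))
```

The check deliberately treats day 20 as on time and day 21 as late, matching the statutory wording “not later than 20 days”; a real audit would draw the sent and forward dates from the archive’s own metadata rather than from a constructed list, which is exactly the metadata the post asks about in the eDiscovery section.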

Other regulations, such as FINRA, SEC 17a-4, SOX, HIPAA, the Dodd-Frank Act, and the FRCP, require that organizations archive electronic communication data. Failure to do so, as we have seen from this case, can cause major problems, including loss of sensitive data, lack of oversight of employee communication, fines and sanctions, damage to reputation, and financial losses.

Retain Unified Archiving

Retain archives all email communication data, in addition to social media, web searches and mobile messaging data, in one central archive. This archive is easily accessed, searched and exported. By archiving electronic communication and allowing this data to be easily accessed, Retain will help ensure that you have oversight of employee communication, that scandals are avoided, that your data is secure and that you will be compliant with the regulations regarding the management of electronic communication data.

For more information on Retain, visit www.GWAVA.com/Retain


Photo Credit: Kevin Siers

Jeff Schultz