Obscure Email Security Issues: Whitehouse Provides Lessons in Email Management Practices and Using Non-Business Email Accounts to Conduct Business

So much is in the news lately related to information assurance it is hard to pick which one to share my thoughts about. However, the misuse of email, managing email, and the maintenance of email systems, which I know I’ve already talked about recently, just keeps bubbling to the top of concerns.
Throughout last week and over the weekend, while watching the news programs, listening to the political pundits, and reading various news magazines, there has been much talk about how perhaps millions of Whitehouse emails seem to have vanished, along with discussion about the use of non-Whitehouse systems for Whitehouse business emails.

The White House is currently being accused of a couple of things:
· Improperly trying to hide emails about government business by using unofficial email accounts.
· Losing 5 million emails from the Whitehouse email system.
As I read these reports and listen to the discussions, I think about how routine basic email maintenance and retention is, or should be, by now in all organizations. Strong policies and procedures are necessary to effectively manage email. You would think such basic email management, security and retention practices at the Whitehouse would be exemplary. You would think.
Regarding the use of a non-Whitehouse system to communicate government-related emails…
During the first few months of 2007 the White House was accused of trying to hide emails about government business, that are subject to the Presidential Records Act, by using unofficial email accounts. The Presidential Records Act requires that all communications about and from the U.S. president and vice president must be retained.
Those emails contained information about many interesting things, such as Republican re-election campaigns and the December 2006 firings of federal prosecutors in eight cities. These emails were discovered on the Republican National Committee email domain, gwb43.com, which is not part of the official White House communications system that is configured to retain communications in compliance with the Act. Emails with information reportedly subject to the Act had been sent from this domain since February 2003. Apparently at least one of the emails had been forwarded to the White House email system, which led to this discovery, giving many folks the impression that the administration was trying to “skirt the law governing preservation of presidential records.”
Do any of your personnel use their personal email accounts for business communications? Do they use them to communicate with your customers? I know of at least two large organizations that discovered some of their employees had forwarded all their business email to their personal email addresses so that they could answer them while they were on extended leave or vacation and not have to go through the “hoops” to get set up for the organizations’ remote access solutions. This creates significant problems.
· Others may be able to access business email that contains PII.
· The personal email system may not be secure, leading to customer and personnel email addresses being harvested for spam, DoS or malware attacks.
· Answering customer communications from personal email accounts not only looks unprofessional to the customer, it puts your customer communications outside the control of your organization, leaving you without the ability to monitor or log such communications.
· Customers may start communicating with the personal email accounts instead of with your business accounts.
· Personnel may mistakenly send personal, and possibly inflammatory, communications to customer accounts.
· Allowing such communications to be sent outside the corporate-controlled communications system could be viewed as not following a standard of due care to protect customer information, making your organization vulnerable to noncompliance with applicable laws and regulations and potentially subject to civil actions from upset customers if bad things happen to their information as a result.
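One way to check an outbound relay log for the forwarding habit described above, as an added example that is not part of the original post (the log format, the domain lists and every address are constructed for illustration):

```python
# Added example (not from the original post): flag business mail relayed to
# personal webmail accounts. Log format, domains and addresses are constructed.
import re
from collections import Counter

CORPORATE_DOMAINS = {"example.com"}                          # assumed org domains
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}  # constructed list

# Constructed outbound relay log, one message per line (not real data).
SAMPLE_LOG = """\
2007-04-16T09:01:12 msgid=A1 from=<alice@example.com> to=<alice.home@gmail.com> subject="Fwd: Customer account 4471"
2007-04-16T09:02:40 msgid=A2 from=<alice@example.com> to=<bob@example.com> subject="Lunch"
2007-04-16T09:03:05 msgid=A3 from=<carol@example.com> to=<support@vendor.example.net> subject="Invoice 1182"
2007-04-16T09:04:51 msgid=A4 from=<alice@example.com> to=<alice.home@gmail.com> subject="Fwd: Payroll export"
2007-04-16T09:06:22 msgid=A5 from=<dave@example.com> to=<dave.personal@yahoo.com> subject="Fwd: Contract draft"
2007-04-16T09:07:10 msgid=A6 from=<dave@example.com> to=<erin@example.com> subject="Re: Contract draft"
"""

LINE_RE = re.compile(r'msgid=(?P<msgid>\S+) from=<(?P<sender>[^>]+)> '
                     r'to=<(?P<rcpt>[^>]+)> subject="(?P<subject>[^"]*)"')

def mail_domain(addr):
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()

def parse_log(log):
    """Yield a dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def find_personal_forwards(log, corporate=CORPORATE_DOMAINS, personal=PERSONAL_DOMAINS):
    """(msgid, sender, recipient, subject) for each message a corporate sender
    relayed to a personal-webmail address; mail to partners or colleagues is ignored."""
    return [(r["msgid"], r["sender"], r["rcpt"], r["subject"])
            for r in parse_log(log)
            if mail_domain(r["sender"]) in corporate and mail_domain(r["rcpt"]) in personal]

def repeat_forwarders(hits, threshold=2):
    """Senders with at least `threshold` hits: the 'forward everything to my
    personal account' habit the post describes, which warrants follow-up."""
    counts = Counter(sender for _, sender, _, _ in hits)
    return {s: n for s, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    hits = find_personal_forwards(SAMPLE_LOG)
    for h in hits:
        print("forwarded to personal account:", h)
    print("repeat forwarders:", repeat_forwarders(hits))
```

A single hit may be a one-off mistake; a sender who shows up repeatedly is the "forward all my business mail" case that the policy review should address.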
Regarding the claimed loss of 5 million email messages from the Whitehouse system…

“Millions of White House e-mails may be missing, White House spokeswoman Dana Perino acknowledged Friday. ‘I wouldn’t rule out that there were a potential 5 million e-mails lost,’ Perino told reporters.”

Very few email systems within competent organizations today would not be regularly backed up, with several iterations of backups on multiple backup media, and stored somewhere. There are also all the client-side email archives that exist. Whenever an email is sent to someone, it is propagated and stored in potentially many different places. It is doubtful the emails are permanently lost; misplaced, perhaps, but even that, given the number of emails involved, is incredible.
As Senator Leahy put it:

“You can’t erase e-mails, not today. They’ve gone through too many servers. They can’t say they’ve been lost. That’s like saying, ‘The dog ate my homework.’ ”

Indeed. In fact, with today’s technology it is much more difficult to completely delete an email after it has been sent to someone than it is to keep it lingering on various systems scattered hither and yon.

“Perino told reporters that the e-mails from those accounts should have been saved, but said policy has not kept pace with technology. She said computer experts were trying to retrieve any records that have been deleted. “We screwed up, and we’re trying to fix it,” she told reporters.”

As stated on This Week with George Stephanopoulos,

“Perino admitted that as BlackBerries have become more ‘ubiquitous, the policy wasn’t always followed correctly.’”

Many organizations are struggling with how to successfully manage email messages that can be stored in at least as many locations as there are personnel using the email systems. It really is a matter of managing email now, not just retaining and deleting it; trying to keep accurate track of email messages is about as easy as herding grasshoppers when client devices are storing the messages.
Have your email policies kept up with technology, and with retention and e-discovery requirements? I discussed the new e-discovery rules a few weeks back.
All organizations need to periodically review their email policies and also their procedures to ensure they are still effective and applicable. Think about…
· How long do you retain your email messages, including on backups?
· How do you ensure your client-stored messages, such as on desktops, laptops, BlackBerries and so on, get backed up and stored?
· Do you use procedures to automatically delete messages after they reach a certain age? If so, is this in compliance with your applicable laws and regulations?
