Skip to content Skip to navigation menu
Your browser is not supported by this site.
Please update to the latest version, or use a different browser for the best experience.
×

Corporate Counsel Connect collection

May 2015 Edition

Hillary Clinton's e-mail woes: A lesson in managing employee IT use

Craig J. Blakeley, and Jeffrey H. Matsuura, Alliance Law Group LLC

Craig J. Blakeley and Jeffrey H. MatsuuraHillary Clinton is the target of criticism for use of a private electronic mail system during her tenure as United States Secretary of State. Critics contend that her use of the private e-mail system for official communications raised important network security and government transparency concerns. Clinton argues that her actions were entirely consistent with the information technology policies and procedures then in effect at the State Department. This controversy highlights the important information technology management challenges raised for organizations by the highly popular “Bring Your Own Device” (BYOD) strategy for computer and communications technology use.

The Clinton problem

Hillary Clinton acknowledges that, while serving as Secretary of State, she used a private e-mail system instead of the State Department network for her official communications. That private system reportedly included a dedicated server owned and controlled by the Clinton family. Clinton notes that use of a private e-mail platform was permitted by State Department information technology use rules at the time she served at the State Department. One of her predecessors as secretary of state, Colin Powell, reportedly acknowledged that he too used an e-mail system other than the State Department's network for his official communications.

Clinton critics argue that use of a private network raises important security and transparency issues. They note that private e-mail platforms may be less secure than U.S. government systems, thus making the communications routed through and stored in the private networks potentially less secure than those processed by U.S. government e-mail networks. In addition, critics contend that private e-mail systems may not provide for message archiving and documentation consistent with U.S. government communications storage requirements, thus making the official communications processed through the private platforms less accessible to government officials, the media, scholars, and the public. The critics suggest that use of private e-mail systems may, as a result, undermine important efforts to facilitate transparency of official communications and records.

The BYOD challenge

Many organizations now permit their employees to use communications devices (e.g., smartphones) and computing equipment (e.g., laptops and tablet computers) owned by the employees or third parties for their work activities. Some organizations also rely on employee use of communications and computing services (e.g., e-mail and “cloud” computing) and platforms (e.g., social media) that are provided by outside parties, including companies such as Google, Amazon, and Facebook. In many instances, BYOD use is the result of decisions by individual employees or groups of employees, not the result of a strategic management decision.

The BYOD approach can offer advantages for organizations. For example, the BYOD strategy can help organizations to reduce their direct information technology costs by shifting some of those costs to outside parties. It can also enable information technology systems to be more flexible and responsive to the changing operational needs of any organization. The BYOD approach can also permit enterprises to outsource some of their information and communications technology development, support, and upgrading operations to major technology product and service providers at no cost or at minimal cost.

The BYOD strategy also carries significant challenges. The primary challenge is loss of control over critical information and communications technology operations. In an environment in which individual employees or groups of employees make independent decisions regarding choice of computing and communications equipment and services to be used for official business activities, it is likely that the organization involved will lose management control over technology use. This loss of control will almost certainly result in substantially greater risk of data security and information privacy breaches, as well as increased threat of inappropriate use of intellectual property and other proprietary materials.

Hillary Clinton's experience provides an extreme example of the problems associated with BYOD. Admittedly, most employees involved with BYOD activities are not senior United States government officials. In addition, few BYOD cases involve an employee who uses en e-mail server owned and controlled by the employee. It is far more common that the employee is simply using e-mail or other information technology services provided by a third party such as Google or Microsoft.

Although the Hillary Clinton situation is an extreme form of BYOD, it offers a useful illustration of the difficulties associated with the BYOD approach. As the debate associated with Clinton's BYOD experience escalated, it became clear that she was not the only senior political player involved with BYOD. As noted previously, Colin Powell indicated that he too had used an external e-mail system while Secretary of State. Even the highly vocal critic of Hillary Clinton's BYOD activity, Jeb Bush, reportedly acknowledged that he had also used an external e-mail platform while serving as Governor of Florida.

Managing BYOD

The Hillary Clinton case highlights the need for effective policies and practices regarding use of devices and services provided by parties outside of an organization. Each organization should develop specific rules and practices describing what, if any, level of BYOD use is permissible. Those rules, policies, and practices, should be clearly and frequently communicated to all employees and contractors. They should also be updated and enhanced as appropriate on a regular basis to reflect evolving technologies. Decisions regarding BYOD use should be revisited on a regular basis.

Each organization should consider the option of a total prohibition on the use of devices and services provided by the employee or an outside party for official business purposes. Although many organizations will likely determine that some BYOD activities are productive and appropriate, every organization should give careful consideration to the possibility of relying totally on information and communications technologies and services provided by the organization.

If some form of BYOD is to be permitted, the organization must enforce mandatory practices and procedures enabling it to retain effective control over all devices and services. These practices and procedures should include mandatory review and approval of all devices and services by a specifically designated individual or unit within the organization prior to use. Even after receiving internal approval, all devices and services should be reexamined on a regular basis and recertification should be required.

Each organization that permits BYOD should retain the right, exercisable at its sole discretion, to prohibit use of any device or service at any time, even if that device or service was previously approved. Employees and contractors should be briefed on the BYOD policies and requirements periodically, and they should be required to comply with those obligations at all time, as a condition of employment. Each organization should reserve the right to terminate employment or contractor status based on failure to comply fully with BYOD policies, practices, and procedures.

BYOD strategies can be productive and effective for some organizations, however, they may be totally inappropriate for others. Each organization must make its own determination regarding use of the BYOD approach. If BYOD is permitted, the organization involved must recognize that this strategy carries significant risks and can be both difficult and costly to enforce effectively. Failure to manage BYOD operations diligently can threaten the success and survival of any organization.


BUILT FOR YOU - CLEAR for enhanced due diligence - GO