Organizations Need to Possess Executive Email Records

Ben Wright, Guest Writer, Attorney and SANS Institute Instructor

A few years ago we learned that former US Secretary of State Hillary Clinton handled all of her official State Department email through a personal email account rather than through the State Department’s official system. Experts have raised questions whether Clinton complied with government records law.Her practice raises issues for her employer, that is, the Department of State. Her records implicate her employer. The Department of State could be held accountable in court or in Congressional investigations for statements and directives she made as she worked in her official capacity.

For example, in Wood v. Town of Warsaw, N.C., No. 7:10-CV-00219-D, 2011 WL 6748797 (E.D.N.C. Dec. 22, 2011), a municipal government was held accountable for records created stored by a manager on his home computer.

Employer At Disadvantage

An employer like a government agency or a private business is at a disadvantage if the official records of its executive are not under the control of the employer. When legal and internal control issues arise, the employer is not able to resolve those issues if it does not possess the records. Those records might be relevant to resolving a dispute involving the hiring or firing of other employees (which was the topic in the Wood case above). Those records might be important for resolving questions around misconduct, embezzlement, internal control or contract negotiations with vendors and customers.

In the case of Secretary Clinton, she maintains that she will turn over email records to her former employer as necessary.

But what assurance does an employer have that a former executive will protect old records? In the event of a conflict, how does the employer know that a former executive will not lose, hide, withhold or destroy records?

Central Archive is Preferred

An enterprise needs to possess its records. It needs to control them and protect them. It needs to be able to search them. The enterprise cannot do all that when the records are somewhere, out there in a personal account belonging to a former executive.

An enterprise is therefore wise to insist – by policy and contract — that executives use official email to conduct business. It is wise to keep records of that official email for a substantial period of time (years, not months). Furthermore, the enterprise is wise to keep those records in a central archive, controlled by the IT department rather than by the executive. Records kept in a central archive cannot be manipulated by the executive.

eDiscovery on Email Records

Records in a competent central archive can be searched easily. Therefore, when the enterprise is required to respond to e-discovery requests in litigation or other investigations, it can quickly and inexpensively comply with those requests. It can persuade an outside authority like a court that the enterprise should not be forced to engage in deeper, more expensive eDiscovery, hunting for miscellaneous records in all the random places they may exist.

Benjamin Wright is a practicing attorney based in Dallas, Texas, and an instructor at the SANS Institute teaching a 5-day course titled “Law of Data Security and Investigations.”