Email Archiving and Compliance: Learning from email issues that plague the White House

by Bharat Suneja

Over the weekend, Wall Street Journal reported “White House Probes More Lost Emails” (external links do not work, WSJ.com requires subscription to read this article). The Journal’s John D. McKinnon reports, “The White House, already under pressure to explain missing emails from officials using a Republican Party system, says it is investigating reports that many more emails might have been deleted from its own system.”

A White House spokeswoman said Friday that it is possible several million emails could have been erased. How many million is “several” million? According to Deputy Press Secretary Dana Perino, “a potential 5 million emails were lost“, as reported by McKinnon.

That’s not a small number by any means! Can you imagine the impact of losing as many emails from your corporate messaging systems?

What’s even more interesting, another White House spokesman – Scott Stanzel said “we are aware that some emails may not have been automatically archived on the… server. However, we understand that such emails should have been preserved on backup tapes.”

The Washington Post’s Dan Foomkin writes in his White House Watch column, “Countless e-mails to and from many key White House staffers have been deleted — lost to history and placed out of reach of congressional subpoenas — due to a brazen violation of internal White House policy that was allowed to continue for more than six years, the White House acknowledged yesterday.

The leading culprit appears to be President Bush’s enormously influential political adviser Karl Rove, who reportedly used his Republican National Committee-provided Blackberry and e-mail accounts for most of his electronic communication.”

The political spin is interesting, even amusing to many. Let’s put the political tones and context aside, and think of these as email issues for a moment. There are two issues here:

1) IT/Messaging Operations: missing messages from the archiving system. Is this a case of data loss that happened during “conversion” from one system to another, as stated in the White House response? It would be great to have more technical details, so us messaging types can relate and try to figure out what may have happened, and perhaps how to avoid such issues in our environments. Some may even be interested in knowing which vendors and/or products were involved.

2) IT/Messaging Policy: As indicated in most such reports in the media, many White House staffers used accounts on the Republican National Committee’s (RNC) messaging system, instead of the official White House one. Again, removing the political context from this issue, this could be the worst nightmare for CIOs/Compliance Officers/executives in any organization – users bypassing your organization’s mail system completely, using their personal/external accounts. All such messages that bypass your email system can not be archived by your super-smart archiving systems. You have no control over such messages, or their content.

Unfortunately, there’s no simple technical solution to stop such email abuse – many organizations try different things, like blocking known/public/free web-based email systems, blocking outbound SMTP at the firewall for all computers except authorized internal mail hosts that need to send internet mail, amongst other such measures. Neither of these guarantee the absolute lockout of external mail services or systems – those inclined to do so may find the workarounds, depending on how well you’ve locked down such access.

Nevertheless, such measures do provide some sort of protection from use of “unauthorized mail systems”. Additionally, putting such measures in place is proof that attempts were made in good faith to prevent users from indulging in such practice.

The other piece is Messaging/IT Policy. Some questions to ask: Does your policy explicitly state that users should not use such “unauthorized mail systems” to send/receive work-related messages, or prevent users from using external mail systems at all during work hours or from the office? Is the policy well-publicized in your organization? Do users sign an agreement stating they’ve read, know about and agree to adhere to such policies, when they join your organization and every time the policy changes? Does it communicate the possible consequences of such policy violations?

As a sidenote, as a user I would frown on policies that prevent me from checking my personal email from work – at least during breaks. This may be a job requirement for positions such as those in the White House (or large financial institutions, as noted in the comments – Bharat), but not very practical in many private organizations. A delicate balance has to be found that meets both requirements – that of ensuring all work-related communication happens through the organization’s messaging system, while allowing use of personal email for personal purposes, particularly during breaks/non-work hours.

As it appears, White House staff is governed by such policies – the 1978 Presidential Records Act, according to McKinnon’s report. Ironically, while the elected representatives are all for enacting laws like the Sarbanes-Oxley Act and HIPAA, and the government all too diligent in enforcing them, an important arm of the government doesn’t seem to be in compliance with laws that apply to it.

Messaging folks, and corporate IT & legal departments have a lot to learn from this incident – lessons best learnt from other people’s experiences (…and at other people’s cost?).

I suspect we will continue to hear a lot more more about this issue in days to come.

{ 4 comments… read them below or add one }

Anonymous April 17, 2007 at 10:26 am

i guess you’ve never worked at a large financial investment firm….by policy, no access to external email accounts. This is typically enforced to the best of the filter’s ability. there is nothing to stop you from RDPing into a desktop at home and accessing email there – but this would be in violation of the policy.

Reply

Bharat Suneja April 17, 2007 at 2:39 pm

No, I haven’t had to work in a position that wouldn’t – though, as noted in the post, it’s ok if that’s an organizational requirement for such positions.

Bharat

Reply

Anonymous November 20, 2007 at 7:29 am

I think the White House has a somewhat unique situation on its hands that almost forces them to allow staffers to use the RNC email system. The underlying issue is the RNC system is payed for by the RNC, while the White House system is payed for with tax dollars. Ethically speaking, the White House (and tax payers) should not be paying for the RNC’s internal political communications. But those same politicians still need to interact with non-RNC White House staff and they need to perform non-RNC related duties. So short of preventing RNC associated individuals from working in the White House, there will always be a need for split systems.

Reply

Bharat Suneja January 17, 2008 at 7:11 am

From a compliance standpoint, it’s important that established policies are followed, and messages preserved as dictated by those policies.

Reply

Leave a Comment

Previous post:

Next post: