Email Archiving and Compliance: Learning from email issues that plague the White House
Posted by Bharat Suneja at 12:27 PM
A White House spokeswoman said Friday that it is possible several million emails could have been erased. How many million is "several" million? According to Deputy Press Secretary Dana Perino, "a potential 5 million emails were lost", as reported by McKinnon.
That's not a small number by any means! Can you imagine the impact of losing as many emails from your corporate messaging systems?
What's even more interesting, another White House spokesman - Scott Stanzel said "we are aware that some emails may not have been automatically archived on the... server. However, we understand that such emails should have been preserved on backup tapes."
The Washington Post's Dan Froomkin writes in his White House Watch column, "Countless e-mails to and from many key White House staffers have been deleted -- lost to history and placed out of reach of congressional subpoenas -- due to a brazen violation of internal White House policy that was allowed to continue for more than six years, the White House acknowledged yesterday.
The leading culprit appears to be President Bush's enormously influential political adviser Karl Rove, who reportedly used his Republican National Committee-provided Blackberry and e-mail accounts for most of his electronic communication."
1) IT/Messaging Operations: missing messages from the archiving system. Is this a case of data loss that happened during "conversion" from one system to another, as stated in the White House response? It would be great to have more technical details, so that those of us in messaging can relate, try to figure out what may have happened, and perhaps learn how to avoid such issues in our own environments. Some may even be interested in knowing which vendors and/or products were involved.
2) IT/Messaging Policy: As indicated in most such reports in the media, many White House staffers used accounts on the Republican National Committee's (RNC) messaging system instead of the official White House one. Again, removing the political context from this issue, this could be the worst nightmare for CIOs/Compliance Officers/executives in any organization - users bypassing your organization's mail system completely, using their personal/external accounts. Messages that bypass your email system cannot be archived by your super-smart archiving systems. You have no control over such messages, or their content.
Unfortunately, there's no simple technical solution to stop such email abuse. Many organizations try different things, like blocking known/public/free web-based email systems, or blocking outbound SMTP at the firewall for all computers except the authorized internal mail hosts that need to send internet mail, amongst other such measures. None of these measures guarantees an absolute lockout of external mail services or systems - those inclined to do so may find workarounds, depending on how well you've locked down such access.
Nevertheless, such measures do provide some sort of protection from use of "unauthorized mail systems". Additionally, putting such measures in place is proof that attempts were made in good faith to prevent users from indulging in such practice.
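The two controls just described (an egress rule that lets only authorized mail hosts talk to internet SMTP ports, and a block on known webmail sites) are only as good as your ability to show they are working and to notice the hosts that slip past them. The following Python script is an added example, not code from the original post or from any product it mentions: it reviews constructed firewall and web-proxy log lines, reports allowed mail-port connections from hosts outside a hypothetical relay allowlist, counts the attempts the firewall blocked (the "good faith" evidence the paragraph above refers to), and flags proxy requests to placeholder webmail domains. The key=value log format, the 10.0.x.x addresses, the relay allowlist and the webmail domain list are all assumptions made for the example.

```python
"""Egress review for unauthorized mail use (added example; sample logs are constructed).

Flags (1) outbound connections to mail ports from internal hosts that are not the
organization's approved mail relays, (2) how many such attempts the firewall blocked,
and (3) web-proxy requests to known webmail sites."""
import re

# Hypothetical allowlist: only these internal hosts may send mail to the internet.
AUTHORIZED_MAIL_HOSTS = {"10.0.1.10", "10.0.1.11"}
# TCP ports used for SMTP relay, SMTPS and message submission.
MAIL_PORTS = {25, 465, 587}
# Placeholder domains standing in for public webmail providers (constructed, not real providers).
WEBMAIL_DOMAINS = {"mail.example.net", "webmail.example.org"}

# Constructed firewall log in a simple key=value style; not the output of any real product.
SAMPLE_FIREWALL_LOG = """\
2007-04-13T09:12:01 action=allow proto=tcp src=10.0.5.21 dst=203.0.113.10 dport=25
2007-04-13T09:12:07 action=allow proto=tcp src=10.0.1.10 dst=192.0.2.44 dport=25
2007-04-13T09:13:15 action=allow proto=tcp src=10.0.5.33 dst=198.51.100.7 dport=587
2007-04-13T09:14:02 action=allow proto=tcp src=10.0.5.21 dst=198.51.100.7 dport=443
2007-04-13T09:15:40 action=deny proto=tcp src=10.0.5.40 dst=203.0.113.10 dport=25
"""

# Constructed web-proxy log in the same style.
SAMPLE_PROXY_LOG = """\
2007-04-13T09:20:11 src=10.0.5.21 host=mail.example.net method=GET status=200
2007-04-13T09:21:03 src=10.0.5.22 host=intranet.corp.example method=GET status=200
2007-04-13T09:22:48 src=10.0.5.40 host=www.webmail.example.org method=POST status=302
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Split one 'timestamp key=value ...' line into a dict; the timestamp is stored under 'ts'."""
    parts = line.split(None, 1)
    if len(parts) < 2:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    fields["ts"] = parts[0]
    return fields


def _mail_port(fields, mail_ports):
    """Return the destination port as int if it is a TCP mail port, else None."""
    if fields.get("proto") != "tcp":
        return None
    try:
        port = int(fields["dport"])
    except (KeyError, ValueError):
        return None
    return port if port in mail_ports else None


def unauthorized_smtp(log_text, authorized_hosts=AUTHORIZED_MAIL_HOSTS, mail_ports=MAIL_PORTS):
    """Mail-port connections the firewall allowed from hosts outside the relay allowlist.
    Each of these is a possible bypass of the organization's mail system."""
    hits = []
    for line in log_text.splitlines():
        f = parse_kv(line)
        if not f or f.get("action") != "allow":
            continue
        port = _mail_port(f, mail_ports)
        if port is not None and f.get("src") not in authorized_hosts:
            hits.append({"ts": f["ts"], "src": f.get("src"), "dst": f.get("dst"), "dport": port})
    return hits


def denied_smtp_count(log_text, mail_ports=MAIL_PORTS):
    """Number of mail-port attempts the firewall blocked: evidence that the control is in place."""
    total = 0
    for line in log_text.splitlines():
        f = parse_kv(line)
        if f and f.get("action") == "deny" and _mail_port(f, mail_ports) is not None:
            total += 1
    return total


def webmail_access(proxy_text, webmail_domains=WEBMAIL_DOMAINS):
    """Proxy requests whose host is a listed webmail domain or any subdomain of one."""
    hits = []
    for line in proxy_text.splitlines():
        f = parse_kv(line)
        if not f:
            continue
        host = f.get("host", "").lower()
        if any(host == d or host.endswith("." + d) for d in webmail_domains):
            hits.append({"ts": f["ts"], "src": f.get("src"), "host": host})
    return hits


if __name__ == "__main__":
    for h in unauthorized_smtp(SAMPLE_FIREWALL_LOG):
        print("unauthorized mail-port connection:", h)
    print("blocked mail-port attempts:", denied_smtp_count(SAMPLE_FIREWALL_LOG))
    for h in webmail_access(SAMPLE_PROXY_LOG):
        print("webmail access:", h)
```

Run against real logs, the first report is the list of workstations to follow up on (a host sending on port 25 or 587 that is not a mail relay is either misconfigured or bypassing the mail system), and the deny count is what you would show an auditor to demonstrate that the egress rule was actually enforced during the period in question.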
The other piece is Messaging/IT Policy. Some questions to ask: Does your policy explicitly state that users should not use such "unauthorized mail systems" to send/receive work-related messages, or prevent users from using external mail systems at all during work hours or from the office? Is the policy well-publicized in your organization? Do users sign an agreement stating they've read, know about and agree to adhere to such policies, when they join your organization and every time the policy changes? Does it communicate the possible consequences of such policy violations?
As a sidenote, as a user I would frown on policies that prevent me from checking my personal email from work - at least during breaks. This may be a job requirement for positions such as those in the White House (or large financial institutions, as noted in the comments - Bharat), but it is not very practical in many private organizations. A delicate balance has to be found that meets both requirements - ensuring all work-related communication happens through the organization's messaging system, while allowing use of personal email for personal purposes, particularly during breaks/non-work hours. It appears that White House staff are governed by such policies - the 1978 Presidential Records Act, according to McKinnon's report. Ironically, while the elected representatives are all for enacting laws like the Sarbanes-Oxley Act and HIPAA, and the government is all too diligent in enforcing them, an important arm of the government doesn't seem to be in compliance with laws that apply to it.
Messaging folks, and corporate IT & legal departments have a lot to learn from this incident - lessons best learnt from other people's experiences (...and at other people's cost?).
I suspect we will continue to hear a lot more about this issue in days to come.