NEWS ANALYSIS: Regardless of your politics, there are plenty of reasons to think of Hillary Clinton and U.S. Secretary of Defense Ashton Carter as poster children for bad email security.
Here it is nearly a year after the disclosure that former U.S. Secretary of State Hillary Clinton, currently seeking a new job, had violated a series of regulations about the use of government email and we're still seeing more damaging revelations.
Compounding the issue are recent reports that current U.S. Secretary of Defense Ashton Carter used his personal email account after he took office, even though he knew it was wrong. Why can't high government officials follow clearly-established policies for email security and preservation?
Ms. Clinton has claimed various excuses as to why she didn't use government email channels saying that it was more convenient to use her own, or that all of the other secretaries were doing it, or that she didn't use it for classified information, anyway.
Subsequent revelations have shown her claims to be inaccurate, but I'll leave it at that. Mr. Carter, who says he knew better, apparently used his personal email for expediency, because it was on his iPhone.
As entertaining as this political reality show may be in Washington, you really don't want your company to be like that. You especially don't want to find out that your key employees are carrying sensitive company information around on their personal phones, and you don't want to find out that information that's subject to compliance regulations is somehow showing up on Gmail.
This means that you need to examine your own email practices, and your company's practices and policies. In addition, you also need to pay attention to what your employees are actually doing and, if you see them violating your company email policy, you need to take corrective action.
Your company should have a communications policy in place. If it doesn't, it should set one up soon. If you really don't care where your company data goes or who has access to sensitive internal information, then you don't need a policy. But you might need a lawyer, sooner rather than later. While you have to decide what will work for your company's culture, there are a couple of things to keep in mind.
First, you need to reflect on your company's exposure to regulations for data protection. If you handle sensitive information that belongs to others, whether it's credit, health, financial or any other type of data that's subject to compliance rules, then you will need an email policy, and it needs to satisfy those compliance requirements. It needs to be in writing and it needs to be enforced.
Second, if your company has other sensitive information in the form of customer lists, inventory, trade secrets or personnel files, then you need a policy. While the loss of some of those items may not be illegal, it could cost you your business. The loss of sensitive personal information could attract the worst possible type of attention from unfriendly lawyers.
Third, every business handles money, usually lots of it that you need to keep safe—otherwise, you won't have any.
↧