Early this month, the New York Times broke the story that Hillary Clinton exclusively used personal email for work purposes during her tenure as President Obama's Secretary of State. This practice was in potential contravention of federal recordkeeping laws, as well as information security best practices.
It later emerged that Clinton hosted her personal email account and associated domain (clintonemail.com) on her own private server at her Chappaqua, N.Y., residence. Other government officials, as well as Clinton's daughter Chelsea, also had their own email accounts hosted on this server.
Potential political and legal fallout aside, the clintonemail.com saga highlights a problem all too common in the enterprise -- the use of personal email for business purposes.
"This is a wake-up call for all executives to realize the sensitivity and trappings of corresponding in electronic environments," said John Isaza, head of the information governance and records-management practice at California law firm Rimon, in an email interview with InformationWeek. "Working from personal email accounts is much more common than pundits would think." So-called Shadow IT, the use of tools, services and accounts that the organization has not sanctioned and does not control, was a growing problem in the enterprise long before the New York Times story broke.
"Imagine if Gmail gets hacked. Imagine all the confidential business information on Gmail," Sean Mahoney, a partner at K&L Gates, told attendees at the NRS Technology and Communication Compliance Forum in Boston in November 2014. "We're all kind of guilty of this … If Gmail gets hacked, it's a sorry day for the US, I think -- a sorry day for the world."
(Gmail is not the only game out there for hackers, of course. Longtime Clinton adviser Sidney Blumenthal had his AOL account hacked two years ago, resulting in leaks of sensitive Benghazi-related email correspondences between Blumenthal and Clinton.)
Isaza told InformationWeek that the shadow cast by Shadow IT can often be inadvertent.
"It is easy to respond [to an email] from a portable device … without realizing it is going out from a personal account," said Isaza. "Presumably, the [organization's] BYOD policy will stress that personal email accounts are never to be used [for] business. Unfortunately, in practicality this can be a challenge. When a device has multiple accounts attached to it, one can easily foresee the user erroneously sending a work-related email from a personal account. Once that happens, the recipients may reply to all, and the stage is set for a breach in the BYOD protocol."
Unfortunately, there is only so much that organizations can do to police this sort of thing. Employers generally cannot monitor an employee's personal email account itself without potentially violating electronic privacy laws such as the US Stored Communications Act (part of the Electronic Communications Privacy Act). What they can monitor is their own side of the exchange: mail passing through the corporate domain and devices enrolled in corporate management, which is where a work thread that has drifted onto a personal account first becomes visible.
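The failure mode Isaza describes (a reply goes out from the wrong account on a multi-account device, then a reply-all keeps the personal address in the thread) leaves a recognizable trace in the organization's own mail: a corporate address and a consumer-webmail address appearing together in the same message. The following script is an added example, not code from the article or from either of the firms quoted; it scans RFC 5322 messages for that pattern and groups findings by thread. The corporate and personal domain lists, and the four sample messages, are constructed assumptions; in practice the input would be the organization's own message store or journaling mailbox, which stays within the boundary described above.

```python
"""Flag business email threads that have drifted onto personal webmail accounts.

Assumptions (not from the article): the organization owns example.com, and the
listed consumer domains are treated as "personal". Sample messages are constructed.
"""
import email
from email.utils import getaddresses

CORPORATE_DOMAINS = {"example.com"}                                   # assumption
PERSONAL_DOMAINS = {"gmail.com", "aol.com", "yahoo.com", "outlook.com"}  # assumption


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _addresses(msg):
    """Return (senders, recipients) as lowercase bare addresses."""
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    rcpts = [a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return senders, rcpts


def thread_root(msg) -> str:
    """Identify the thread by its oldest ancestor (References, then In-Reply-To, then self)."""
    refs = msg.get("References")
    if refs:
        return refs.split()[0]
    return (msg.get("In-Reply-To") or msg.get("Message-ID") or "").strip()


def classify(msg):
    """Return a finding dict when corporate and personal addresses share a message, else None."""
    senders, rcpts = _addresses(msg)
    everyone = senders + rcpts
    corp = {a for a in everyone if _domain(a) in CORPORATE_DOMAINS}
    personal = {a for a in everyone if _domain(a) in PERSONAL_DOMAINS}
    if not corp or not personal:
        return None  # purely internal, or no personal webmail involved: not this pattern
    sender = senders[0] if senders else ""
    if _domain(sender) in PERSONAL_DOMAINS:
        reason = "sent from personal account into a business thread"
    else:
        reason = "corporate sender copying a personal account (reply-all leakage)"
    return {
        "message_id": msg.get("Message-ID", "").strip(),
        "thread": thread_root(msg),
        "sender": sender,
        "personal_addresses": sorted(personal),
        "reason": reason,
    }


def scan(raw_messages):
    """Parse each raw message and collect findings in input order."""
    findings = []
    for raw in raw_messages:
        finding = classify(email.message_from_string(raw))
        if finding:
            findings.append(finding)
    return findings


def findings_by_thread(findings):
    """Count flagged messages per thread root; a count above one shows the address lingering."""
    counts = {}
    for f in findings:
        counts[f["thread"]] = counts.get(f["thread"], 0) + 1
    return counts


# Constructed sample thread: internal mail, a reply from the wrong account, a reply-all.
SAMPLE_MESSAGES = [
    "From: Alice <alice@example.com>\nTo: bob@example.com\n"
    "Subject: Q3 budget\nMessage-ID: <1@example.com>\n\nDraft attached.\n",
    "From: Bob <bob.personal@gmail.com>\nTo: alice@example.com\n"
    "Subject: Re: Q3 budget\nMessage-ID: <2@gmail.com>\n"
    "In-Reply-To: <1@example.com>\nReferences: <1@example.com>\n\nLooks fine.\n",
    "From: Alice <alice@example.com>\nTo: bob.personal@gmail.com\nCc: carol@example.com\n"
    "Subject: Re: Q3 budget\nMessage-ID: <3@example.com>\n"
    "In-Reply-To: <2@gmail.com>\nReferences: <1@example.com> <2@gmail.com>\n\nAdding Carol.\n",
    "From: vendor@partner.net\nTo: alice@example.com\n"
    "Subject: Invoice\nMessage-ID: <4@partner.net>\n\nSee attached.\n",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGES):
        print(f["message_id"], f["sender"], f["reason"], f["personal_addresses"])
    print(findings_by_thread(scan(SAMPLE_MESSAGES)))
```

The first message is purely internal and the fourth involves an ordinary external partner, so neither is flagged; the second is flagged because the reply came from a webmail account, and the third because the corporate reply-all kept that account in the recipients. Both findings share the thread root `<1@example.com>`, which is what an analyst would use to trace how far the thread travelled after the first slip.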
Still, Isaza emphasized the importance of having in place a comprehensive BYOD policy (or anti-BYOD policy, as the case may be) for compliance purposes.
"Key areas to cover include guidance on acceptable uses of personal devices to transact official business, including instructions on distinguishing personal email account usage from official business accounts, [and] a section on risks, liabilities and disclaimers to help protect the organization against the employee misuse of the device," said Isaza. "Armed with the BYOD policy, other organizational documents … could get into the specifics of training and auditing the policy for compliance, as well as the frequency for these [audits]."
In his NRS presentation, Mahoney pointed out that vendors and other third parties with which an organization works should be surveyed for compliance with the organization's own policy, and that the policy should be built into those third parties' contractual requirements.
Equally important may be fostering a corporate environment in which employees don't have to panic about how they will access their documents and complete their work (e.g., "There's a giant storm coming! How am I gonna get this project done?" as Mahoney put it). Effective cloud deployments can help here by giving employees a sanctioned route that is as convenient as the personal account they would otherwise reach for.
With Shadow IT instances occurring at the highest levels of government, the threats of the phenomenon to the enterprise are clearly not going away anytime soon. "This is a reality and a change management gap that companies need to address," said Isaza. "Ultimately, it is about security of the data and communications."