Looking back at 2016: Can Hillary’s emails teach us anything?
by Andy Cobb, PhD, CCE
While many cases that affected the practice of electronic discovery popped up in 2016, no eDiscovery topic got more attention or had more impact than the Hillary Clinton email server saga. Are there some lessons we can all take away from the Hillary email debacle? Yes. But before we discuss those lessons, let’s refresh our memories on what happened during the Clinton email debacle according to the USA Today’s summary:
March 2, 2015: The New York Times reports that Hillary Clinton used a private email server while serving as Secretary of State.
March 10, 2015: Clinton defends her use of a private server, saying it was for “convenience” so she could use a single device for personal and business use. “Looking back, it would have been better for me to use two separate phones and two separate e-mail accounts,” she said. “I thought using one device would be simpler. Obviously, it hasn’t worked out that way.”
July 24, 2015: The inspectors general at the State Department and Director of National Intelligence ask the Justice Department to review whether classified information was compromised in Clinton’s use of private email.
August 2015: A federal official confirms the FBI is investigating.
Aug. 11, 2015: Clinton’s campaign says she has directed that her server be turned over to the Justice Department
May 25, 2016: The inspector general at the State Department issues a report critical of Clinton’s use of private email, saying department policies dating to 2005 require that “normal day-to-day operations” be conducted on government computers.
July 1, 2016: Attorney General Loretta Lynch says she will accept recommendations from the FBI and career prosecutors in the email case in an attempt to dispel criticism of her potential conflict of interest after she met with former president Bill Clinton on a Phoenix tarmac.
July 2, 2016: Clinton is interviewed by the FBI for 3-1/2 hours in Washington, D.C.
July 5, 2016: FBI Director James Comey announces the recommendation not to prosecute Clinton.
October 28, 2016: In a letter to Congress, Comey says the FBI is reviewing new emails related to Clinton’s time as secretary of state, according to a letter sent to eight congressional committee chairmen. The emails are discovered as part of an investigation into Anthony Weiner and were sent or received by Clinton aide Abedin.
November 6, 2016 — Based on a review of the newly discovered emails, Comey tells lawmakers that the agency has not changed its opinion that Clinton should not face criminal charges.
Sifting Through the Talking Points
After all of this, Clinton’s campaign Communications Director, Jen Palmieri said she was “glad this matter is resolved.” Trump, however, pushed back against the announcement: “Right now, she is being protected by a rigged system,” Trump said Sunday night at a rally in Michigan. “It’s a totally rigged system. I’ve been saying it for a long time. You can’t review 650,000 new emails in eight days. You can’t do it, folks.”
Actually you can – easily. And you can do it in a matter of a couple of days. It’s a matter of filtering emails by metadata (fields such as: to, from, dates, etc.). 650,000 emails become a few hundred with some smart filtering and maybe some keyword searching. Which brings us to Comey, who said the email review wouldn’t be complete until after the election. This is what we call managing expectation in our industry.
What Can we Take Away from how this played out?
From an information governance and Ediscovery perspective, Clinton’s use of a personal server to send State Department messages, some of which were at some point deemed classified, was clearly a mistake. One must keep in mind that the records/emails policies of the state department were fluid from 2000 through 2014, when they were strengthened. We’ve seen this same tightening of records retention policies in the private sector over the past decade, with the appending of the Federal Rules of Civil procedure and court decisions. Clearly she didn’t err on the side of caution, which is always the best policy. Our advice would have been to keep the email sets entirely separate – separate email accounts, separate physical server, separate service provider, separate location. Notice the emphasis on separate. There is a lesson here for all of us: keep professional and personal emails separate. At the very least, in the event of an inquiry, this practice prevents the work of having to sort out which emails are professional and which ones are personal.
BYOD and Hillary
If there was one trend that emerged in 2016 for which Clinton’s personal/State Department emails were a metaphor, and a serious topic that will remain a concern for information governance past 2016, it’s the critical importance of BYOD (Bring-Your-Own-Device) policies. These policies are designed to address issues related to an organization’s data being stored on devices that are owned by employees or associates, rather than being owned by the organization. Even though an individual may have two different email addresses, they may still have one device in a BYOD-friendly environment. So a client using their own personal device for professional and personal communication can, at the very least, complicate discovery.
For example, say a client sends you, their attorney, a question via text and a privileged conversation ensues. The following week, opposing counsel issues a discovery request for client’s phone because they believe there are relevant, non-privileged communications relating to the legal matter at hand. Now you must take the extra step (and the client must incur the extra cost) of reviewing the information on the phone since you knew there were protected text messages and possible emails, before other information is turned over.
The key, as was missing with Clinton’s handling of her emails, is to have in place, and follow, good records retention and BYOD policies outlining how communications should be preserved and managed. Ideally, IT (Information Technology) and the legal department should collaborate on policies for the security of corporate data (and devices that data could be transferred to/ accessed from). Specifically, policies that contain the following elements can make a big difference:
-Restrictions on usage of devices on unsecure networks, which can be common attack venues for hackers
-Encryption of sensitive corporate data should be implemented to prevent access by those other than the end-user and/or select IT staff
-Regular audits of the system to ensure securities are in place and effective
-The capability to remotely wipe a lost or stolen device
Additionally, from a legal standpoint there are certain guidelines that can prevent lawsuits arising from an employee’s loss of data. Some of those measures can be captured in an agreement signed between the employer and each employee with elements such as:
-Acknowledgement by the employee that personal data on BYOD devices is subject to potential exposure during discovery proceedings
-Acknowledgement that the data on the device may be wiped if the device is lost or stolen
-An indemnity clause, stating that while the employer will make efforts to protect employee’s personal data on devices, the employee acknowledges that data placed on the device is at risk of deletion
-Acknowledgement that the employer has the right to audit device(s) upon request
Hillary Clinton’s email server has brought into the public eye the complications of having personal and professional communications in the same location (and may have cost her the election!). Unfortunately, this issue is not limited to presidential candidates; it can have major impacts on individuals everywhere involved in discovery for legal matters.
Andy Cobb is a Partner with One Source Discovery, a full-service eDiscovery firm, and is the creator of the patent-pending BlackBox remote forensic collection software tool. He has served as a consultant on eDiscovery matters, provided expert testimony on various computer forensics matters and published numerous technology journal articles.