Digital Detectives

Hillary Clinton’s Emails and the Looming Issue of Shadow IT

“It is very difficult to conceive of a scenario — short of nuclear winter — where an agency would be justified in allowing its cabinet-level head officer to solely use a private email communications channel for the conduct of government business.”
– Jason R. Baron to the New York Times

On March 2nd, 2015, The New York Times published a breaking story about Hillary Clinton, who used a private email account to conduct government business. Due to The Freedom of Information Act, many people questioned whether Clinton acted inconsistently with her federally mandated record keeping obligations. Furthermore, is this a wakeup call for companies and governmental entities who are not controlling shadow IT, the practice of employees using private devices and softwares at work?

In this episode of Digital Detectives, Sharon Nelson and John Simek interview Jason R. Baron, of counsel to Drinker Biddle & Reath, LLP and co-chair of The Information Governance Initiative, about the Hillary Clinton controversy and the future of Shadow IT, BYOD, and information governance.

Topics Include:

  • Federal records collection and keeping policies
  • Unmarked classified information on Clinton’s private server
  • Federal, state, and other public figures using personal email for public purposes
  • Shadow IT and BYOD policies for companies and governmental entities
  • The bigger picture of big data and information governance
  • Whether Clinton’s actions were legal

Jason R. Baron is of counsel to Drinker Biddle & Reath, LLP, practicing in their Information Governance and eDiscovery Group, and is co-chair of The Information Governance Initiative, a think tank and vendor neutral consortium. Previously, he served as director of litigation at the National Archives and Records Administration, and as a trial attorney and senior counsel at the U.S. Department of Justice.

View transcript

Digital Detectives: Hillary Clinton’s Emails and the Looming Issue of Shadow IT – 9/5/2015

 

Advertiser: Welcome to Digital Detectives, reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory, but practical information that you could use in your law practice. Right here on the Legal Talk Network.

 

Sharon D. Nelson: Welcome to the 60th edition of Digital Detectives, we’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises.

 

John W. Simek: And I’m John Simek, vice president of Sensei Enterprises. Today on Digital Detectives, our topic is, Hillary Clinton’s Emails and the Looming Issue of Shadow It. We’re delighted to welcome as today’s guest our friend Jason Baron. Jason R. Baron is of counsel to Drinker Biddle & Reath, LLP, practicing in their Information Governance and eDiscovery Group, and is co-chair of The Information Governance Initiative, a think tank and vendor neutral consortium. Previously, he served as director of litigation at the National Archives and Records Administration, and as a trial attorney and senior counsel at the U.S. Department of Justice. Jason’s many honors include the 2013 Justice Tom C. Clark Outstanding Government Lawyer Award given by the Federal Bar Association. Most recently, in connection with the controversy over Hillary Clinton’s private email account, he has appeared on Good Morning America, the NBC Nightly News, MSNBC’s The Last Word with Lawrence O’Donnell, CNN, NPR’s All Things Considered, and has been quoted in the New York Times, Time Magazine, the Wall Street Journal, Washington Post, and numerous other media outlets. Thanks for joining us today, Jason.

 

Jason R. Baron: Thanks, I’m delighted to be back.

 

Sharon D. Nelson: We’re glad to have you back, Jason. And first and foremost, I think it might be of some interest to our listeners for you to tell us how you were drawn into being quoted in the very first article to break the story about Hillary Clinton’s private email network which was in the New York Times on March 2nd of this year.

 

Jason R. Baron: Well, Sharon, I actually was drawn into it by a call from Michael Schmidt who was the reporter who pinned the first article that broke the story. And he and I were talking off the record the weekend before, but the story broke on a Monday evening and I gave a quote which got me noticed, I guess, because I said that it is difficult to conceive short of nuclear Winter how the state department could allow Ms. Clinton to exclusively use a private serve for the conduct of official business. And that led to my fifteen minutes of fame.

 

Sharon D. Nelson: I think it’s still going on.

 

John W. Simek: Well, Jason, we know that there have been hundreds of articles on the topic, I know I’ve read quite a few of them, I know Sharon has too and I’m sure you have. But from your perspective as an expert on the federal records keeping, what’s your take on whether Ms. Clinton acted inconsistently with her record keeping obligations?

 

Jason R. Baron: Well what I should have said in response to Sharon’s first question is that I had devoted about twenty five years of my career to electronic records, email litigation, white house email. And so it was sort of a natural for New York Times to give me a ring along with other government types. Now I have spent a fair amount of time thinking and writing about what has occurred here. The story is still evolving, but in essence, the first thing is that it is not against government policy to use a private email account like GMail, or Yahoo, or even at the extreme set up a private server although that is highly, highly unusual, especially for a high level official, too. It’s not per say annihilation of the federal records. However, there are obligations on the part of all federal employees, whether you’re a high official or just a regular employee like I was to make sure that if you are communicating in email or other communications and other applications that create federal records that are signed under statute, that are records that are about the transactions of government and government business. You have an obligation to copy them or to move them to an official record keeping system. While it wasn’t per say a violation on the outset, under the records laws – let’s put aside security issues at the moment – there were some obligations going forth and the 2009 NARA recs that were in place during the time that Ms. Clinton was in office, their 36 CFR 1236.22 and they still exist. They say that agencies that allow employees to send and receive official email messages using a system not operated by the agency must ensure – note the word must – that federal records central to systems are preserved with the appropriate agency record keeping system. So to come down any individual to exits office to make sure those messages are appropriately preserved, and the regulation does not presume that that obligation is to be delegated to somebody else just because you sent or received messages that you think might be archived somewhere else or saved by someone else. It’s everyone’s obligation to accept and ensure that their own messages sent or received on a private system get an appropriate record keeping system. The statute was amended after Ms. Clinton left office in 2014 to put a time on this 20 days in effect for doing that. She waited 18 months and eventually did return 30 thousand email messages while deleting 30 thousand others. The messages that she returned mean that she has now acted consistently with the intent of the 2009 recs. She gave back to the government official communication and certainly that’s another good thing. But I think there are some very troubling issues involving access to records under the Freedom Of Information Act while she was at office that there were obstacles for her having set up a private system. And the entire scheme is so highly unusual to raise legitimate questions for the government type like myself. It has nothing to do with partisanship, it has nothing to do with political party. The issue is really good government and what we would expect. And now I have answered that question at length without discussion classified information.

 

Sharon D. Nelson: Well that’s a great segway to my next question which is about the recent hoo-ha about unmarked classified information or maybe classified information that was retroactively marked classified. And that was residing on her server, so I’m a little confused with the recent stories and what they mean. So can you comment on what those stories and how you’re sorting them out?

 

Jason R. Baron: Well I can, although I must say to everyone listening that if I put myself in the S in the subject matter expert category record keeping, I don’t on national security issues. And so while I was a lawyer in government – and I did hold and TS/SCI clearance – we should put a little tab in there. Now the fact is that there are rules and regulations in place for ensuring the security of highly classified information. And whether information is marked or unmarked, it needs to be secure, and not all information that’s classified is marked as classified. So there are legitimate issues about setting up a private server that might not have been cleared by any government IT staff to actually serve as a convulent as sensitive or classified information. Now as it turns out, there are multiple laws here that are pushing the state department to essentially go through a declass exercise involving a number of agencies of government with equities in the substance of the communications that went back and forth on Ms. Clinton’s server. And we have seen reports in the press that at the moment, approximately 300 emails have been identified or flagged as potentially having classified information in them. And that number may change over time as more emails out of the 30 thousand that she gave back are reviewed. So the process is going forward, there are a lot of stories about the FBI getting involved. I think there are serious issues to work through and we will know soon what – hopefully soon – what government agencies I believe may or may not have happened with respect to classified information on that server.

 

John W. Simek: Well Jason, from a lot of the news reports most people know – at least I’ve heard – that Hillary Clinton wasn’t one of the first public figures to use private email for public purposes. But in your view, how widespread was that practice and what are the implications for open government and can you maybe enlighten us a little bit about some of the other famous folks that might have been doing this?

 

Jason R. Baron: Well, it has certainly come to my attention since the first day of the story that others – both in the federal government and in state and local institutions as well as elsewhere – have from time to time used private services to conduct public business. A survey I did before I came in at NAGARA/CoSA in Austin in July showed that many governors including Jeb Bush and others have been involved in communicating by means of a private email account or private services and communicated about official matters. And you can go down the list of governors, there are many that fall into the category of having different times each time done so. There are differences with Ms. Clinton because she was secretary of state and because of the very high level of communication that she’s involved in with the potential of classified information being sent or received. But putting that aside, there is this larger set of public figures that we know. And it’s not just federal and state, it’s also – I was on APR a couple of weeks ago talking about a university chancellor in Illinois who resigned after university business had been conducted on private services. And so what we’re seeing is an emerging phenomenon with really large implications for open government, whether it’s a public university or a state local government or in the federal government. How do we deal with the fact that the Freedom of Information Act is a vehicle for the public right to know about what the government is doing. And if we’re allowing individuals – there are some good arguments for – to use these private services to communicate and they do so for public business. How do we ensure that there is a transparency in openness in the conduct of government? These are vexing issues that we’ve come to before with the ability that we all have. We’ve all been enabled by our CEO and our IT staff to go to the internet from our desktop and from a variety of multiple licenses.

 

Sharon D. Nelson: Well you’ve written before – I think about the emerging phenomenon that you’re talking about is Shadow IT and you were kind enough to send me an article you had written called Beyond BYOD, What Lies In The Shadows? So can you explain to our audience what Shadow IT is all about and the dangers it presents?

 

Jason R. Baron: We’ve been talking about it and I was leaving you the punchline of Shadow IT. So the article that you refer to is in the Ethical Boardroom which is a pretty neat magazine. So if you go to EthicalBoardroom.com, I don’t get any royalties for saying that, but you can take a look at the Summer 2015 edition and my article’s there. The issue is that for a long time, the IT shops in corporations and public, private universities, have controlled for the most part the way we’ve communicated. They set up email that works and we communicated on those government networks with a .gov account or .edu account. What has become very much a phenomenon is everyone or many people having access to such services as GMail or Yahoo or DropBox or Box or Google Docs where various companies make it extremely easy to store information and to share it on a collaborative basis and to communicate. And we’re all familiar in our private lives for doing so. It now seems obvious in retrospect that if you turn on these applications, if you allow a portal to individuals sitting in their offices with their desktop or on mobile devices of all kinds, they’re going to use it. They’re going to communicate the best way they know. In fact, the shiniest new objects sometimes are not the ones that the government gives people but the ones they have in their own hands. So we have an intersection here. I know you’re going to ask about BYOD and Shadow IT. For the Bring Your Own Device policy, your own smartphone or whatever, where you’re both communicating for personal matters as well as corporate business or official business. But on the Shadow IT side, you have all these applications that you are able to access from the desktop as well as from mobile. So it’s not just a BYOD issue, it’s a shadow app issue that I’ve mentioned for a lot of ways that we store documents and communicate. So all of this is not controlled by the IT staff that are sitting in the basement in a Cloud world. The IT staff is less and less controlling of the kind of communications that we all are sending out and receiving. And because of that, there’s some very important issues that we need to confront about what it is that we are allowing people to do and how do we even attempt to govern the situation that we find ourselves in.

 

John W. Simek: Well, before we move onto the next segment, let’s take a quick commercial break.

 

John W. Simek: This is normally the spot in our show where we hear words from our sponsors. This potentially represents a unique opportunity for you. Digital Detectives is seeking sponsors. You can hear your advertisement right here. If you’re interested, contact the team at Legal Talk Network at info@legaltalknetwork.com.

 

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is, Hillary Clinton’s Emails and the Looking Issue of Shadow IT. Our guest is Jason Baron. Jason is of counsel to Drinker Biddle & Reath, LLP, practicing in their Information Governance and eDiscovery Group, and he is also a co-chair of The Information Governance Initiative, a think tank and vendor neutral consortium. So Jason, what recommendations do you have for organizations that are now confronting the fact that their employees are much more than occasionally using what you call Shadow IT applications in practices?

 

Jason R. Baron: One possibility which I think is disfavored is to essentially prohibit individuals from going to the internet. That shuts down the ability to use such services as GMail or Google Docs. I think many institutions could face a mutiny on their hands if they actually attempted to do that. Although in some cases, in some extreme settings, that might be the way to block. But of course, individuals have their own devices and they will invariably find ways around such policies. The first point here is that one needs to step back and develop a robust information governance policy that covers the emergence of Shadow IT in the workplace. And the policy should really address do’s and don’ts when it comes to handling company information about encrypting emails where appropriate, about not uploading confidential company information to public Cloud storage, and a variety of concerns that go to data security and privacy issues. The second is that you need to educate employees that the corporation or the institution, public, private, really does have obligations to some external stakeholders whether it’s because of regulatory compliance issues or because of the Freedom of Information Act clause that demand that official communications be copied or migrated into an official record keeping system. The National Archives read says that for federal employees and their state counterparts. And so employees need to understand that for goodwill, they’re communicating for reasons of efficiency and because they need to for excellency, for whatever reasons that they really do need to take an extra step to make sure that those communications are captured in an official records keeping system. There may be IT solutions that can be put into effect that are there to protect company information. Companies can make devices easier to use so that copying of information can take place. Companies need to look at their policies and periodically reevaluate them to make sure that they’re keeping up with the latest technologies that individuals use. And the one thing in the article that I emphasized is practice what you preach, and I said to the executives in the C-Suite reading this article, “If you won’t do it, they won’t do it.” Use your own Shadow IT practices as a bellwether for what will invest with your company’s culture. I think we all need a senior level of organization to set a good example for everyone else. And those are some ideas and I’m sure listeners may have others. This is, however, not an issue that could be solved with a three page policy statement. It really does take an engagement on the part of the C-Suite to think through what the culture of an organization is and what should work in any particular workplace.

 

John W. Simek: So Jason, how do you see these issues that we’ve been discussing with all the Shadow IT and these rogue employees that are doing all their own thing out there. How does that play against the larger backdrop of information governance?

 

Jason R. Baron: I’m glad you asked that, John. I, as you know, and what you said is that I have the privilege of co chairing something called the Information Governance Initiative, and we – Barclay Blair, Bennett Borden, and others that are associated with this initiative, all of our sponsors – we are trying to engage in a smart dialogue in the space. For example, we had a summit in Chicago for chief information governance officers. And people were carrying business cards with information governance in their titles. And so it seems to us that we need champions for information governance. We need people to step up in institutions, public and private, and say we need policies. We need to look at new technologies that exist, we need to integrate what’s going on in the area of access under the public records laws as well as privacy and security considerations. And essentially take a holistic look at the big data environment we’re in. We’re not just in record settings anymore, we’re in a big data world and we need people to be champions inside of institutions. And so the Information Governance Initiative is pushing the idea of the chief idea officer. It doesn’t need to be that title but somebody needs to step up and perform that function. I’m very proud of the papers we’re pushing out and the dialogue we’re having and we’ll continue to do so with respect to IT issues.

 

Sharon D. Nelson: Jason, I’m going to ask you a couple of quick questions here in a row. The first one is it seems to me that I’ve been hearing about Hillary Clinton and her emails and that server more and more and more and it doesn’t seem like that’s going anywhere. Does this seem to you at least like something that is going to continue to dog her?

 

Jason R. Baron: I don’t have a crystal ball with respect to politics. I do know that I’m personally delighted when I wake up in the morning and I see the Federal Records Act on television in the New York Times. Really, this is a wake up call for the kind of issues that I have been talking about, lecturing about for a couple of decades. And so it’s exciting to hear people talk about the 2009 Regs versus the 2014 amendments and what it all means – at least to some of us. But more seriously, it does function as a call. When leaders of agencies in the federal government see the kind of controversy that email is all about. Controversies can be generated by email. If they hadn’t known before, they certainly know now that these are issues that really need attention. And so while the world is filled with very large problems, one issue for government is sort of making sure that – at least in this country – we have an open government and that we have good practices in place that keeps it in forms of citizenry close to what’s going on in terms of government activities. And so it’s a very important issue for histories to get this right. It’s not just one individual, it’s every executive in government and every employee in government to make sure that we are preserving the records of this nation. So that’s on the public side and it’s a wakeup call for the private sector too, because the Shadow IT practices are not just a public phenomenon, it’s a private corporation phenomenon as well and many are regulated and audited and there are concerns about what can be done off the books with respect to communications networks, so it’s a wakeup call for everyone.

 

Sharon D. Nelson: Let me ask you a followup question to that, and I think that there’s maybe some misunderstanding by the public at large. One of the issues that has come up is the fact that after Ms. Clinton turned over all the emails, she then had her server wiped. As far as I can tell, there’s nothing illegal about wiping that server once all the emails were turned over. Would you agree with that?

 

Jason R. Baron: I’m going to give a lawyerly answer to that which is, it depends. And I think Ms. Clinton has the better of the argument with respect to normal practice, which is that under the 2014 amendments to the Federal Records Act, when you’re communicating on a private system, the official or the employee that has done that in the first instance is expected to move those communications to an appropriate record keeping system. So the entire statutory scheme relies on the good faith of the individuals to make choices as to what’s personal and what’s not. The official would be migrated or copied to a record keeping system and the personal could be left behind and deleted at will. That is the normal case. Now there’s some particular circumstances here that would caution perhaps different answers. And I don’t presume to act as Ms. Clinton’s lawyer, she has very good lawyers in place. But there were a set of circumstances that certainly raised eyebrows given the notoriety of the issues at stake, various subpoenas that may or may not have been out there or anticipated as to whether or not it was a good idea to delete half of the emails in her possession. But I don’t want to step over into a different swimming line here, I really want to keep with what is in the normal course of statute that allows her to have done that. So to answer your question, it is not, per se, illegal. But would I have advised her to do it, that’s a different question. And that we can talk offline about.

 

Sharon D. Nelson: And I do thank you for answering that because as you know, John and I are very animated on the subject of politics and we’re usually on opposing sides of the fence. So you’ve given me dinnertime conversation for tonight. Thank you, Jason.

 

Jason R. Baron: You’re welcome.

 

John W. Simek: Jason, it cracks me up too. You get all excited over the Federal Records Act and Sharon and I get all excited over data breaches and security issues. So I guess each of us needs to get a life here. But tell us a little bit about the Info Gov Conference that’s coming up at the end of September 2015 in Hartford. I think our listeners would like to hear about that.

 

Jason R. Baron: So this year, the Information Governance Initiative is running the Info Gov Con, as we call it, and everyone can go to InfoGovCon.com and take a look. It’s a conference over three days, it’s a half day on September 29th, it’s a whole day on September 30th, and a half day on October 1 in Hartford, Connecticut at the convention center. What Barclay Blair has done is really quite remarkable. He crowdsourced a couple of dozen topics and selected the ones that were most popular and we have been attempting to fill in the spots and get really good speakers. Not just the usual suspects from the ediscovery world, but people who represent data science and other disciplines. All of whom have something to say about information governance, which of course is an umbrella term for a whole variety of not just record keeping, but privacy, security, access, analytics, and the like. So we think we’re going to have a great gathering of people that from across a number of disciplines and we’re excited about having people show up in Hartford. So to everyone listening, please consider coming to this conference. I think it will be a really good experience.

 

Sharon D. Nelson: Well good luck at the conference. Have a ball and thank you again for joining us today, Jason. It’s always wonderful to talk with you and you always have terrific thoughts to share with the audience and this of course has been a burning issue. And the issue of Shadow IT certainly needs a lot more light shed on it. So I thank you for being with us.

 

Jason R. Baron: Thank you Sharon and John.

 

John W. Simek: Well that does it for this edition of Digital Detectives; and remember, you can subscribe to all of the editions of this podcasts at LegalTalkNetwork.com, or in iTunes. if you enjoyed this podcast, please review us on iTunes.

 

Sharon D. Nelson: And you could find out more about Sensei’s digital forensics, technology and security services at www.senseient.com. We’ll see you next time on Digital Detectives.
Advertiser: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on LegalTalkNetwork.com and in iTunes.