By Jason R. Baron, Of Counsel at Drinker, Biddle & Reath LLP and Co-chair of the Information Governance Initiative
Ralph Losey threw down the gauntlet to the US government in his Ethical Boardroom commentary in 2015.¹
He said that the email system the US government provides its employees is “archaic”, that it is a “national disgrace” and that it is an “insecure, outdated piece of junk”. He went on to make a broader policy point that, in his view, “the reality is that Hillary Clinton has simply done what every other CEO and employee in the US does on a daily basis” by “ignoring the arcane records rules that supposedly govern email use”.
As someone who spent 33 years as a lawyer in the US government – a good portion of which were spent defending the White House and the archivist of the United States in waves of litigation involving email records and in developing electronic recordkeeping policies – I feel compelled to comment on Ralph’s negative perspective on the state of the US government’s email recordkeeping. In light of the excellent initiatives that are going on in public sector space, the glass really should be seen as at least half-full. And there is an important takeaway for the corporate C-suite.
Lest the reader be confused, I am certainly not an apologist for any individual’s or agency’s practices with regard to email. In the very first New York Times story on 3 March 2015 that broke the news on Mrs Clinton’s use of a private email server, I was quoted as saying: “It is very difficult to conceive of a scenario – short of nuclear winter – where an agency would be justified in allowing its cabinet-level head officer to solely use a private email communications channel for the conduct of government business.”
Unlike in the private sector, the US government does have numerous legal requirements that employees need to adhere to, including not only with respect to the Federal Records Act, but also due to the need for strict adherence to the rules for handling classified records on secure communications networks. And the fact that every network in the world faces the danger of being breached does not itself provide a sufficient justification for ignoring special rules in place for government communications.
However, it is also certainly the case that many employees at all levels of organisations increasingly find themselves empowered to use ‘shadow IT’ applications – commercial email, storage platforms for documents, and the like, that are not controlled by a traditional IT department. Although it is exceedingly rare for a government employee to install a private email network in their home to set up a unique email address, it is indeed commonplace for all of us to treat every internet-enabled device in our possession (be it a smartphone, laptop, or a traditional PC at the office) as capable of sending and receiving both personal and official communications.
Recognising shadow IT
The Congress of the United States recognised the problem of shadow IT (at least in part) by amending the Federal Records Act in 2014 to require that where officials or employees employed by a federal agency send electronic messages about official business on a private commercial network, they must copy the messages to a government (.gov) account, or transfer the messages to such an account within 20 days (Title 44, U.S. Code, Section 2911).
As for the official email systems used by federal agencies, the IT infrastructure is not generally archaic, as such – the US government uses such proprietary services as Microsoft Exchange, Outlook and SharePoint, and Gmail for business. Rather, the problem at hand has been legacy policies that up until recently have allowed email records appropriate for longer-term preservation to be preserved in hard copy form, essentially in traditional file cabinets. This is all now changing rapidly.
In November 2011, President Obama issued a memorandum to all executive branch agencies, which compelled the government to move towards automated solutions in the recordkeeping space, including in the cloud. Email was specially mentioned as problematic. Following on, the archivist of the US, David Ferriero, issued a memorandum in August 2012 known as the Managing Government Records Directive, containing a comprehensive set of policy initiatives aimed at advancing the cause of federal sector e-recordkeeping.
In particular, the directive requires that by 31 December 2016, federal agencies will manage all of their email records in an accessible format. In other words, email records will be required to be retained in an appropriate electronic system that supports records management. The archivist of the US has further developed a new ‘Capstone policy’ for email, which agencies are free to adopt, that will ensure that all email from designated senior Capstone officials will be preserved in email archives as permanent records of the United States. All other employees at a Capstone-compliant agency will have their substantive emails saved for at least seven years. If successfully implemented, hundreds of federal agencies will be capturing email in an electronic format (rather than relying on ad hoc print to paper regimes) and those emails will be available to the American public through the US Freedom of Information Act.
The archivist’s directive even more ambitiously states that federal agencies are required by 31 December 2019 to preserve all records – not just email – appraised as ‘permanent’ and created after that date in a digital format, for eventual accessioning in the US National Archives.
These are transformative policies for public sector recordkeeping. Especially with respect to email, these policies will dramatically reduce the burden on individual employees to meet their compliance obligations with the records laws – which is at the very heart of Mr Losey’s complaint that the rules governing compliance are still hopelessly archaic.
Indeed, the US federal government has recognised in policy a key insight that points to a flaw in many types of private sector governance schemes, namely that spending time on policies and technology that rely on individual employees to be trained in performing manual operations to comply with recordkeeping requirements is increasingly a recipe for disaster. Corporate leaders in the C-suite owe it to their organisations to seriously confront the fact that their institutions face massive risk in continuing to adhere to increasingly antiquated recordkeeping and compliance policies that place the burden on individual employees ‘to do the right thing’.
Thought leadership in this area demands that institutions in both the private and public sectors make the prospect of compliance easier by employing automated solutions to manage, preserve and classify information. The US government deserves some measure of respect that it is finally charting a smart information governance path forward for hundreds of thousands of employees. While not as headline grabbing as the Hillary Clinton controversy, it is an important development nonetheless with lessons for all.
About the Author:
Jason R. Baron is Of Counsel in the Information Governance and eDiscovery Group at Drinker Biddle & Reath, LLP, and serves as Co-Chair of The Information Governance Initiative. Jason is an author of scholarly research on the law of information retrieval, and is a frequent keynote speaker in international forums on the subject of e-discovery and e-recordkeeping. In 2011 he was honored as the recipient of the international Emmett Leahy Award, for career contributions in records and information management.
¹ The Hillary Clinton email scandal: An eDiscovery lawyer’s perspective, Ethical Boardroom, Summer 2015
² J.R. Baron & A. Marcos, Beyond BYOD: What Lies in the IT Shadows, Ethical Boardroom, Summer 2015