Hillary's convenient disruption of good governance

By Avron Welgemoed

Like a train wreck happening in slow motion right in front of us, Hillary has tried desperately to explain the rationale behind adopting convenience ahead of governance.

It’s far easier in today’s information overloaded world to be lured into using the latest technology and Cloud-based applications, for the incredible convenience they provide. Convenience that lets you get to your information from anywhere, anytime, be able to mash it up and merge it to use for completely new purposes. Convenient, easy to use, easy to deploy and most of the time you know that the IT department will probably just not be helpful, take forever or more likely, will just say no.

Hillary’s justification was a simple one, “I didn’t want to carry around multiple devices, so I used one email account for convenience”. That, despite being the Secretary of State for the most powerful nation in the world, was apparently justification enough.

So why is everyone getting het-up over this, she produced copies of 30,000 emails that were work related and deleted the other 31,000 private ones, didn't she? Yes, she did, but this is where the debate about transparency and governance subversion starts, and what she may have unknowingly got herself into. Her desire to find a more convenient way, has proved to be a major disruption of very significant governance fundamentals that very few businesses could justifiably get away with.

In return for that convenience, she may have inadvertently sacrificed crucial information controls, managed security and management scrutiny. How did she deal with classified information, control access or ensure complete records?

What about classified information? Although she denies it, in a position like hers, dealing with State Department staff and foreign officials, it is unlikely that there was not a fair amount of classified or privileged information being exchanged.

In our real business world, there is always a large proportion of information that contains commercially confidential advantage and cannot be shared outside of the business and often only shared in a limited capacity internally. Putting that information outside of a business’s systems means that despite the new found convenience, those classifications are probably meaningless and unenforceable.

Who else has had access to this? Hillary may need to prove that nobody else was able to gain access to her sensitive email, either with or without her knowledge. She asserts that her private mail server remained secured, but email is vulnerable to attacks, through spoofing, being read in transit or the email server hacked.

Back in the real world, putting business files or email into systems outside your control also means you may not be able to control who actually gets access to that information. It could be somebody you previously shared files with, that you’ve since forgotten has access. It could equally be the staff of the Cloud services business you use, with their administrator rights that happen upon your useful information.

Is that everything, or is something missing? As Hillary separated her information from the State Department’s oversight, she may have without knowing, placed the onus entirely on herself now to prove that she can produce a complete record of her interactions in her role. She says she has, but even with those 30,000 emails she has produced, questions will remain as to whether that is the complete set, what may be missing or whether there has been any deliberate tampering or deletion of anything incriminating.

If this was in our real business world, defending any business action with incomplete information records such as, timelines, order of events or approvals, would mean exposing the business to all kinds of risks. It becomes easy to make baseless assumptions, draw bizarre conclusions or just assume the worst... and people will.

For a business having to defend any action through litigation, there is nothing worse than finding you only have a small portion of the records available. How do you apply a legal hold and discovery when you can’t know where or what information may have been squirreled away, and have no control of any of those systems?

Hillary's saga is far from being complete, but all the way through it will illustrate many of the lessons we should all be learning from.

Take a look at your business. Where do your staff store their documents, or forward their email? How can you be sure?

Avron Welgemoed is an executive with Iron Mountain Australia