Though she may have broken no laws, Hillary Clinton acted irresponsibly in using a personal email account to conduct official U.S. government business in her capacity as secretary of State.
And besides that, it’s messy when you mix business things with personal things.
Years back, as I was leaving a job to launch a company, a wise business attorney counseled me to “leave naked.” He was telling me to leave all company property with the company and keep my own belongings for myself. Of course, I did just that. It makes good sense, after all. But that can be difficult when you’ve inextricably mixed your business and your personal lives together.
To avoid that sort of mixing, I’ve had my own email domain for nearly two decades and a separate email identity for business matters. I do my best to keep a wall between those two worlds whenever possible. Clinton is discovering the wisdom of that attorney’s advice, the hard way.
On one level, I can sympathize with Clinton. Many of us prefer to use our own computers and network services instead of what can be bloated and awkward corporate email services. I’ve certainly found my own systems to be vastly more reliable for my own purposes.
It has become a common practice for people to use their webmail addresses for both personal and business purposes. It’s just a lot easier to check all your email in one place, and services like Gmail are fast, easy and really good at filtering out spam. But when you let things get mixed together like that, you’re asking for trouble.
Who owns emails sent in the course of conducting business for a company? The company does, even when those emails reside outside of corporate systems. Corporate systems are subject to backup, and incoming emails are scanned for malware. External email services like Gmail do the same things, but do they do them to your company’s specifications? Where do the backups reside — in what jurisdiction?
Things are even trickier if your company is involved in a lawsuit. During the discovery phase, opposing counsel may try to include your personal webmail accounts within the scope of any subpoenas. If that happens, how do you protect your privacy? Your personal emails are in the same bucket with your company emails. Maybe no one will read them, but how can you be sure?
You might think you can just delete all the truly embarrassing stuff. Sorry, but many webmail services don’t actually delete emails you put in the trash can. They archive them, and those emails can get resurrected.
So do yourself a favor and use your company’s corporate email system for anything related to work, and use your personal email identity for everything else. By isolating those two worlds from each other, not only are you acting in the best interest of the company by safeguarding its intellectual property, but you’re also acting in your own best interest by safeguarding your own privacy.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
This story, "Don’t get into an email mess," was originally published by Computerworld.