Hillary Clinton’s email server news is a warning to all of us in the public sector to think about how we use email and protect confidential information in our agencies.
Although we may not be setting up personal servers for our agency email, we may put our careers or our agencies at risk in other ways. After almost 40 years in the internal audit profession, I’ve personally seen careers come to an end, secrets exposed through the media, and agencies put through significant public scrutiny due to information exposed from electronic communication.
First, as an internal auditor in the public sector, always be cognizant that every time you or anyone in your agency sends an email, you are creating a permanent record. Always keep in mind that the Freedom of Information Act (FOIA) ensures that this record can be accessed by parties who may not take your casual comments in the appropriate context or give you the benefit of the doubt for what you were truly trying to express.
I can recall reading a front-page news story about a law enforcement officer who arrested an underage young lady in a convenience store parking lot, thinking she had purchased beer, but it was actually canned water. Within the agency, there was a lot of email related to the incident, and those records were ultimately requested under FOIA as well as through the legal discovery process in court proceedings. In their email, agency leaders openly discussed employees who were involved with the incident, including commentary such as, “That idiot did it again.” In the court of law—and the court of public opinion—this was a disaster.
In addition to the risk of public exposure, email is shared so quickly and easily that your words can fall into unintended hands without any help from the FOIA. Earlier in my career, I received an email from an external state auditor that said something disparaging about my boss. I sent a quick, nebulous reply to everyone on the email string, which inadvertently included my boss in the process. He came storming into my office, and I had to desperately explain context, etc. etc. I learned a valuable lesson about what I should put in writing and to ensure utmost care in who is included on the distribution list.
The bottom line is that we are often too nonchalant about our email. We share opinions that shouldn’t be written; they should be private thoughts or private conversations. Always remember you are creating a permanent record, and always ask yourself: is this something everyone should see?
In your annual risk assessment and audit planning, have you evaluated your organization’s potential exposure related to email? Issues to consider include:
- Does your organization have a policy about email? Is it up-to-date?
- What are the guidelines for appropriate email communication?
- Have you ever tested compliance with the policy?
- How are staff made aware of this policy? Staff meetings? Annual policy reviews?
- Is your internal audit function following the policy?
The second lesson from Clinton’s email saga is that technology puts confidential information at risk—internally and externally. When Clinton used an email server outside of the government firewall, the information in her email was vulnerable to hackers. Even if your agency is not dealing in state secrets, the staff probably has access to personal information about clients, customers, and competitors, as well as confidential reports, etc. How easy would it be for someone to send an email attachment that may fall into the wrong hands? Even if there were no intention of breaching security, a leak could happen anyway.
During your audits, think about asking:
- Are the confidentiality policies of our organization being followed?
- How is confidential information shared with third parties outside of the agency?
- Who should have access to confidential information?
- Are appropriate controls in place about how staff members access confidential information?
- Are we appropriately classifying what is confidential and what should be made available for public consumption?
In conclusion, we will hear about Clinton’s email server for many months to come, so every time we see another news story, let’s use it as a reminder to handle email and confidential information wisely.
About the Author
John Wszelaki, CIA, CRMA, CFE, is the director of the American Center for Government Auditing. Before joining The IIA in early 2016, Wszelaki was director of internal audit at the State of Virginia’s Department of Alcoholic Beverage Control for nearly 17 years and, previously, managing auditor at American Greetings Corp. for nearly 22 years.
An active IIA volunteer for more than 20 years, Wszelaki has served in an array of leadership capacities, including as chairman of the North American Board (2014-15); chair of the North American Chapter Relations Committee; member of the North American and global boards; president and member of the board of governors of The IIA’s Central Virginia chapter; and district representative and adviser.