Learn From Hillary Clinton: Stop Using Personal Emails for City Business

April 10, 2015

John Miller, Senior Consultant, Sophicity

This article is posted with permission from Sophicity’s CitySmart blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. Sophicity is solely responsible for the article’s content.
This article originally appeared on Sophicity's CitySmart blog.

Whatever your politics, personal, non-government, or poorly overseen government email accounts have plagued Hillary Clinton, Sarah Palin, George W. Bush, and many government entities such as the IRS, the Environmental Protection Agency, states, and municipalities. The root cause of many of these tortuously complex scandals and investigations is simple: Using personal email accounts instead of a government email account.

Just look at what happens when someone wants to access those emails. You may like or dislike Hillary Clinton, but it’s objectively a problem when she cannot easily produce information related to her role as a government employee. Plus, the risks of using personal email go beyond transparency. If your IT staff or vendor isn’t managing your email, who is? Your free email provider? Are they providing the right level of antispam, or backing up your emails? Not a chance.

It’s clear that open records laws and the push for transparency makes it less and less excusable to use personal email accounts for city business. If you’re still using personal email accounts at your city, ask yourself the following questions.
  1. Do you want to expose you or your employees’ personal email to open records requests? As Hillary Clinton said, she definitely doesn’t want to reveal her personal emails to the world—and she said that we can all understand that. Unfortunately, that’s not something auditors understand. That’s why she is receiving pressure to hand over her personal email server to a third party auditor to decide what’s personal and what’s business. Similarly, a third party auditor would have an absolute right to look at personal emails from city employees if an open records request required it.
  2. Do you want to spend excessive time and money processing open records requests for personal emails? Because personal email is not centralized and managed by your city, the time it takes to track down city emails from personal email accounts starts to exponentially increase. You might be out thousands of dollars in time and expenses tracking down and handing over the right information. It’s much easier to find and retrieve emails from a centralized city email server that only contains information related to city business.
  3. Do you want to increase the risk of your emails being hacked or increase your exposure to a virus? Personal email accounts are usually free email accounts. That means no one is managing them or ensuring that the proper antispam, encryption, and archiving policies and precautions are in place. While antispam measures have gotten better on free email accounts over the years, they are still not at the level of business-class email services. Using a personal email account opens up too many security risks from weak passwords to users clicking on a malicious email attachment by accident.
  4. Do you want to lose your email data when you are required to keep it? Several scenarios open you up to the risk of data loss related to personal email.
    • Your personal email is not part of your city’s data backup and disaster recovery data, and thus it’s not recoverable in case of data loss.
    • If an employee leaves, it becomes almost impossible and logistically thorny to make them hand over all of their information. You don’t have access to the email account, so what do you do? Ask them to forward 5,000 city business emails to you after they have been terminated? You might be able to get the information, but it’ll be ugly and likely incomplete.
    • Deleting a personal email account is 100% in the hands of the employee, not you. It should be the other way around. Only the city should have the power to activate and deactivate business-related email accounts
  5. Do you want an easy way to lock down email while still using mobile devices? One thing Hillary Clinton complained about was having to use two devices if she was to separately use her government email account and her personal email account. Today, cloud email allows you to use business-class email for your city, lock down that email for authorized users only, and allow people to access it with any device. So, if one of your elected officials complained about the annoyance of using two devices, let them know they can use one device. On that one device, they can easily access two different email accounts that keep their business and personal email separate—without having to use two devices.
If you feel behind the technology curve on email, you’re not alone. If people at Hillary Clinton’s level are wrestling with it, then it’s understandable that many other government entities are too. But now is the time to act. Auditors, lawyers, and the public are becoming less forgiving when public officials cannot provide emails about something critical to the public interest. Business-class email allows you to easily respond to open records requests instead of losing emails in the murk of personal accounts, and it ensures that employees cannot delete or misplace critical information.

Back to Listing