http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9015092 By Todd R. Weiss March 29, 2007 Computerworld For official government business, staff members in the Bush White House use government-issued e-mail accounts where all communications are then stored, archived and preserved for eventual inclusion in the National Archives. But for several years, some high-ranking Bush staff members have also apparently been using outside e-mail accounts for nongovernmental, political communications. Those accounts, through the Republican National Committee (RNC) and the 2004 Bush-Cheney re-election campaign, allowed the officials to keep up with both their official and political responsibilities while not violating the Hatch Act. That law forbids many government officials from engaging in political activities from their workplaces. While the focus of those particular incidents is on the White House, the issue is one that should be getting close scrutiny from businesses across the nation, experts said. The concern is that if company communications are being conducted outside official corporate e-mail systems, there's no way to control their security, preservation or use, something that can leave companies vulnerable to a wide variety of legal problems and regulatory compliance issues. In the White House case this week, the House Committee on Oversight and Government Reform sent letters Monday to the chairmen of the RNC and the former Bush-Cheney 2004 campaign committee, asking them to explain more about the use of the outside e-mail accounts. In the letters, Oversight Committee Chairman Henry Waxman (D-Calif.) said his group wants to know what's been done to preserve the contents of the outside e-mail accounts used by government officials for possible review and to assure that "no e-mails involving official White House business have been destroyed or altered. "Congressional investigations have revealed that White House officials have used nongovernmental e-mail accounts, including those maintained by the RNC, to conduct official White House business," the letters said. "The Committee has questions about who has access to these e-mail records and how the RNC protects them from destruction or tampering. The Committee also directs you to preserve all such records because of their potential relevance to congressional investigations. Such e-mails written in the conduct of White House business would appear to be govemmental records subject to preservation and eventual public disclosure." The Oversight Committee first learned of the outside e-mail accounts during investigations of White House contacts with convicted lobbyist Jack Abramoff, which found "that many of the e-mail exchanges between Jack Abramoff and White House officials were conducted via nongovernmental e-mail accounts. In at least one [incoming message to Abramoff], the e-mails indicate that these nonofficial accounts were being used because 'to put this stuff in writing in their [White House] e-mail system might actually limit what they can do to help us.'" Waxman today sent a similar letter to White House Counsel Fred Fielding (download PDF [1]), asking for "information and a briefing regarding the e-mail policies of the White House" next week. White House records fall under the Presidential Records Act of 1978, which was established to govern and manage the collection and use of all presidential records. White House spokesman David Almacy said the outside e-mail accounts were set up to allow legitimate political activities to be conducted by appropriate staff members without using White House accounts, which would be illegal under the Hatch Act. "It was specifically set up that way so that people weren't using their official accounts for political activities," he said. Only certain White House staff members have such outside accounts, including those who regularly communicate with outside political groups, he said. The creation and use of the outside e-mail accounts has been reviewed by White House lawyers, he said. Since 2004, e-mails to and from White House staff members sent through the RNC e-mail system are archived and saved, he said. White House staff members are not able to access other home or other personal e-mail accounts on their work-issued computers because access is blocked, he said. "The reason primarily is presidential records and security. We want to be able to control what people bring onto their [work] computers. From a presidential records perspective, this is something that we take very seriously," Almacy said. The White House e-mail case should be a wake-up call for businesses that face similar situations, said John Alber, a technology lawyer at Bryan Cave LLP in St. Louis. The problem, he said, is that all business communications must be securely archived and stored in the event of lawsuits, government inquiries or other legal scenarios. When such records aren't tightly controlled, any large unsubstantiated gaps in the stored data can mean disaster in court, he said. A major issue is that virtually every business is overwhelmed today by the volume of electronic records and communications, he said. His own law firm is experiencing 60% increases in e-mail storage requirements each year for its 800 attorneys and other staff members. "It is nowadays a de facto document repository," he said of the law firm's Microsoft Exchange server system. "It is often that [some legal documents] only exist in an e-mail repository right now in Exchange," which wasn't designed for the long-term storage and archiving of such documents. "If companies aren't worried about this, they'd better get worried," Alber said. "It's truly important stuff. Everybody has this problem. It's simply because of the way we do business. Almost everybody's behind the curve." Michele Lang, a staff attorney for legal discovery software vendor Kroll Ontrack Inc. in Eden Prairie, Minn., said "there are a whole bunch of lessons" for businesses to take away from the unfolding White House e-mail case. "Corporate America is having this very same problem with employees using [free consumer e-mail accounts from] Google, Yahoo or Hotmail," Lang said. By doing so, those employees are often storing sensitive corporate information with free services that don't have the data security, compliance and archiving that companies should mandate, she said. "That's a scary situation for corporate America. Definitely there are loads of landmines here for the government ... and for corporate America to navigate." [1] http://oversight.house.gov/Documents/20070329130758-87640.pdf _________________________________________ Visit the InfoSec News Security Bookstore http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Thu Mar 29 2007 - 22:47:41 PST