In my last post I looked at the Clinton email scandal from the State Department’s point of view. It’s equally worthwhile to look at it from Clinton’s point of view. That’s what we’ll do today.
In addition to the facts that I bulleted yesterday, there’s one central point that needs to be added: Clinton wanted some email to remain private and unavailable to others. Her version of it is that this notion applied to her private email, and not to any public business. Her detractors argue that she was trying to hide improprieties in her public business instead. Whichever of these is the case is immaterial for purposes of this discussion. The central fact is that she wanted to keep something private and unavailable, and from her perspective, the State Department email system was the weak link. So, she took the weak link out of the loop by creating an email system that was controlled directly by her and her subordinates, rather than the bureaucracy of the Federal Government.
From a professional perspective, and leaving aside the questions of motive, it’s a case of a very aggressively conceived and very aggressively implemented records and information governance (or simply information governance) policy. And it has all of the basic concepts of an information governance policy and procedure embedded in it: a strategic goal, a plan to implement that goal, the acquisition, implementation and configuration of technology to implement that goal, and one or more repositories that wound up being subject to the overall strategy and process. Classic information governance.
The retention of the server upon which the emails resided after Clinton left Government service is likewise part of that information governance policy. So too is the deletion of emails selected by Clinton and her staff prior to returning the server to the government, and wiping the server. These are all tactics that are, analytically speaking, part of a standard information policy and process. Keeping one’s records secure, and then securely destroying them upon expiry of their retention period is again classic information governance.
The Generally Accepted Recordkeeping Principles
So how does she score on the GARP (AKA “The Principles”®) maturity model? Let’s see:
Accountability: An organization shall assign a senior executive who will oversee a record-keeping program and delegate program responsibility to appropriate individuals, adopt policies and procedures to guide personnel and ensure program auditability.
Clinton probably gets a 4 or 5 here. Her program was certainly overseen by a senior executive, and she was certainly careful in delegating responsibilities to trusted subordinates, and they all rode herd on the thing pretty carefully, so she gets top marks for accountability.
Integrity: a record-keeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.
Here again, Clinton probably gets a 4 or 5. As near as we can all tell, the thing was managed pretty tightly, and was obviously heavily relied upon by Clinton and her staff, so reliability and authenticity were key.
Protection: a record-keeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret or essential to business continuity.
Now we begin to see some of the weaknesses in Clinton’s information governance. We know that the server was hosted by a relatively unsophisticated commercial service, and that her technical staff were by no means world-class experts in data security. We also know that there were hacking attempts on her server, although we don’t know if they were successful or not. All in all, not strong. We have to give her a 2 here.
Compliance: the record-keeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.
This one’s tough. Her score depends on whom you view as the organization. If the organization in question is the State Department, she gets a very poor score – it’s very clear that the whole arrangement violated existing policies and procedures. If, however, you view the organization as Clinton herself, then she gets a higher score, because she had a set of policies she wanted implemented, and she implemented them very aggressively. The other problem here is the Federal Records Act. At the very least, she delayed for several years in turning over any Federal Records found on her server to the appropriate custodians, and at worst, she has deleted some federal records. And then of course there is the question of various levels of confidential information ending up on her server, which also is at least a violation of State Department policy, and may possibly be a violation of law. Best case, she gets a 3. Worst case, a 1.
Availability: an organization shall maintain records in a manner that ensures timely, efficient and accurate retrieval of needed information.
Another tough one. Available to whom? If to Clinton and her staff, a slam-dunk 5. If to anyone else, a 1.
Retention: an organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational and historical requirements.
Again, from Clinton’s standpoint, another easy 5. By her own criteria, she knew what she wanted to keep, and she kept it as long as she felt she needed to keep it. From the State Department’s standpoint, much tougher: since Clinton and her staff decided what to keep and what not to keep without consulting the State Department, it’s really tough for them to determine whether the choices made were appropriate. Let’s give them a 3.
Disposition: an organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies.
Yet another 5 for Clinton. She had a retention and disposition policy and she ruthlessly implemented it. And her version of the implementation of that policy is that she complied with applicable law. From the standpoint of the State Department and other interested parties, the situation is less clear. Again, since Clinton and her staff made the decisions without consultation with other parties, those other parties cannot know whether the appropriate decisions were in fact made. On the other hand, they don’t know that the decisions made weren’t appropriate either. So, we have to give them a 3 again.
Transparency: the processes and activities of an organization’s record-keeping program shall be documented in an understandable manner and be available to all personnel and appropriate interested parties.
No matter how you slice it, Clinton gets poor marks on this one. Although her program was clearly understood by her own personnel, as a matter of law and public policy, “appropriate interested parties” includes a wide array of other people including the Federal Government and all sorts of interested outside parties. That’s what the Freedom of Information Act is all about. We have to give her a 1 here.
Hillary’s GARP (AKA “The Principles”®) Score
So how does she grade out? From Clinton’s perspective, she gets an average score of 3.625 to 3.87 out of 5. Not bad – most organizations would love to achieve a maturity score as high as that. But, clearly there are also some areas where she could have done a much better job. From the State Department’s standpoint, not so good – a 2.5, which is subpar – and, we might observe, right in keeping with the Inspector General’s report. And it could be worse. For the Principles of Accountability and Integrity, we assumed Clinton’s position. Looking at it from the State Department’s position, the scores would be very low for these, dragging down the overall score quite a lot. Give them a 1 on both of these, and their score comes down to a dismal 1.125.
What does all of this teach us? Well, an obvious teaching point that arises out of the disparities in Clinton’s score versus the State Department’s score is that how the value and effectiveness of a program is judged is very much dependent upon what you see as the goals of it, and who you see as the legitimately interested parties. There are widely divergent opinions on both of these, and on the legitimacy of Clinton’s own take on them. And this is true for everyone else: are the legitimately interested parties the Board of Directors? The shareholders? Regulatory agencies? Public interest groups? The public? Some combination of all of them? Every organization has to make these choices, and it can make them in an aggressively self-serving way, or in a way that serves a broad public interest, or anyplace in between. And none is necessarily right or wrong – it really depends upon many factors. And that choice may have consequences down the road, as we are seeing with Hillary Clinton’s email.
There are also compliance issues here that are unavoidable. Clearly, Clinton took a very aggressive stance in her interpretation of State Department policy, the Federal Records Act, secrecy laws and other relevant authority. As of this writing, we do not know whether that interpretation actually violated any laws, but it seems clear at least that it violated State Department policy. So she was skating pretty close to the line. And Clinton is a lawyer, and many of her staff are lawyers, and they all had information security briefings, so it’s hard for her to make a convincing case that they were unaware of this.
All of which brings us to the question of defensibility. At the end of the day, whether it’s defensible disposition or defensible management and retention, the choices you make must be legally defensible. And here, she may have skated too close to the line. It’s unlikely that, at the time she implemented this policy, Clinton anticipated the current set of adverse consequences, which are at the very least severe reputational damage, and at worst might wind up being criminal charges and a conviction. And that is another obvious teaching of this – as a policy becomes more and more aggressive, it gets closer to that line of defensibility. At the time you make the decision, it’s important to understand where that line is, and the consequences of getting close to it. You had better be sure that you understand and are willing to live with the consequences of however closely to the line you choose to skate, otherwise you may fall through the ice. And at that point, as in this case, it’s too late to go back and make a different choice.
Where to Go From Here
How does this work out in terms of practical implementation? Well, The Principles® (GARP) are a pretty good place to start. The maturity model certainly tells you where you need to improve, but then it’s a question of acting upon that information. The weaknesses in Clinton’s program are illustrative of the challenges of acting on that information. Here are a few:
- You need to have experts with unbiased viewpoints in on the decision-making. Clinton had a lot of lawyers in on her decision-making, but it’s probably fair to say that they weren’t unbiased. In fact, there’s evidence in the Inspector General’s report that opinions from unbiased subordinates were suppressed. So all decision makers shared her viewpoints and they shared her agenda, and that probably colored the ultimate decision-making, and thereby the ultimate outcomes. And that was probably a mistake.
- You need the technical expertise to implement your strategy and goals competently. In retrospect, Clinton could have done a much better job on the technical security aspects of her setup, but she could also have used more expert – and unbiased – guidance on the legal and records management aspects of the arrangement. Effective use of that guidance would probably have permitted her to substantially achieve her goals while avoiding much of the downstream fallout that she is currently experiencing.
- If you’re going to take an aggressive stance with respect to the interpretation of guidance, legal authority and policies and procedures, you need to thoroughly consider the justification for that stance early on in the process. Clinton very clearly did not do this, and her subsequent ad hoc and inconsistent justifications for her actions have only sharpened suspicions about her motives. She’s not the only one this has happened to, she’s just the one on the front page.
The bottom line is that any such program needs careful planning, expert implementation and competent professional oversight. Although the issues with Clinton’s email are front and center in the public eye, they are really no different analytically than the issues faced by other organizations that implement governance strategies and processes without thinking them through. And like Clinton, organizations that fail to do these things can and do have problems later.