From: InfoSec News (alertsinfosecnews.org)
Date: Fri Mar 30 2007 - 01:36:55 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9015092

By Todd R. Weiss
March 29, 2007
Computerworld

For official government business, staff members in the Bush White House
use government-issued e-mail accounts where all communications are then
stored, archived and preserved for eventual inclusion in the National
Archives.

But for several years, some high-ranking Bush staff members have also
apparently been using outside e-mail accounts for nongovernmental,
political communications. Those accounts, through the Republican
National Committee (RNC) and the 2004 Bush-Cheney re-election campaign,
allowed the officials to keep up with both their official and political
responsibilities while not violating the Hatch Act. That law forbids
many government officials from engaging in political activities from
their workplaces.

While the focus of those particular incidents is on the White House, the
issue is one that should be getting close scrutiny from businesses
across the nation, experts said.

The concern is that if company communications are being conducted
outside official corporate e-mail systems, there's no way to control
their security, preservation or use, something that can leave companies
vulnerable to a wide variety of legal problems and regulatory compliance
issues.

In the White House case this week, the House Committee on Oversight and
Government Reform sent letters Monday to the chairmen of the RNC and the
former Bush-Cheney 2004 campaign committee, asking them to explain more
about the use of the outside e-mail accounts. In the letters, Oversight
Committee Chairman Henry Waxman (D-Calif.) said his group wants to know
what's been done to preserve the contents of the outside e-mail accounts
used by government officials for possible review and to assure that "no
e-mails involving official White House business have been destroyed or
altered.

"Congressional investigations have revealed that White House officials
have used nongovernmental e-mail accounts, including those maintained by
the RNC, to conduct official White House business," the letters said.
"The Committee has questions about who has access to these e-mail
records and how the RNC protects them from destruction or tampering. The
Committee also directs you to preserve all such records because of their
potential relevance to congressional investigations. Such e-mails
written in the conduct of White House business would appear to be
govemmental records subject to preservation and eventual public
disclosure."

The Oversight Committee first learned of the outside e-mail accounts
during investigations of White House contacts with convicted lobbyist
Jack Abramoff, which found "that many of the e-mail exchanges between
Jack Abramoff and White House officials were conducted via
nongovernmental e-mail accounts. In at least one [incoming message to
Abramoff], the e-mails indicate that these nonofficial accounts were
being used because 'to put this stuff in writing in their [White House]
e-mail system might actually limit what they can do to help us.'"

Waxman today sent a similar letter to White House Counsel Fred Fielding
(download PDF [1]), asking for "information and a briefing regarding the
e-mail policies of the White House" next week.

White House records fall under the Presidential Records Act of 1978,
which was established to govern and manage the collection and use of all
presidential records.

White House spokesman David Almacy said the outside e-mail accounts were
set up to allow legitimate political activities to be conducted by
appropriate staff members without using White House accounts, which
would be illegal under the Hatch Act. "It was specifically set up that
way so that people weren't using their official accounts for political
activities," he said. Only certain White House staff members have such
outside accounts, including those who regularly communicate with outside
political groups, he said.

The creation and use of the outside e-mail accounts has been reviewed by
White House lawyers, he said.

Since 2004, e-mails to and from White House staff members sent through
the RNC e-mail system are archived and saved, he said. White House staff
members are not able to access other home or other personal e-mail
accounts on their work-issued computers because access is blocked, he
said. "The reason primarily is presidential records and security. We
want to be able to control what people bring onto their [work]
computers. From a presidential records perspective, this is something
that we take very seriously," Almacy said.

The White House e-mail case should be a wake-up call for businesses that
face similar situations, said John Alber, a technology lawyer at Bryan
Cave LLP in St. Louis. The problem, he said, is that all business
communications must be securely archived and stored in the event of
lawsuits, government inquiries or other legal scenarios. When such
records aren't tightly controlled, any large unsubstantiated gaps in the
stored data can mean disaster in court, he said.

A major issue is that virtually every business is overwhelmed today by
the volume of electronic records and communications, he said. His own
law firm is experiencing 60% increases in e-mail storage requirements
each year for its 800 attorneys and other staff members. "It is nowadays
a de facto document repository," he said of the law firm's Microsoft
Exchange server system. "It is often that [some legal documents] only
exist in an e-mail repository right now in Exchange," which wasn't
designed for the long-term storage and archiving of such documents.

"If companies aren't worried about this, they'd better get worried,"
Alber said. "It's truly important stuff. Everybody has this problem.
It's simply because of the way we do business. Almost everybody's behind
the curve."

Michele Lang, a staff attorney for legal discovery software vendor Kroll
Ontrack Inc. in Eden Prairie, Minn., said "there are a whole bunch of
lessons" for businesses to take away from the unfolding White House
e-mail case.

"Corporate America is having this very same problem with employees using
[free consumer e-mail accounts from] Google, Yahoo or Hotmail," Lang
said. By doing so, those employees are often storing sensitive corporate
information with free services that don't have the data security,
compliance and archiving that companies should mandate, she said.

"That's a scary situation for corporate America. Definitely there are
loads of landmines here for the government ... and for corporate America
to navigate."

[1] http://oversight.house.gov/Documents/20070329130758-87640.pdf

_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]