Executive Emails: Lessons from the White House Breach

“Never write if you can speak; never speak if you can nod; never nod if you can wink.”

Prescient advice for the age of data theft from gilded-age politician Martin Lomasney.

Indeed, the theft of non-classified White House emails – ostensibly one of the most well-guarded non-classified networks in the world — should bring into sharp focus the reality of cybersecurity: emails should be treated as likely to be hacked and certainly to be under attack.  In short, we need to help employees in general, and executives in particular, to re-frame how they use email.   Most people treat email as private, those that do not often forget that even seemingly innocuous emails can tell a great deal when taken together with a larger group of emails.

Executives often possess the highest levels of access and the most sensitive information in any organization.  Accordingly, executives are often the targets of specifically targeted social engineering campaigns — and their blunders on email are potentially very damaging to employers.   Accordingly, as I have written, cybersecurity practices should be built into executive agreements and executives need to be taught how to live within the confines of the reality of what I would call “public emails.”

How do we advise executives to deal with public emails? That “REPLICAS” will be made of those communications.  Consider advising/training executives to keep this mnemonic in mind as they draft every electronic communication:

• Respect
• Employment
• Permanent & Public
• Legal & Ethical
• Information Retention
• Clarity
• Attorney-Client Privilege
• Social Engineering & Security

REPLICAS:

• Respect.  Executives should use respectful language that won’t embarrass the company when it is reviewed by third parties.  Sexist, racist, bigoted, homophobic, bullying language, etc., has no place in an executive’s writings.

• Employment Agreement.  Executives should understand that violating the employer’s security rules (or the rules set out here) can cause grave harm to the employer — and may result in termination for cause.

• Permanent/Public.  Executives must understand that emails are permanent and they should be written as if they will be made public at some point.  At the very least, there is no such thing as an email getting accidentally lost or ignored during litigation or during an investigation.  Every email that touches upon the subject of a particular litigation or regulator’s inquiry will be found.  Forever.  Regardless of what data retention policies may say.

• Legal and Ethical.  Ensure that every email, including those written to subordinates, is written in a manner to convey the highest level of integrity.  Suggesting unlawful or unethical activity, even in jest, is inappropriate. Moreover, if an email references an individuals specific gender, race, disability, illness, religion, ethnicity, sexual orientation, etc., an executive should be able to articulate a clear reason for including that information.  Executives should be trained to ensure that their emails are compliant with any of the laws or regulations (e.g, insider trading) or norms that are specific to the business and  industry.

• Information retention. Preservation of electronic messages (or, put differently, spoliation in an electronic messaging context) is, obviously, increasingly litigated.  Attorneys should establish and executives ought to follow very specific guidelines about data retention across platforms.  This includes which modes of electronic communication are permissible and which may not be.

• Clarity.  Be succinct.  There is less room to misinterpret shorter emails.

• Attorney-client.  Merely copying an attorney or writing the words “privileged and confidential” does not guarantee that the attorney-client privilege will shield your email from being shared. To maximize the chance that your email is found to be privileged mark it privileged and confidential, confine your email to the details of the situation,  copy only those who are absolutely necessary, and try to specifically ask the attorney for legal advice.  Otherwise, the privilege likely will not hold and your email may be disclosed.

• Social Engineering and Security.  Executives need to be taught to avoid social engineering efforts (such as “spear phishing”).  One site succinctly describes a social engineering attack:

Strictly, social engineering is a technique to get around security systems—or any type of system—not by breaking through it or exploiting vulnerabilities in the system itself, but to exploit vulnerabilities in the humans around the system. Instead of breaking in or cracking a password, you convince a tech support agent to reset the password and give it to you, for example, or you trick a system into thinking you’re an authorized user through some logical means using information you have available.

The more senior the executive, the higher the risk that resources will be expended to getting access to the information that the manager possesses – after all, they are likely to have wider access to more valuable information.

Executives must be trained on avoiding social engineering – especially those that come in through email.  Avoiding such attacks is not a matter of common sense – it is a matter of rigorous training.  Executives will need to avoid such efforts, not click on emailed attachments or links (except links to this blog) and should be cautious about the information they share in any emailed communication to anyone, within the enterprise or without.