Hillary Clinton’s use of a personal email address as secretary of state appears to have run afoul of five different laws and regulations governing information security at the State Department, according to a recent government report.
The report, from the State Department’s inspector general, has renewed scrutiny of Clinton’s email practices, which critics say jeopardized sensitive or classified information and shielded Clinton’s activities from laws designed to ensure public access to government information.
The inspector general’s examination focused on statutes and regulations specific to the State Department. The more serious allegations against Clinton have to do with potential violations of the Espionage Act, which lays out penalties for "gross negligence" in the handling of sensitive national security information.
That investigation is ongoing, but the report identifies five other laws or regulations that Clinton circumvented or failed to follow. They contradict the Clinton campaign’s repeated claims that Clinton’s email practices at the State Department complied with all relevant rules regarding federal records and information security.
Retaining agency records after leaving
"Departing officials and employees [may] not remove Federal records from agency custody" —36 C.F.R. § 1222.24
Clinton’s personal email address, which she used exclusively as secretary of state, was housed on a private email server in her Chappaqua, N.Y. home. That meant her emails, which are considered federal records, were never in federal custody while she served as secretary. She didn’t just retain records after leaving the State Department; those records were never in the department’s possession in the first place.
The State Department is responsible for transferring records to the National Archives and Records Administration after a federal employee’s departure. But the State Department only requested Clinton’s emails in October 2014, a year and a half after she left office. The records agency only learned of Clinton’s private email server through media reports in March 2015, more than two years after her tenure.
Properly archiving agency records
"Agencies that allow employees to send and receive official electronic mail messages using a system not operated by the agency must ensure that Federal records sent or received on such systems are preserved in the appropriate agency recordkeeping system." —36 C.F.R. § 1236.22(b)
Clinton claims that the fact she was sending emails to federal employees using official email accounts meant that those emails were being archived properly. The IG rejected that explanation and concluded that Clinton had violated rules on the preservation of federal records.
"Secretary Clinton should have preserved any Federal records she created and received on her personal account by printing and filing those records with the related files in the Office of the Secretary," the IG wrote. "At a minimum, Secretary Clinton should have surrendered all emails dealing with Department business before leaving government service and, because she did not do so, she did not comply with the Department’s policies that were implemented in accordance with the Federal Records Act."
Provisions of that law are designed to preserve agency records so that they are available to the general public through open records requests. Clinton emails quoted in the report suggest she was attempting to avoid just that type of scrutiny.
Preserving federal records from loss or destruction
"All Department employees are ... required by law to preserve documentary materials meeting the definition of a record under the Federal Records Act [and are] responsible for creating, using, maintaining, preserving, and disposing of the Department’s information and records." —State Department Foreign Affairs Manual
Clinton has said that she deleted roughly 30,000 emails stored on her server that she deemed of a personal and non-official nature. Neither the State Department nor the records agency has ever seen those emails. We now know that they included messages that were official in nature.
The IG report identified a number of such emails to Gen. David Petraeus. "The Department of Defense provided to OIG in September 2015 copies of 19 emails between Secretary Clinton and General David Petraeus on his official Department of Defense email account." None of those 19 emails were turned over to the State Department.
Use of department-approved computing devices
"It is the Department’s general policy that normal day-to-day operations be conducted on an authorized AIS, which has the proper level of security control to provide nonrepudiation, authentication and encryption, to ensure confidentiality, integrity, and availability of the resident information." —State Department Foreign Affairs Manual
According to the inspector general, Clinton never received department approval to conduct official agency business on her private email server. She never consulted with the proper authorities before doing so. If she had, her email arrangement would have been rejected.
"According to the current CIO and Assistant Secretary for Diplomatic Security, Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs," stated the IG report.
"However, according to these officials, DS and IRM did not—and would not—approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM and the security risks in doing so."
Handling of sensitive-but-unclassified (SBU) information
"Where warranted by the nature of the information, employees who will be transmitting SBU information outside of the Department network on a regular basis to the same official and/or most personal addresses, must contact the [information security officials] for guidance in implementing a secure technical solution for those transmissions." —State Department Foreign Affairs Manual
"Emails exchanged on [Clinton’s] personal account regularly contained information marked as SBU," but she never obtained the required approval for the handling of such information on a personal computing device. Because a security review never occurred, "Secretary Clinton never demonstrated … that her private server or mobile device met minimum information security requirements."
Information security officials from Clinton’s time at the agency told the IG "that they were not asked to approve or otherwise review the use of Secretary Clinton’s server and that they had no knowledge of approval or review by other Department staff. These officials also stated that they were unaware of the scope or extent of Secretary Clinton’s use of a personal email account, though many of them sent emails to the Secretary on this account."