Clinton Private Email Server: What It Means to IT Service Providers

In a presidential race with no shortage of controversy, Democratic Party nominee Hillary Clinton’s use of a private email server while she was U.S. Secretary of State has proven particularly sticky.

In trying to determine if she broke the law, both Congress and the FBI have questioned the former First Lady and her associates, as well as IT services companies connected to the case.

Three companies – Datto, SECNAP Network Security and Platte River Networks – were pulled into the investigation because they had some involvement with the private server. Datto handled online backup, SECNAP provided a tool to monitor hacking threats, and River Platte managed the server.

The FBI exonerated the former First Lady of any lawbreaking, but that hasn’t appeased Congress. Senate and House committees continue to investigate the matter, and subpoenaed the three service companies for related documents.

As of yet, no charges of wrongdoing have been brought against the companies. Yet, their involvement in the case raises serious questions regarding the proper way to handle sensitive client data. The Clinton case potentially involved state secrets, but similar questions could emerge in cases involving private user data such as legal, financial and medical records, and intellectual property.

What to Know

The two main questions for IT service companies are:

• How much do you need to know about data you handle for clients?
• What’s your liability in relation to the data?

Let’s address the “need to know” question first. As a provider you don’t have to know – nor does the client necessarily want to tell you – the data’s contents. The client is entrusting you to manage the data, not read it.

But you need to know the nature of the data. The governance of certain types of data, such as corporate secrets, medical files and financial records, falls under federal and state laws. And if the data involves state or military secrets, that’s a whole other level of confidentiality subject to very strict regulations and specific security clearances.

Data protection laws deal with matters such as breach disclosure, encryption requirements for data in motion, and archival. Non-compliance can lead to severe penalties and legal action. Complicating matters, breach disclosure laws differ based on geography, so you need to know those laws in your country or state.

As a service provider, you have to be able to demonstrate your solutions and platforms that handle client data are compliant. Your security protocols and infrastructure should be transparent to clients, not only to instill confidence in your ability to protect their data but also to address any potential liability issues.

Liability Question

One of the concerns regarding the Clinton private server was whether it had been subject to hacking. No evidence has turned up yet. If it did, not only would Clinton and her staff have to answer for it, but likely so would the involved IT service providers.

Liability for data management can get complicated, especially when it involves multiple parties. MSPs typically handle client data with solutions provided by a vendor. Which party is responsible for what needs to be clear from the offset, with well-crafted contracts that spell out each party’s liability.

“In some scenarios, as many as five parties touch the customer’s data but the service provider is always the perceived responsible party and allocated a disproportionate amount of risk in the customer contracts,” attorney Dan Liutikas explained in a 2015 blog. “If you’re providing services such as cloud-based applications and data backup and recovery, be sure you understand your liability to protect yourself.”

Protect Yourself

The Clinton email case will likely continue providing headline fodder. The outcome is anyone’s guess, but one thing is sure: As a service provider, you want to understand your liability and follow applicable rules so you come out clean if dragged into a case like this.

Want to stay informed and access additional resources to help you in your business? Check out APC by Schneider Electric’s Channel Partner Program.

Also, follow the steps below to sign up for our Managed Services Program today!

• Ensure you are a Registered APC Partner
• Log into your Personal Page and click “Training & Education”
• Complete MSP Sales Associate Certification (3 courses)
• Schedule an MSP Business Planning Session with your APC representative.  Log in now!