A recent New York Times report that Hillary Clinton skirted federal-records laws as secretary of state by exclusively using a private e-mail system to conduct official business set off a wave of criticism. But Mrs. Clinton and her defenders insist that she followed all applicable rules and regulations. Is this claim correct?

It certainly doesn’t look so. From Mrs. Clinton’s own account of her e-mail practices, she appears to have ignored civil laws designed to preserve and protect the official records of the federal government. There are also serious questions about whether her conduct complied with federal criminal law — questions that merit more answers from Mrs. Clinton than she has provided to date.

Mrs. Clinton has admitted that she exclusively used a personal e-mail account, maintained on a private server in her home in Chappaqua, N.Y., to conduct government business. She did not have a government e-mail address, and her e-mails were not preserved on department servers at any time during her tenure. It was nearly two years after she left office, in response to a formal State Department request in October 2014, that Mrs. Clinton’s counsel negotiated the turning over of some 30,000 e-mails in non-searchable printed copies, which include, Mrs. Clinton says, all of her official e-mails. In a press conference to explain herself, Mrs. Clinton admitted that she had deleted any personal e-mails from her home server (after a legal-review process that raises as many questions as it answers). She boldly declared that her server would be off limits from further inspection by anyone. At all times, proclaimed Mrs. Clinton, she complied with applicable rules.

But did she comply with the law? The answer is almost certainly no. The legal issue is not, as many in the media have suggested, whether she was allowed to use personal e-mail to conduct professional business — though a good case could be made that her exclusive use of private e-mail to conduct official business violated written State Department policy. Since before Mrs. Clinton took office, the State Department Foreign Affairs Manual has strongly encouraged the use of official computer systems to conduct the “normal day-to-day operations” of the department in order to ensure appropriate levels of security. The same policy permits occasional use of appropriately secure private e-mails to conduct official business where official systems are unavailable. But it is difficult to read the Department’s Internet policy and conclude that its drafters ever contemplated that an official would exclusively use personal e-mail on the job. Putting aside the apparent breach of policy, the real issue is what Mrs. Clinton did with her e-mails once she created or received them on her personal network.

The Federal Records Act, a 1950 statute that governs records preservation at federal agencies, plainly requires an agency to preserve any official “record,” a term defined functionally to require the preservation of any document, in whatever form, that relates to the performance of a federal official’s duties. Since around the time the federal government began using e-mail in 1995, federal regulations have required the preservation of e-mails reflecting official business. By its own terms, the statute alone compels the preservation of official e-mails, no matter where or how created. But as early as 1995, federal-records regulations explicitly required preservation of official e-mails for agencies with access to “external electronic mail systems.”

Some might contend that this 1995 regulation simply addressed a federal agency’s use of AOL or other fledgling commercial electronic-mail systems in the mid 1990s. But best (though probably not universal) practices during the Bush administration were to require preservation of official records created in e-mail systems, whether in a personal account or otherwise. Any doubt about the scope of this legal preservation requirement in the Federal Records Act was cleared up shortly after Mrs. Clinton took office in 2009, when federal regulations applicable to all agencies were amended to state that agencies that allow employees to “send and receive official electronic mail messages using a system not operated by the agency must ensure that Federal records sent or received on such systems are preserved in the appropriate agency record-keeping system.” The argument of Mrs. Clinton’s defenders that the law changed to require preservation only after she left office is simply wrong.

In insisting that she complied with her record-preservation obligations, Mrs. Clinton also says that her e-mails went to other government employees, who would necessarily have preserved those records. There are several problems with that defense. First, reports have indicated that several of her closest confidants used private accounts on the same server in Chappaqua; all the e-mails between Mrs. Clinton and these aides might therefore remain outside the record system. More important, a very recent Department of State inspector general report suggests that there have been massive shortcomings in the way department employees preserve official e-mails, with only a very minor fraction being formally stored as official records. This report suggests that merely copying another State Department employee would not automatically have saved Mrs. Clinton’s e-mails as official records, as she contends. And a State Department spokesman confirmed that Mrs. Clinton’s explanation did not jibe with this reality. Finally, even when other employees did save e-mails sent by Mrs. Clinton, her official records would not have reflected the communication, thus frustrating public access to those exchanges.

Mrs. Clinton’s defenders also argue that she complied with federal-records laws because she preserved the records on her home server and eventually delivered them (in the form of printed copies of selected e-mails) to the State Department in early 2015. The Clinton camp maintains that the federal-records laws have no time requirement, and that, as long as she delivered the e-mails at some point after leaving office, even if years later, she met her legal obligations. The obvious problem with this contention is that no one but Mrs. Clinton knows whether she actually turned over all her federal records. Her press-conference admission that — acting without the guidance of federal-records officials — she deleted anything she deemed personal raises huge red flags. This is especially so because her initial explanation of the legal-review process suggested that her lawyers had failed to review each individual e-mail, forcing a “clarification” from Clinton later in the week after many criticized the lawyers’ review. In these circumstances, her insistence that no one will get access to her private server to confirm the truth of her public statements amounts to a giant middle finger to the law and to the American people.

Even if we assume that she did eventually turn over every official document, the “eventual compliance” defense runs headlong into the State Department’s own records manual, which requires all “departing” officials to “ensure that all record material that they possess is incorporated in the Department’s official files” before they leave. And on leaving office, each State Department employee is obligated to sign a separation statement (Form OF-109) that requires him or her to certify, under penalty of federal criminal law, the following: “I have surrendered to responsible officials all unclassified documents and papers relating to official business of the Government acquired by me while in the employ of the Department.”

A central question in this e-mail imbroglio, then, has been whether Mrs. Clinton signed such a certification, setting herself up for possible felony charges of making false representations to federal officials. And if she did not sign this form, there remains the question of whether she has willfully concealed the existence of federal records from the State Department, a crime punishable by up to three years in prison and permanent disbarment from federal office. Certainly, during her tenure in office, her records were subject to numerous Freedom of Information Act requests and document demands from congressional committees. Yet she did not turn over a single e-mail in response to those inquiries.

After a week of not answering the question, the State Department finally disclosed that it did not have a record of Mrs. Clinton’s signing the records certification. It added, for political cover, that President Bush’s secretaries of state also did not sign the separation statement. But this disclosure, if true, raises further questions. If Mrs. Clinton did not sign a certification, why didn’t she? Was it owing to agency incompetence, favoritism, or something else? The records of the secretary of state reflect the business of the State Department perhaps more than those of any other official. So why would such important records be exempted from a standard reporting obligation?

The question of criminal wrongdoing is probably academic, since President Obama’s attorney general would ultimately decide whether to prosecute, or even to investigate. The potential fallout from the criminal question might be limited, then, to the political sphere.

So, to paraphrase an infamous Clintonism, does it really make any difference? It most certainly does. Her “homebrew” server, as the Associated Press called it, not only has allowed her to evade her record-preservation obligations; it also presents obvious information-security and even national-security concerns. What’s at issue is not only the question of good practice, but the law. In a 2002 statute that the Senate passed by unanimous consent, without objection from Mrs. Clinton, who was then a senator, Congress tasked each agency head with “providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction” of both “information collected or maintained by or on behalf of the agency” and “information systems used or operated by an agency.” Mrs. Clinton’s personal e-mail server in Chappaqua would hardly satisfy anyone’s idea of sound information security.

At bottom, the e-mail scandal resonates because of the job Mrs. Clinton now seeks. Perhaps the central constitutional responsibility of the president is to “take care that the laws be faithfully executed.” If Mrs. Clinton can’t be trusted to follow the most basic of record-keeping requirements, how can she be trusted to handle weighty burdens of the executive? Her actions with respect to her e-mail seem to have been calculated to place her above the law and well beyond the rules that regulate the conduct of every other federal employee. Regina non potest peccare (the queen can do no wrong) is a concept not entirely at home in the American legal tradition.