Re: Rules when she was in office....
On the other hand there was a law, the Federal Information Security Management Act - FISMA - of 2002, with plenty of rules and regulations in place by around 2005 or 2006.
In general, the law and instructions that followed from it required computer systems used to process and store government data to be particularly configured to ensure data security, be backed up regularly, and have a disaster recovery plan in effect that provided for continuity of operations if the primary system became inoperative. All that has to be documented in excruciating detail, and conformity verified before the system is approved by the agency's approving official (usually the CIO) and attached to a network. Conformity is required to be reverified periodically, including testing of the business continuity plan.
If the servers behind clintonemail.com met the standard, Ms. Clinton and her supporters could have brought it out immediately and effectively ended the discussion by requesting the State Department to release the systems' certification and accreditation documents. Instead, she diverted attention by delivering printed email copies to the department and requesting they be released, and erased them from the server or servers. It is quite safe, therefore, to conclude that the servers used were operated in violation of the law and contrary to established Department of State instructions.
Ms. Clinton, however, was not just a State Department employee presumably violating the law and agency instructions; she was the department director, responsible to see that the department and its employees, including herself and others who had clintonemail.com accounts, operated within the law and in accord with the departments established instructions.
It appears she did not do so. That is far more than poor judgment; it is, arguably, a disqualifier for election to the office of President, the duties of which include, among other things, to "take Care that the Laaws be faithfully executed".