Public and Private E-mails Don’t Mix


Hillary Clinton recently made headlines for using her personal email account for business purposes during her tenure as Secretary of State. This high-profile example gives us an opportunity to reflect on what is commonplace for some. It can be tempting for employees to use personal email accounts to conduct corporate business, particularly when working remotely. However, the highly sensitive nature of Clinton's job raised questions about the security of using a non-work email account to transmit information. Depending on the nature of your job and the emails you send, there are real risks in mixing personal and business e-mail.

Unauthorized Disclosure

By far the biggest concern with using personal email is the lack of security, which can result in the unauthorized disclosure of sensitive information. Personal email, which sits outside corporate IT oversight, allows information to be sent to outsiders without safeguards such as encryption. Also, the employee may not be the only person with access to the account. A company has no way of knowing whether the password to a personal account is shared, when it was last changed, or how often emails are deleted or archived.

Additionally, many free webmail services have weak account recovery mechanisms for users who forget a password. An attacker who can answer the password recovery security questions can gain access to the account, putting confidential or privileged information in the wrong hands. Many free email services also employ a process called indexing, in which the service scans emails for the number of times particular words appear and then sends targeted advertising to that account based on the results. This means the hosting service has likely read or copied potentially confidential or sensitive text from the user's inbox. The harm compounds when employees make a regular practice of using personal accounts for business.

Data Retention/Destruction

Most companies have a data retention and destruction policy, which typically includes automatically deleting e-mails and attachments past a certain date. An employee's use of personal email to send and receive corporate documents frustrates this policy: a company can't delete what it doesn't have. At the same time, litigation holds and subpoena requests are common when a company or its client is involved in a lawsuit. If responsive documents have been transmitted or stored outside the company's systems, the company may be unable to produce the documents it needs to comply with such requests or, worse, be denied access to records that support its own defense.

Furthermore, if an employee who has made a habit of using personal email for business purposes leaves the company, that employee essentially takes those documents along.

Corporate Governance

Put simply, a company has less control over what occurs outside the corporate walls. When employees conduct business from a personal account, the company lacks the ability to properly monitor its own business dealings. Specifically, it lacks control over security, privacy, and content, including communications that could create liability, such as threats, defamation, or harassment. If a lawsuit arises from representations or communications made on the company's behalf, the company loses its ability to accurately document what happened and to identify what communications were made and in what context.

To avoid these risks, make sure your company's electronic use policy contains a provision that restricts work-related electronic communications to company-provided email accounts. Establish a strategy to monitor and enforce the policy to ensure compliance. Also, remember that, beyond the risks described above, going outside the company domain to communicate on company-related matters may be perceived as unprofessional.