WOOF! Newsletter

September 30, 2013

The Dangers of Using Personal Email for Work

What's the harm in employees using personal email for work purposes? Plenty, in fact: privacy violations, falling out of legal compliance, potential for data theft and other risks. This WOOF article documents those risks, and gives advice on how to stop employees from using personal email at work.
If any of your employees use their personal email accounts to send company information, your business is at risk for multiple security and privacy problems.

Why would employees use personal email, when they have corporate email accounts? You can ask 10 people this and get 10 different answers. The most common reasons we’ve found are:
  1. Work emails typically have a file attachment size limit. Maybe they have to send a large file (images, a spreadsheet, video) and their business email won’t send it.
  2. BYOD ("Bring Your Own Device") is allowed at their company, so they use their own PC for both work and personal email. The line blurs between work and home.
  3. They don’t have access to the corporate network from home, so they email documents to their personal email account to work on after hours.
  4. To avoid FOIA (Freedom of Information Act) liability.
  5. Or, they may not want the company to know what information they’re sending out, and to whom they’re sending it. Which means there’s potential for data theft. Like this case from last June: Foreign Engineer Arrested for Trade Secret Theft Involving Medical Technology – TradeSecretLaw.com.
These reasons should give every employer pause. Using personal email for work poses serious risks of IP theft, violating customer privacy, losing your own company’s privacy, and disrupting network operations through exploits of computers not secured by your internal policies.

In legal terms, using personal email for business purposes can mean two things.

One, it means your company's business information is being stored on mail servers outside of your control, throughout the world. Where did Google actually store your data? You have no way of knowing all the places where your company data is stored, or where it’s been transmitted.

And two, a personal email account is not covered by your company's security policies. Your employee may have agreed to Gmail’s Terms and Conditions (which allow for email content searches), but your company didn’t. You may have a good data privacy policy in place—but personal email accounts can bypass it with one click of the "Send" button.

The Risks Inherent in Letting Employees Use Personal Email for Work

This kind of privacy disruption subjects business data to many risks, like:
  • Personal email accounts exist outside of IT’s control: no backup, no archives for discovery, no security, no governance.
  • Major email providers like Gmail scan their users’ emails, destroying privacy. Google is actually fighting to keep on scanning Gmail users' emails in court.
  • The U.S. government can read your company’s email. Personal email providers like Google, Microsoft, AOL, and Yahoo! have cooperated with the NSA, allowing them to scan and store any emails they like on NSA’s servers.
  • Emails sent via personal accounts are not discoverable in standard legal discovery procedures. If you need to produce email files for legal reasons (an audit, lawsuit, government compliance), you won’t know about the missing data, and will be out of compliance.
  • Employees can keep secrets from the business. In the case of "Stengart vs. Loving Care," the New Jersey Supreme Court ruled that an employee "could reasonably expect that e-mail communication with (their) lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them."
  • Harassment: Providers like Gmail mask the originating IP address with their own internal IP addresses, making it impossible to narrow down the origin of an email sent to your employees. To top that off, they make it extremely difficult for a company to request information about Gmail users who are harassing its employees.
  • Employees may use their personal email address to purchase domains, set up web hosting accounts, or perform any number of functions on the company’s behalf. The problem then is that the employee's personal email address becomes the owner of the account. If that employee leaves or becomes uncooperative, you will have a difficult time taking ownership of the assets they set up, which may be critical to your company's day-to-day operations.

Protect Your Privacy - and Your Customer’s!

It’s a needlessly dangerous practice to let employees use personal email for business reasons, especially when it comes to government surveillance.

According to current FISA law, the NSA has the right to record data from both endpoints in an email conversation, if ONE of those endpoints cooperates with NSA procedures. Since most large free email providers do cooperate, this means anyone who receives an email from their accounts is put at risk for surveillance – even though they didn’t agree to the provider’s Terms and Conditions at all.

So if your employee uses personal email to send project blueprints to a customer’s work email, that customer has unwittingly lost their privacy to the NSA!

How to Keep Work Emails Away From Personal Email Accounts

The best thing to do is to provide secure file-sharing solutions for your employees and set strict policies against the use of personal email for business.

Here are some ways you can do this:
  • Increase the size limit for file attachments on business email accounts. According to a Mimecast survey, this is a big reason workers under 25 prefer to use personal email accounts for work. We suggest 10MB for average users (more for individual users based on demonstrated need).
  • Implement a private file-sharing technology, like Anchor or Microsoft SharePoint, which allows users to share files with their Active Directory accounts. This kind of technology maintains control of accounts and keeps private data private. It also allows for auditing what’s been transferred outside the organization.
  • If you don’t have one already, create a policy saying that all work emails must use work email accounts. If you have such a policy already, enforce it by reviewing staff practices.
    • If anyone objects, remind them that using non-domain-based email for business is just plain unprofessional. Do you trust an organization that sends you a business email from janie2011@gmail.com, or from jsmith@acmemanufacturing.com?
    • If someone still uses personal email for business purposes, ask them for their login & password. You'll need to catalog their email, so you can record what business information they sent out. (Watch them stop using personal email for work fast!)
  • Just accessing personal email while at work is okay, so long as it’s done infrequently and for personal use only. This should be part of a comprehensive Acceptable Use Policy.
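One practical way to carry out the "reviewing staff practices" step above is to scan the outbound mail gateway log for two things the article singles out: business mail going to personal webmail domains, and messages bumping against the attachment size limit (the reason workers reach for personal accounts in the first place). The following Python is an added example, not code from the newsletter; the log line format, the corporate domain (borrowed from the article's jsmith@acmemanufacturing.com illustration), the list of personal domains and the sample log lines are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumed corporate domain and a constructed list of personal webmail domains.
CORPORATE_DOMAIN = "acmemanufacturing.com"
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "aol.com", "outlook.com", "hotmail.com"}
ATTACHMENT_LIMIT_BYTES = 10 * 1024 * 1024  # the 10 MB limit the article suggests

# Constructed sample gateway log (the line format is an assumption, not a real product's):
# <timestamp> from=<addr> to=<addr> size=<bytes> subject="<text>"
SAMPLE_LOG = """\
2013-09-30T08:12:01 from=jsmith@acmemanufacturing.com to=client@partner.example size=48213 subject="Q3 report"
2013-09-30T08:15:44 from=jsmith@acmemanufacturing.com to=janie2011@gmail.com size=15728640 subject="blueprints"
2013-09-30T09:02:10 from=bob@acmemanufacturing.com to=bob.personal@yahoo.com size=2048 subject="fwd: contract"
2013-09-30T09:30:00 from=newsletter@vendor.example to=alice@acmemanufacturing.com size=9000 subject="promo"
2013-09-30T10:01:33 from=alice@acmemanufacturing.com to=alice@acmemanufacturing.com size=12582912 subject="big deck"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) size=(?P<size>\d+) subject="(?P<subject>[^"]*)"$'
)

@dataclass
class Finding:
    timestamp: str
    sender: str
    recipient: str
    reason: str

def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()

def review_mail_log(log_text: str) -> list:
    """Flag outbound staff mail to personal webmail accounts and oversized messages."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        sender, recipient, size = m["from"], m["to"], int(m["size"])
        if domain_of(sender) != CORPORATE_DOMAIN:
            continue  # only mail sent by staff matters for this policy check
        if domain_of(recipient) in PERSONAL_DOMAINS:
            findings.append(Finding(m["ts"], sender, recipient, "sent to personal webmail account"))
        if size > ATTACHMENT_LIMIT_BYTES:
            findings.append(Finding(m["ts"], sender, recipient, "exceeds attachment size limit"))
    return findings

if __name__ == "__main__":
    for f in review_mail_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.sender} -> {f.recipient}: {f.reason}")
```

Messages flagged for size are worth a second look alongside the policy violations: they show which users will be tempted to route around the limit if it is not raised.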
Business email is for business use. Personal email is for personal use. Whenever the two cross, you’re at risk for legal issues and privacy loss.