This is a hot topic ever since news broke about Hillary Clinton’s use of personal email (including her own server in her home) to conduct official State Department business. Lost in all of the politically charged hype seems to be the question: so what? Plenty of leaders, both in the public and private sector, use personal email accounts to conduct business:
- Texas politicians use personal email accounts for business – http://www.click2houston.com/news/investigates/some-texas-politicians-keep-mum-on-personal-email-for-business/31737716
- Minnesota’s Governor Dayton has used a personal email account for business – http://minnesota.cbslocal.com/2015/03/11/gov-dayton-uses-personal-email-for-work/
- Florida’s Governor Rick Scott used a personal email account to conduct official business – http://www.miamiherald.com/news/politics-government/article4151920.html
At FRSecure we work with hundreds of organizations, and many of them have people who use personal email accounts for business.
Let’s cut through the political finger-pointing and posturing. I want to address two points:
- What’s the big deal about using personal email accounts for business?
- What’s the big deal if a leader (in business or the public sector) uses personal email accounts for business?
What’s the big deal about using personal email accounts for business?
Consider the typical reasons why people use personal email accounts for business instead of the business email accounts. Based on our research at FRSecure, here are the most common reasons why:
- Work email systems typically have a file attachment size limit. If an employee wants to send a large file, and their work email system won’t support it, employees feel justified in using their personal email accounts to send large files.
- BYOD (“Bring Your Own Device”) is allowed at their organization, so they use their own system for both work and personal email. The line blurs separating the two.
- They don’t have access to the organization’s network from home, so they email documents to their personal email account to work on after hours.
- In general, it’s just more convenient to use their personal email account.
The last two reasons on the list are the ones that are cause for concern:
- To avoid FOIA (Freedom of Information Act) applicability.
- Employees don’t want the organization to know what information they’re sending or who they’re sending the information to.
Using personal email accounts for business is dangerous.
Personal email accounts and systems do not employ the same security controls as your organization, and this can make the use of personal email accounts more dangerous. In general:
- Personal email accounts exist outside of your IT department’s control. No backups, no archives for data retention, no security (that you control anyway), and no governance.
- Personal email account communications are more prone to unauthorized disclosure.
- Personal email account communications often cannot be retrieved when they are needed (for litigation, an investigation, or a records request).
- Unauthorized disclosure (or leakage) of sensitive information often goes unnoticed by the organization.
- Email providers may scan their users’ emails, which can be a compromise of privacy (See: Google fights for right to read your private emails)
- Thorough investigations of incidents and breaches are more complex and costly; in some cases nearly impossible.
- The use of personal email accounts to send, receive and/or store certain types of information may be against the law.
- Employees can keep secrets from the organization. See Stengart vs. Loving Care; “Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (2010) was a New Jersey Supreme Court case that provided guidance to employees as to what extent they may expect privacy and confidentiality in personal e-mails composed on company-owned computers. Through its decision, the court ruled on two key issues which concluded that there should be a “reasonable” expectation of privacy in personal e-mails on company computers, and that attorney–client communication privileges and privacy should not be violated.” – Wikipedia
- The people who use personal email accounts for business may not understand who really owns the information that they’re sending. Does the information belong to them or does it belong to the company or does it belong to a customer of the company?
At the end of the day, there are many issues to consider before allowing personal email account usage for business purposes. Using personal email for business poses serious risks of intellectual property theft, violations of customer privacy, regulatory compliance violations, loss of organizational privacy, and disruptions to network operations.
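Several of the risks above (leakage that goes unnoticed, the attachment-size workaround, and emailing documents to a personal account to work on at home) leave a trace in the mail gateway logs. As an added illustration that is not part of the original post or FRSecure’s own tooling, here is a small check a mail administrator could run over a gateway export to surface those patterns; the pipe-delimited log format, the domain lists and every address below are constructed assumptions.

```python
"""Flag outbound corporate mail sent to consumer webmail accounts.

Added example, not FRSecure's code. Assumes a hypothetical pipe-delimited
mail-gateway export: timestamp|sender|recipient|attachments|bytes|subject.
"""
import re
from dataclasses import dataclass

CORPORATE_DOMAIN = "example.com"                        # assumption
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com",
                    "hotmail.com", "icloud.com"}         # illustrative list

# Constructed sample export (no real addresses).
SAMPLE_LOG = """\
2015-03-12T08:02:11|alice@example.com|bob@example.com|0|4120|Re: standup
2015-03-12T17:45:03|alice@example.com|alice.smith@gmail.com|2|9800000|Q1 customer list
2015-03-12T18:10:40|carol@example.com|vendor@partner.net|1|230000|Signed SOW
2015-03-12T19:22:09|dave@example.com|dave_home@yahoo.com|0|3100|fwd: board deck link
2015-03-13T09:00:00|eve@example.com|eve.k@outlook.com|1|52000000|backup.zip
"""

@dataclass
class Finding:
    when: str
    sender: str
    recipient: str
    reasons: tuple

def _local(addr):
    """Local part with separators stripped, for the self-forward heuristic."""
    return re.sub(r"[._-]", "", addr.split("@")[0].lower())

def analyze(log_text, size_limit=10_000_000):
    """Return one Finding per corporate message addressed to a personal webmail domain."""
    findings = []
    for line in log_text.strip().splitlines():
        when, sender, rcpt, n_att, nbytes, _subject = line.split("|", 5)
        if not sender.lower().endswith("@" + CORPORATE_DOMAIN):
            continue                                    # inbound or external, skip
        if rcpt.rsplit("@", 1)[1].lower() not in PERSONAL_DOMAINS:
            continue
        reasons = ["personal webmail recipient"]
        if int(n_att) > 0:
            reasons.append("attachment")
        if int(nbytes) >= size_limit:                   # the size-limit workaround
            reasons.append("oversized (likely bypassing size limit)")
        # Heuristic: recipient's local part contains the sender's (alice -> alice.smith).
        if _local(sender) in _local(rcpt):
            reasons.append("probable self-forward")
        findings.append(Finding(when, sender, rcpt, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.when, f.sender, "->", f.recipient, ";", ", ".join(f.reasons))
```

The self-forward heuristic is deliberately loose; in practice you would tune it against your own directory data and feed the findings to whoever owns the acceptable-use policy rather than treating them as proof of wrongdoing.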
Your organization has invested time and money into securing internal email communications. Some may argue (successfully even) that your organization has a legal obligation to secure email communication and the information contained therein. Be very careful with this issue.
What’s the big deal if a leader uses personal email accounts for business?
I look at this question from two different perspectives: as a leader and as an advisor to leaders.
As a leader
As a leader at FRSecure, I take the responsibility for information protection very seriously. Beyond the fact that FRSecure is an information security management company is the fact that we have personnel, families, and customers who depend on us to do the right things. I feel a responsibility to protect information and play by the rules that we’ve set forth. We’ve set these rules for a reason.
- If I use personal email for business, but expect everybody else to play by the rules, what kind of leader am I? The old “do as I say not as I do” approach to management. I feel like a hypocrite.
- If I use personal email for business, but expect everybody else to play by the rules, what kind of precedent do I set? That the rules aren’t really rules, they’re more like guidelines. Or maybe I set the precedent that the rules only apply to everybody else, not to me because I’m better/I’m more important/I’m too busy/I’m _________ (choose). I’m responsible for the culture of this organization, and neither of these precedents is one that I’m willing to set.
As an advisor to leaders
Assuming that the organization prohibits the use of personal email accounts for business purposes (if not, address this first):
The two questions that I considered for myself are good questions for leaders to answer when considering their own use of personal email for business.
- What kind of leader am I?
- What kind of precedent do I set?
Whether or not you choose (as a leader) to comply with the organization’s policies will depend upon your answers to these two questions.
Also, it’s probably a good idea to make sure that customers, stakeholders, shareholders, and/or board members are aware of the decision because they are all affected to some extent.
At FRSecure, personal email account use for business purposes has been determined to be too great a risk and has been prohibited. As the leader of FRSecure, I have chosen to comply with the rules that I ultimately approved.