Since the controversy that dominated the 2016 election over Hillary Clinton's use of a personal email account (hosted on a server in her home) to conduct official State Department business, the question of mixing personal and work accounts has stayed in the public discussion.
Lost in all of the politically-charged hype seems to be an important question: so what?
Plenty of leaders in both the public and private sector use personal email accounts to send messages for business. Here are just a few examples:
- Texas politicians use personal email account for business
- Minnesota’s Governor Dayton has used a personal email account for business
- Florida’s Governor Rick Scott used a personal email account to conduct official business
We’ve been in business for over 10 years and have worked with many organizations who have people using home email addresses for business.
Political finger-pointing and posturing aside, I want to address two points:
- What’s the big deal about using personal email accounts for business?
- What’s the big deal if a leader (in business or the public sector) uses personal email accounts for business?
What’s the Big Deal About Using Personal Email Accounts for Business?
Consider the typical reasons why people use personal email accounts for business instead of business email accounts. Based on our research at FRSecure, here are the most common reasons why:
- Work email systems typically have a file attachment size limit. If an employee wants to email clients a large file, and their work email system won’t support it, employees feel justified in using their personal email accounts to send large files.
- BYOD (“Bring Your Own Device”) is allowed at their organization, so they use the same device for both work and personal email, and the line separating the two blurs.
- They don’t have access to the organization’s network/email service from home, so they email documents to their personal email account to work on after hours.
- In general, it’s just more convenient to use their personal email account.
These next two reasons are more troubling:
- To avoid FOIA (Freedom of Information Act) applicability.
- Employees don’t want the organization to know what information they’re sending or who they’re sending the information to.
Using Personal Email Accounts for Business is Dangerous
Personal email accounts and systems do not employ the same security controls as your organization, and this can make the use of personal email accounts more dangerous.
In general:
- Personal email accounts exist outside of your IT department’s control—no backups, no archives for data retention, no security (that you control anyway), and no governance.
- Communications through personal email accounts are more prone to unauthorized disclosure.
- Communications through personal email accounts often cannot be retrieved when the organization needs them.
- Unauthorized disclosure (or leakage) of sensitive information often goes unnoticed by the organization.
- Email providers may scan their users’ emails, which can be a compromise of privacy (See: Google allows third parties to read your private emails).
- Thorough investigations of incidents and breaches are more complex and costly; in some cases nearly impossible.
- The use of personal email accounts to send, receive and/or store certain types of information may be against the law.
- Employees can keep secrets from the organization. See Stengart vs. Loving Care:
- “Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (2010) was a New Jersey Supreme Court case that provided guidance to employees as to what extent they may expect privacy and confidentiality in personal e-mails composed on company-owned computers. Through its decision, the court ruled on two key issues which concluded that there should be a “reasonable” expectation of privacy in personal e-mails on company computers, and that attorney–client communication privileges and privacy should not be violated.”
- The people who use personal email accounts for business may not understand who really owns the information that they’re sending. Does the information belong to them, does it belong to the company, or does it belong to a customer of the company?
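One reason leakage to personal accounts goes unnoticed is that nobody looks for it in the mail logs. The following is an added example, not FRSecure's tooling or anything from the original post, showing the kind of check a practitioner would run over an outbound message log: flag mail from the corporate domain to consumer webmail domains, and rank higher the cases the text describes (an employee forwarding files to what looks like their own personal account, or sending large attachments that the work system would have blocked). The corporate domain `corp.example`, the list of personal domains, the size threshold, and the pipe-delimited log format and its lines are all assumptions constructed for the example; a real gateway or message-trace export would need its own parser.

```python
"""Flag outbound mail from the corporate domain to personal webmail accounts.

Added example, not FRSecure's tooling. Assumes a message log with
sender, recipient, attachment count and total size (a mail gateway or a
message-trace export can produce something similar). The log lines
below are constructed sample data, not real traffic.
"""
import re
from dataclasses import dataclass

CORP_DOMAIN = "corp.example"  # assumption: the organization's mail domain
# Assumption: consumer webmail domains the organization treats as "personal".
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com",
                    "hotmail.com", "icloud.com", "aol.com"}
LARGE_BYTES = 10 * 1024 * 1024  # assumption: size the work mail system would reject

# Constructed sample log: timestamp|sender|recipient|attachments|bytes
SAMPLE_LOG = """\
2024-03-04T17:58:01|alice@corp.example|bob@partner.example|1|1048576
2024-03-04T18:02:13|alice@corp.example|alice.jones@gmail.com|3|26214400
2024-03-04T18:05:40|carol@corp.example|carol@corp.example|0|2048
2024-03-04T18:07:55|dave@corp.example|d.patel77@yahoo.com|0|4096
2024-03-04T18:09:10|erin@corp.example|erin.k@corp.example|2|512000
2024-03-05T08:15:22|frank@corp.example|frank@icloud.com|1|20971520
"""


@dataclass
class Finding:
    timestamp: str
    sender: str
    recipient: str
    reasons: list
    severity: str


def _name_tokens(addr):
    """Name-like fragments of the local part (drops digits and short bits)."""
    local = addr.split("@", 1)[0].lower()
    return {t for t in re.split(r"[._\-+\d]+", local) if len(t) >= 3}


def looks_like_self_forward(sender, recipient):
    """Heuristic: the sender's name appears in the personal address
    (alice@corp.example -> alice.jones@gmail.com)."""
    return bool(_name_tokens(sender) & _name_tokens(recipient))


def parse_line(line):
    ts, sender, rcpt, n_att, n_bytes = line.strip().split("|")
    return ts, sender.lower(), rcpt.lower(), int(n_att), int(n_bytes)


def analyze(log_text, large_bytes=LARGE_BYTES):
    """Return one Finding per outbound message to a personal webmail domain."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, n_att, n_bytes = parse_line(line)
        if not sender.endswith("@" + CORP_DOMAIN):
            continue  # inbound or third-party senders are out of scope here
        if rcpt.rsplit("@", 1)[1] not in PERSONAL_DOMAINS:
            continue
        reasons = ["recipient is a personal webmail domain"]
        score = 1
        if looks_like_self_forward(sender, rcpt):
            reasons.append("looks like a self-forward to the sender's own account")
            score += 1
        if n_att > 0:
            reasons.append(f"{n_att} attachment(s), {n_bytes} bytes")
            score += 1
        if n_bytes >= large_bytes:
            reasons.append("exceeds the work mail system's size limit")
            score += 1
        severity = {1: "low", 2: "medium"}.get(score, "high")
        findings.append(Finding(ts, sender, rcpt, reasons, severity))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.timestamp} {f.sender} -> {f.recipient}: "
              + "; ".join(f.reasons))
```

Run against the constructed log, the check ignores the partner and internal recipients and reports three findings: two high-severity self-forwards with large attachments and one low-severity message to a Yahoo address with no attachment. The self-forward heuristic is deliberately loose (a shared first name will match), so it is a triage signal for a human to review, not a blocking control.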
At the end of the day, there are many issues to consider before allowing non-business email account usage for business purposes. Using home email for business poses serious risks of intellectual property theft, violations of customer privacy, regulatory compliance violations, loss of organizational privacy, and disruptions to network operations.
Your organization has invested time and money into securing internal email communications. Some may argue (successfully even) that your organization has a legal obligation to secure email communication and the information contained therein. Be very careful with this issue.
What’s the Big Deal if a Leader uses Personal Email Accounts for Business?
I look at this question from two different perspectives; as a leader and as an advisor to leaders.
As a Leader
As a leader at FRSecure, I take the responsibility for information protection very seriously. Beyond the fact that FRSecure is an information security management company is the fact that we have personnel, families, and customers who depend on us to do the right things. I feel a responsibility to protect information and play by the rules that we’ve set forth. We’ve set these rules for a reason.
- If I use non-work email for business, but expect everybody else to play by the rules, what kind of leader am I? That is the old “do as I say, not as I do” approach to management, and it makes me a hypocrite.
- If I use personal email for business, but expect everybody else to play by the rules, what kind of precedent do I set? The precedent is set that the rules aren’t really rules—they’re more like guidelines. Or maybe I set the precedent that the rules only apply to everybody else, not to me because I’m better/I’m more important/I’m too busy/I’m (fill in the blank). I’m responsible for the culture of this organization, and neither of these precedents is one that I’m willing to set.
June 29, 2011: A State Department cable to employees is issued under Clinton’s signature (as are all cables) after Google revealed that hackers were targeting the personal e-mail accounts of U.S. government employees. The cable warns: “Avoid conducting official Department business from your personal e-mail accounts.”
Washington Post
As an Advisor to Leaders
Assuming that the organization prohibits the use of personal email accounts for business purposes (if not, address that first), the two questions I considered for myself are good questions for leaders to answer when considering their own use of email for business:
- What kind of leader am I?
- What kind of precedent do I set?
Whether or not you choose, as a leader, to comply with the organization’s policies will depend on your answers to these two questions.
Also, it’s probably a good idea to make sure that customers, stakeholders, shareholders, and/or board members are aware of the decision because they are all affected to some extent.
Conclusion
At FRSecure, personal email account use for business purposes has been determined to be too great a risk and has been prohibited. As the leader of FRSecure, I have chosen to comply with the rules that I ultimately approved.
For assistance with email policies and creating or adjusting other policies and procedures, visit frsecure.com.