Personal Email Accounts at Work
Many workplaces rely on email to help employees stay connected and to communicate with clients. However, the law regarding email usage is sometimes confusing, and many companies lack a clear policy regarding how employees can and can’t use email in the workplace.
What is the Law Regarding Email?
The U.S. Small Business Administration says federal law is unclear regarding email monitoring, with the Electronic Communications Privacy Act of 1986 banning the intentional interception of “any wire, oral or electronic communication.” However, the act includes a business use clause that allows companies to monitor employee emails. While the laws are open to interpretation, the SBA advises that employers have the right to monitor emails if they’re sent from a company computer and if the company can demonstrate a legitimate business reason for doing so.
Employees sometimes assume their company emails are private; however, many companies introduce policies notifying employees that email content is not private and could be subject to scrutiny. Employers do have the right to monitor employee emails if:
- They are sent from a company computer
- The company can demonstrate a legitimate business reason for doing so
- The company has a policy regarding emails, which employees are required to acknowledge and sign
Who Owns Emails?
Any email that is sent, received, created or stored on a company’s computer system is considered company property, regardless of whether the company is hosting the email system or an employee is accessing a private email provider through it. Email content could be admissible in a legal case. Since an employer is in possession of this information, it could become involved in a legal matter simply because it is holding key information.
What about personal email?
Many employees use their work computers to send or check personal email, either because their employer permits it or because webmail sites are simply not blocked by a blacklist.
However, some companies are choosing to prohibit personal email use on company-owned computers, citing risks in three areas:
- Threats to the company’s network
  - Computer viruses could be introduced through phishing attacks. Company email systems often implement controls that alert recipients to email received from outside the company, while employees’ personal email accounts often have fewer controls. File attachments could contain ransomware, and emails containing hyperlinks could direct employees to unsafe websites.
  - Although employees are trained to be vigilant when using the company’s email system, they may treat their personal email with less scrutiny simply because it is “their” email.
- Threats to the company’s reputation
  - Emails sent containing objectionable language, images or material, or messages with religious, political or other controversial content.
  - When employees use company email, they act as representatives of their employer. If email content contains inappropriate language, or an employee makes statements or promises, the recipient could believe that the company shares these views and that anything promised is binding.
- Sensitive or proprietary information
  - Although a company’s email system may prevent proprietary or sensitive information from leaving the organization, the company cannot implement these controls on private email systems. Employees can email documents to themselves via the web browser and bypass the corporate email environment. The IT department may not be aware that employees are checking personal email unless webmail domains are blacklisted or audited. In the event of a security breach, the company can face legal ramifications for not protecting customer information.
What Should Companies Do Regarding Personal Email?
Companies need to consider any possible liability, and implement an email usage policy. If employers plan to monitor both company and personal emails, the policy should state:
- Personal, web-based accounts are subject to scrutiny. The company requires access to the email account, which the employee must provide.
- Timeframes when personal email usage is permitted.
- Emails must be archived. Archiving allows management to monitor messages and ensure that employees are not engaging in activity detrimental to the business, and it allows the company to audit information in the event disputes arise.
Even after an email policy has been implemented and signed by the employee, the employee could later change their credentials and refuse the company access to their personal email account. The company would then need to find additional means of access to the account.
If a company does not want employees using personal email accounts at work, it should blacklist known webmail domains. Employers should also discourage employees from using work email for personal purposes, to reduce threats to the company network.
Personal Cloud Accounts at Work
Cloud accounts such as Dropbox, Box and Google Drive can simplify data sharing and teamwork among colleagues.
What Are The Advantages?
- Unlimited storage
- Easy transfer and sharing of information
What Are The Disadvantages?
- Information theft
- Information Security
Corporate-Approved Individual Cloud Accounts
Some organizations have implemented “bring your own cloud” (BYOC) policies that officially sanction employee use of consumer-grade cloud applications. Although employees are typically required to sign a non-disclosure agreement, insufficient controls are often in place to prevent employees from transferring confidential information from company servers to a personal cloud. If an employee is terminated, they still have access to their personal cloud account and the company data in it. During litigation, requirements such as preservation holds and retention schedules cannot be enforced because the personal cloud account is not under the company’s control.
Another common scenario is the “stealth” or “shadow” use of personal cloud accounts – employees using their personal cloud accounts in connection with their work duties, without company approval or knowledge.
How Should Companies Monitor Personal Cloud Use?
Companies should identify all locations containing their sensitive and proprietary information, the data endangered by personal cloud applications. If a company cannot identify the precise areas where it has stored its trade secrets and other sensitive materials, it becomes difficult to establish that it used “reasonable steps” to safeguard that information. Once these locations are defined, organizations can develop policies to protect their corporate information.
If personal cloud accounts are not permitted, companies should use blocking software to prevent access to them.
If personal cloud accounts are permitted:
- Companies should enforce the right to monitor, access and disable the use of personal cloud accounts.
- Companies should state what company data can be transferred to the cloud.
- Upon an employee’s termination, cloud accounts should either be disabled or the company should verify that company data previously maintained in the account has been returned or destroyed.
In conclusion, companies need to decide whether use of personal email or cloud accounts is detrimental to their organization, and create and enforce the necessary policies.
Contact Vestige for a consultation on email and cloud policies and security at your place of work.
By Mary Brewer, MBA, BS, AAS
Vestige Digital Investigations