There are lessons for businesses in the scandal regarding former U.S. Secretary of State Hillary Clinton using her personal e-mail account to conduct government business.
And while the jury is still out on just how damaging this was (notwithstanding any legal issues) in Clinton’s case, there are clear and present dangers to any firm that allows its staff to use their own e-mail accounts to conduct the company’s business.
There are three reasons you should set a usage policy that bars your staff from using their personal e-mail for work:
- The danger of your employee’s e-mail being infected by a virus, malware or similar attack that spreads into your own computer systems.
- Hampering your records retention.
- It makes it difficult to comply with electronic discovery if you are embroiled in a legal matter.
A portal to infection
Everyone likes to be able to access their personal e-mail account at work through web-based e-mail accounts such as Gmail or Hotmail.
When employees access their e-mail through websites, this can create a dangerous “back door” through your company’s security firewall so that viruses, trojans, worms and hackers can potentially exploit your network.
If you don’t already have an Internet usage policy in place, develop one now. And if you do have a policy that doesn’t forbid the use of webmail and web-based accounts, talk to your IT support staff about how to best implement such a policy.
Records retention
The Federal Records Act requires government officials to preserve e-mails on department servers rather than sift through personal correspondence to decide what to archive and what to trash.
While the act does not apply to the private sector, your company could still need your e-mail records at some point in the future. In this case, it’s obviously better to have all of those messages on a company account rather than having to sift through all of the conversations in your personal e-mail to locate the exchanges.
Worse than that, if you’ve deleted e-mails, it may appear as if you are conducting the electronic version of shredding documents.
You need to make sure that your important documents are properly preserved and archived so that they can be found quickly later when needed. You need to make sure that e-mails containing sensitive business information are secured and can be accessed only by those who have the authority to view them. Using a private e-mail account circumvents this entirely and is not in the best interest of your organization.
Also, if you’ve invested in developing your company’s records retention policy, your e-mail system and database, those efforts could be wasted if employees circumvent the system by using personal e-mail accounts and devices to create and store work-related information.
Electronic discovery
Storing work-related e-mails in a personal e-mail account can result in a significant and costly burden to your company in case of electronic discovery.
During litigation it’s common practice for attorneys to file discovery motions in order to produce relevant documentation. These days that includes searching through your computer systems and e-mails.
But if one of your employees or managers stored any potentially salient information in their personal e-mail accounts, your business could be required to search their personal e-mails, as well.
This can result in a challenge, since potentially important company information has been comingled with the employee’s personal information. Not only that, but the time involved and concerns about outsiders rifling through a personal e-mail account is not palatable for anybody.
Finally, the costs of performing e-discovery increase with each new data source. This can result in additional expenses and more time.
Violation of best practices
The Wall Street Journal noted in an article titled “Hillary Clinton’s Email-Risk Lessons for CEOs” that executives who employ the same practices as Clinton would do so at risk of legal and security best practices.
“If a [chief executive] of a corporation subject to Sarbanes-Oxley had conducted business affairs this way it would have most certainly been a violation of that legislation,” Bill Solms, CEO of Wave Systems, a data security firm, told the Wall Street Journal.
And Kevin Bocek, vice president of security strategy & threat intelligence at Venafi Inc., told the newspaper: “Control over executive communications, intellectual property, and financial data have been the hallmarks of corporate governance regulations passed over the last decade. Using a home e-mail server takes data outside of the corporations’ control and possibly exposes that data to compromise by hackers.”