The business risks of using personal email accounts
A customer recently asked us a question that raises some interesting points when individuals use personal accounts such Gmail, Hotmail or Yahoo for business-related emails: “When is it OK to use a personal email for business purposes?”
The short answer is never, but individual proprietors, consultants, can often revert to “personal” email accounts that reflect their name or business name. Personal email accounts exist outside of the IT department’s control. They are not subject to backup, archiving, security or governance so using them for business purposes, is a clear violation of compliance regulations.
And since personal emails are not stored on company servers, discovery and FOIA requests are seriously compromised presenting legal risks to your organization.
The real purpose of Gmail and generic emails
Google’s business model is primarily based on online advertising. The company earned over $95 billion last year selling the personal information of its users to advertisers.
For an advertiser, your emails are a gold mine because we often think of email as a private communication channel. When your bank contacts you or you address an email to your loved one, these seem like two-party conversations. In reality, Google treats your Gmail mailbox as company property, scanning them with powerful software to better understand you.
Privacy issues with generic e-mails
Imagine if Cambridge Analytica had access to your inbox. The Facebook scandal has already given us a glimpse of this power, which can even be used by malicious actors to undermine democracy. Gmail is designed for mass surveillance, and such a powerful tool could be easily misused. The intelligence software Google is developing could someday be turned against us in ways we cannot predict.
Five days after Gmail's launch, a group of privacy advocates wrote a letter to Google expressing their concerns. They said Gmail’s plan to scan emails for marketing purposes “violates the implicit trust of an email service provider.” Gmail has violated that trust again and again, and it will continue to do so because invading people’s privacy is essential to its business model.
What are the legal risks of using a personal account for business?
Allowing employees to use personal email accounts to conduct business means that your company's business information is being stored on mail servers outside of your control, anywhere in the world. You have no way of knowing all the places where your company data is stored, or where it’s been transmitted.
Understanding the risks and implications of using personal accounts for business is not always apparent until there is Freedom of Information requests, internal investigations, or eDiscovery. In all of these cases, those personal accounts may contain relevant information and as such have to be offered up for search and retrieval.
Case Study: The case of “Stengart vs. Loving Care,”
If an employee is using personal email accounts to send business-related emails using a company device, it doesn’t necessarily mean the organization has the right to search those emails. In the case of “Stengart vs. Loving Care,” the New Jersey Supreme Court ruled that an employee “could reasonably expect that e-mail communication with (their) lawyer through her personal, password-protected, web-based e-mail account would remain private and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.”
There is also a corporate risk to be considered
There are a number of other ways in which using personal accounts for business purposes generates corporate risk. Allowing employees to use personal email for work poses serious risks of IP theft, losing company privacy or violating customer privacy, and disrupting network operations due to exploits that can be implemented on computers not secured by your internal policies.
Using personal email compromises company secrets and potentially exposes company correspondence to uncontrolled mining and searching. Virtually all personal accounts can be subject to legal (and in some cases questionable) collection and searching by various security agencies.
The lack of security behind these collections (think WikiLeaks) has compromised entire governments, and businesses should expect no real protection for themselves or their customers!
Continuity can be a big issue
What if this employee who created the generic e-mail leaves the company? Those emails leave with that individual – along with any relevant information, making future searches more challenging.
It’s not just email that is the problem. Employees might use a personal email address to set up any number of functions critical to your company’s day-to-day operations, for example, web hosting accounts or purchasing domains. The employee's personal email address then becomes the owner of the account so if that employee leaves, you may have a difficult time taking ownership of the assets they set up on the company’s behalf. What effect could this have on your ability to do business?
What about credibility?
Does allowing employees to send email addresses from [email protected] present a professional image for your organization? Definitely not.
So what's the best strategy to mitigate these risks?
First and foremost, setting strict policies against the use of personal email for business is the only course of action but despite all the reasons why company business should only be done through company email, users will still take the path of least resistance and use whatever email is most straightforward for them. The burden falls to the company, then, to make sure that the “path of least resistance” is the right path.
Companies can be proactive and ensure that remote or field employees can easily access company email systems using their own devices. Webmail interfaces are easy to set up, and any compliance capture will see and preserve those mails even when sent from a home pc, laptop, smartphone, or tablet.
For non-employees such as contractors and consultants, the issue is the same. If the contractor or consultant is doing business on behalf of the company, then it’s a smart step to provide a company email address for them and enforce strict guidelines on using this as part of the arrangement.
IT departments should always be able to retain central control and visibility of all emails being sent or received on the company’s behalf to avoid the problems that result from business being conducted from personal email accounts, but it does require some simple policies and an IT organization that is both proactive and persistent. The problem might not go away entirely, but it will be a nominal problem, not a big one.
In terms of technology, legal protection, and position on privacy rights, generic and corporate e-mails diverge widely. If you just want an email account, either service will meet your needs. If email security, and in particular privacy is important to you, then you should consider using corporate e-mail accounts for all your signups and communications.