The case I covered yesterday regarding discovery of personal emails from the defendant’s CEO generated a lot of discussion on LinkedIn, much of it about why business and personal emails shouldn’t be mixed. Not only should you not use your personal email account to conduct business, as this article notes, you also shouldn’t send data to your personal email accounts from your business account.
The blog post from Tessian (Unauthorized Emails: The Risks of Sending Data to Your Personal Email Accounts, hat tip to Tim Steele for the link to the article!), notes that to print something, or to get a second opinion from a spouse, most of us have sent “work stuff” to our personal email accounts. And, while we might think it’s harmless…it’s not.
So, why do people send data to their personal email accounts from their business account? Two reasons:
- It’s easier than following security policies: Most of the time, employees send company data to their personal email addresses because they’re trying to get their job done and – well – it’s easier than the alternative. 54% of employees say they’ll find a workaround if security policies or software make it difficult for them to do their job. But some industries are more likely to find workarounds than others.
- They’re maliciously trying to exfiltrate data: Across industries, insider threats are a big problem. In fact, 45% of employees say they’ve taken data with them before leaving or after being dismissed from a job. Can you guess what the most common way of exfiltrating data is? Email.
Whatever the reason, employees send a lot more unauthorized emails than security leaders currently estimate. How many? At least 27,500 a year in organizations with 1,000 employees. Security leaders generally think the number is more like 720 a year. Big difference!
Consequences associated with sending company data to personal email accounts include:
- Breach of contracts or non-disclosure agreements
- Loss of IP and proprietary research
- Breach of data protection regulations
- Heavy fines imposed by regulators and clients (GDPR, in particular, will greatly increase fines for all manner of data breaches)
- Lost customer trust, damaged reputation, and revenue loss
An innocent example of an airline employee sending a spreadsheet containing approximately 36,000 employee records (with SSN and dates of birth in hidden columns) home so his wife could help with a formatting problem may have cost the company as much as $5.7 million. Ouch.
The post (available here with more information) also provides three tips for security leaders for addressing the issue:
- Educate your workforce on what to do and what not to do.
- Provide ease of access (with an appropriate level of security) to make it easier for them to access their emails from wherever they need to do so.
- Be proactive, not reactive, by choosing email security platforms that track emails sent to personal email addresses, so you can reinforce security policies with those who are attempting to do so.
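As an added example (not code from the post, and not Tessian’s product or any specific platform) of the kind of tracking the third tip describes: a scan over constructed message-tracking records that flags mail from the corporate domain to consumer webmail domains, and notes when the recipient looks like the sender’s own personal address or a document is attached. The corporate domain, the tab-separated log layout and the webmail domain list are assumptions.

```python
"""Flag outbound mail from the corporate domain to personal webmail accounts.

Constructed example; the log layout, corporate domain and webmail list are assumptions.
"""
from collections import Counter
import re

CORP_DOMAIN = "corp.example"  # assumption: the organization's own mail domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
                    "icloud.com", "aol.com", "protonmail.com"}
DOCUMENT_EXT = (".xlsx", ".xls", ".csv", ".docx", ".pdf", ".zip")

# Constructed message-tracking records: sender TAB recipients(;) TAB subject TAB attachments(;)
LOG = """\
jsmith@corp.example\tjohn.smith84@gmail.com\tFW: Q3 customer list\tcustomers.xlsx
jsmith@corp.example\tjsmith@gmail.com\tprint this\tboarding-pass.pdf
akim@corp.example\tbob@partner.example\tcontract draft\tmsa-v3.docx
akim@corp.example\tak.home@yahoo.com\tfyi\t
pdoe@corp.example\tpdoe@corp.example;team@corp.example\tstandup notes\t
"""

def parse(line):
    sender, rcpts, subject, atts = line.split("\t")
    return {"sender": sender, "rcpts": [r for r in rcpts.split(";") if r],
            "subject": subject, "atts": [a for a in atts.split(";") if a]}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def local_tokens(addr):
    """Name-like tokens of the local part: 'john.smith84' -> {'john', 'smith'}."""
    return set(re.split(r"[._\-]+|\d+", addr.split("@")[0].lower())) - {""}

def name_overlap(a, b):
    """Heuristic self-forward check: a token of one address equals or ends with a token of the other."""
    return any(x == y or x.endswith(y) or y.endswith(x)
               for x in local_tokens(a) for y in local_tokens(b) if min(len(x), len(y)) >= 4)

def classify(msg):
    """Return (recipient, reasons) for each personal-webmail recipient of a corporate sender."""
    if domain(msg["sender"]) != CORP_DOMAIN:
        return []
    hits = []
    for r in msg["rcpts"]:
        if domain(r) not in PERSONAL_DOMAINS:
            continue
        reasons = ["personal-webmail"]
        if name_overlap(msg["sender"], r):
            reasons.append("likely-self-forward")
        if any(a.lower().endswith(DOCUMENT_EXT) for a in msg["atts"]):
            reasons.append("document-attached")
        hits.append((r, reasons))
    return hits

def scan(log):
    """Scan the log; return findings and a per-sender count for spotting repeat offenders."""
    findings, per_sender = [], Counter()
    for line in log.splitlines():
        msg = parse(line)
        for rcpt, reasons in classify(msg):
            findings.append((msg["sender"], rcpt, msg["subject"], reasons))
            per_sender[msg["sender"]] += 1
    return findings, per_sender
```

On the constructed log, the scan flags both of jsmith’s messages as likely self-forwards with documents attached, and akim’s Yahoo message as plain personal-webmail traffic, while mail to the partner domain and internal mail is ignored.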
Sending data to your personal email accounts from your business account is not only an eDiscovery issue, it is also a potentially significant cybersecurity and data privacy issue. The old phrase “I never mix business with pleasure” should be applied to keeping your business and personal email accounts separate.
So, what do you think? Have you ever sent data to your personal email accounts from your business account? I’ll bet many of you have, even if you won’t admit it! 😉 Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
Great article, Doug. If work emails reside on your personal account, is your whole personal account then open to scrutiny if there is an incident/investigation? Or just the work emails?
Great question, Brian. At the very least, your whole personal email account becomes potentially discoverable, depending on the circumstances.
Consider this scenario: an employee who is about to leave for a competitor emails a customer list spreadsheet to his personal email account. If he then takes that spreadsheet and makes a few edits on it and then sends it from his personal email account to the competitor he is about to join (without, obviously, linking to his business email account), that seems like a pretty important email in discovery as well.
Aside from people stealing company data, I could even see innocent instances of forwarding to another non-business email account (such as the Boeing example where the employee looped in his wife). The best approach is to not use the personal email account at all for any business content, then discovery of it becomes a non-issue.
Thanks, Doug!