The case I covered yesterday regarding discovery of personal emails from the defendant’s CEO generated a lot of discussion on LinkedIn, much of it about why business and personal emails shouldn’t be mixed. Not only should you not use your personal email account to conduct business, as this article notes, you also shouldn’t send data to your personal email accounts from your business account.
The blog post from Tessian (Unauthorized Emails: The Risks of Sending Data to Your Personal Email Accounts, hat tip to Tim Steele for the link to the article!), notes that to print something, or to get a second opinion from a spouse, most of us have sent “work stuff” to our personal email accounts. And, while we might think it’s harmless…it’s not.
So, why do people send data to their personal email accounts from their business account? Two reasons:
- It’s easier than following security policies: Most of the time, employees send company data to their personal email addresses because they’re trying to get their job done and – well – it’s easier than the alternative. 54% of employees say they’ll find a workaround if security policies or software make it difficult for them to do their job. But some industries are more likely to find workarounds than others.
- They’re maliciously trying to exfiltrate data: Across industries, insider threats are a big problem. In fact, 45% of employees say they’ve taken data with them before leaving or after being dismissed from a job. Can you guess what the most common way of exfiltrating data is? Email.
Whatever the reason, employees send a lot more unauthorized emails than security leaders currently estimate. How many? At least 27,500 a year in organizations with 1,000 employees. Security leaders generally think the number is more like 720 a year. Big difference!
Consequences associated with sending company data to personal email accounts include:
- Breach of contracts or non-disclosure agreements
- Loss of IP and proprietary research
- Breach of data protection regulations
- Heavy fines imposed by regulators and clients (GDPR, in particular, will greatly increase fines for all manner of data breaches)
- Lost customer trust, damaged reputation, and revenue loss
An innocent example of an airline employee sending a spreadsheet containing approximately 36,000 employee records (with SSN and dates of birth in hidden columns) home so his wife could help with a formatting problem may have cost the company as much as $5.7 million. Ouch.
The post (available here with more information) also provides three tips for security leaders on addressing the issue:
- Educate your workforce on what to do and what not to do.
- Provide ease of access (with an appropriate level of security) to make it easier for employees to access their emails from wherever they need to do so.
- Be proactive, not reactive, by choosing email security platforms that detect emails sent to personal email addresses and reinforce security policies with the employees attempting to send them.
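As an added illustration of the third tip (detecting mail sent to personal accounts), and not code from the Tessian post or from this blog: a small Python script that scans outbound mail gateway log lines, flags recipients at consumer webmail domains, and separately flags “self-sends”, where the personal address looks like the sender’s own account (the pattern in the airline example above). The corporate domain example.com, the list of personal domains, the key=value log format and the sample log lines are all assumptions constructed for this example.

```python
"""
Flag outbound mail from a corporate domain to personal webmail accounts,
with extra weight on "self-sends" (an employee mailing their own personal
account), which is the pattern the Tessian post describes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumptions for this example: the company mails from example.com, and
# these consumer webmail domains count as "personal". Extend the set for
# your environment.
CORPORATE_DOMAIN = "example.com"
PERSONAL_DOMAINS = {
    "gmail.com", "googlemail.com", "yahoo.com", "outlook.com",
    "hotmail.com", "live.com", "icloud.com", "me.com",
    "protonmail.com", "proton.me", "aol.com",
}

# Constructed log lines in a simple key=value gateway format (not real data).
SAMPLE_LOG = """\
2024-05-03T10:12:01Z from=<j.smith@example.com> to=<a.jones@example.com> attachments=0
2024-05-03T10:15:44Z from=<j.smith@example.com> to=<john.smith+work@gmail.com> attachments=1
2024-05-03T10:21:09Z from=<p.wong@example.com> to=<support@vendor.example.org> attachments=1
2024-05-03T11:02:37Z from=<m.lee@example.com> to=<family.photos@yahoo.com>,<m.lee@example.com> attachments=1
2024-05-03T11:40:12Z from=<noreply@newsletter.example.net> to=<j.smith@example.com> attachments=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+from=<(?P<from>[^>]+)>\s+to=(?P<to>\S+)\s+attachments=(?P<att>\d+)$"
)
ADDR_RE = re.compile(r"<([^>]+)>")


@dataclass
class Finding:
    timestamp: str
    sender: str
    recipient: str
    attachments: int
    kind: str  # "self_send" or "personal_recipient"


def split_address(addr: str) -> tuple[str, str]:
    """Return (local_part, domain), lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def normalize_local(local: str, domain: str) -> str:
    """Canonicalise a local part for comparison: drop +tags everywhere, and
    drop dots for Gmail, which ignores them when routing mail."""
    local = local.split("+", 1)[0]
    if domain in {"gmail.com", "googlemail.com"}:
        local = local.replace(".", "")
    return local


def name_tokens(local: str) -> set[str]:
    """Tokens of at least 3 characters from a local part, e.g. 'j.smith' -> {'smith'}."""
    return {t for t in re.split(r"[._\-]", local) if len(t) >= 3}


def is_self_send(sender: str, recipient: str) -> bool:
    """True when the recipient looks like the sender's own personal account:
    identical normalised local part, or the recipient local part contains a
    name token from the sender (j.smith -> john.smith@gmail.com)."""
    s_local, s_dom = split_address(sender)
    r_local, r_dom = split_address(recipient)
    s_norm = normalize_local(s_local, s_dom)
    r_norm = normalize_local(r_local, r_dom)
    if s_norm == r_norm:
        return True
    return any(tok in r_norm for tok in name_tokens(s_local))


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per (message, personal recipient) pair."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected format
        sender = m["from"].lower()
        if split_address(sender)[1] != CORPORATE_DOMAIN:
            continue  # inbound or third-party mail is out of scope here
        for rcpt in ADDR_RE.findall(m["to"]):
            rcpt = rcpt.lower()
            if split_address(rcpt)[1] not in PERSONAL_DOMAINS:
                continue
            kind = "self_send" if is_self_send(sender, rcpt) else "personal_recipient"
            findings.append(Finding(m["ts"], sender, rcpt, int(m["att"]), kind))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "!!" if f.kind == "self_send" and f.attachments else "  "
        print(f"{flag} {f.timestamp} {f.sender} -> {f.recipient} "
              f"[{f.kind}, {f.attachments} attachment(s)]")
```

Run against the sample lines, the script reports two findings: the message to john.smith+work@gmail.com is a self-send with an attachment (the highest-priority case), and the message to family.photos@yahoo.com is an ordinary personal recipient. The normalisation matters: plus-tags and Gmail’s dot-insensitivity are exactly the tricks that defeat a naive string comparison. This is a heuristic, so expect false positives (a shared family account, a contractor who legitimately uses Gmail); a commercial platform would add a domain allow-list, attachment inspection and user-facing prompts on top of the same basic match.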
Sending data to your personal email accounts from your business account is not only an eDiscovery issue, it also is a potentially significant cybersecurity and data privacy issue as well. The old phrase “I never mix business with pleasure” should be applied to keeping your business and personal email accounts separate.
So, what do you think? Have you ever sent data to your personal email accounts from your business account? I’ll bet many of you have, even if you won’t admit it! 😉 Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.