Using a personal email address for messages that should be available, archivable, and secure is a big deal if you are the former U.S. secretary of state, but what’s the big deal about routing your work messages to your Gmail?
Hillary Clinton’s years-long use of a private email address for government business is a good example (albeit on a much bigger scale) of what we are all probably doing wrong when it comes to email security at work.
Here’s where email use gets murky:
Rule number one, says Timothy Ryan, managing director at Kroll Cyber Security and Investigation, is to take it outside of email if the discussion is sensitive. Talk in person, or, if it needs to be put in writing, send an encrypted attachment.
Email clients don’t have universal encryption, but sharing protected Word documents keeps them safe–as long as you don’t put the password in the bottom of the email. You wouldn’t lock your door and hang the key from the doorknob. Assume every message you send could be used against you by adversaries and competition or leaked to the press.
The biggest issue with using personal email accounts for business purposes–and part of the problem with Hillary’s misstep–lies in record keeping. The Federal Records Act requires government officials to preserve emails on department servers rather than sift through personal correspondence to decide what to archive and what to trash.
You might not be a government official, but your company could still need your email records for legal reasons, and you’d likely prefer they have access to messages on a company account rather than viewing every conversation you’ve ever had via your personal email.
Worse than that, if you’ve deleted emails (in our ongoing struggle towards Inbox Zero, here’s betting you have), it could look like you’re trying to hide something. You don’t want to get the memo that litigation is under way and all emails on the big client from three years ago need to be pulled from the archives–and you’ve deleted all the ones from your personal account detailing your happy-hour meetings.
Another good reason to keep them separate: viruses and outside attacks. If you open a personal email on a work machine, and it shreds the whole company server, you can count on trouble.
But overall, it depends on your industry, Ryan says. It’ll probably be fine, but it could be career-ending. “Generally speaking, people who [use personal email] do it until they themselves are burned. And once you learn that lesson, you never do it again.”
The next time you flop down in a coffee shop to send an internal document, heed the warning of your Wi-Fi connection: public hotspots are prime spots for someone to get between you and your recipients. Not all public Wi-Fi is harboring hackers, but it’s not a safe space for sending sensitive material.
David Reischer, legal analyst and chief operations officer at LegalAdvice.com, says he instructs traveling employees to never connect to the Microsoft Exchange server at airports, coffee shops, and hotels. Ryan says he always jumps through his cell-phone network for a secure connection, using its hotspot capabilities.
You’ve likely seen them, and maybe you have one on every email you send, too: the legalese that says something to the effect of, “This email is confidential and intended solely for the use of the individual or entity to whom they are addressed.” Sometimes they’re short, sometimes they’re longer than the whole email chain combined. But do they really hold power, legally?
“The inclusion of a disclaimer, ‘for recipients’ eyes only,’ serves to notify the recipient that the content of the email message is important and confidential,” wrote Reischer via . . . well, email. “The disclaimer is not necessarily dispositive of any conclusion, but does serve as evidence of the intent of the party that includes such a disclaimer.”
If emails are between you and your attorney–or priest, doctor, and so on–you might want to protect them from potentially prosecuting eyes.
But adding it to each email might be overkill. “There isn’t a magic wand,” Ryan says. “Just because something’s attorney-client privilege, putting it on every single email? I’m not sure that’s helpful.”
Just because an employer can, legally, view company emails as their property, does that mean they should be snooping into employees’ inboxes?
If you’d like to be able to peek, don’t sneak about, Reischer advises. Notify employees of a corporate email monitoring policy if you’re monitoring messages.
Otherwise, only use this power when it’s necessary, says Ryan. If you suspect departing employees of taking important information with them to their new job, you can set monitoring programs that alert on certain thresholds–like file sizes or file types being sent to outside addresses–and not have to constantly keep an eye on email exchanges. There’s just not enough time in the day, he says, and usually not enough reason to do so. “[Companies] shouldn’t be reading people’s emails for the sake of reading people’s emails.”