Why Are You Still Making These Basic Email Privacy Mistakes?

Everybody knows never to mix personal and work email. But everybody does it anyway.

[Photo: Flickr user Drew Coffman]

It’s the oldest Internet advice in the book: Keep your personal and professional online lives separate.


That’s probably why a Slate political correspondent effectively scolded Hillary Clinton this week for making an “obvious mistake” using a personal email server for official business as secretary of state, and a recent New York Times opinion piece mocked Ashley Madison customers who were “too stupid” to avoid using their work accounts on the cheating site.

After all, the arguments against mixing work and personal online communication are fairly clear and well-trodden.

Use your work email or office hardware for personal correspondence, and your bosses are legally entitled to monitor every word you type or scour the machine’s hard drive any time they see fit.

“Courts have repeatedly, repeatedly, repeatedly ruled that employers have every right to do that,” says Eric Rzeszut, an IT manager at the University of Virginia and the coauthor of 10 Don’ts on Your Digital Devices.

Even if your employer’s not deliberately monitoring your activity, any private email you send through the company server or files you save on your office hard drive can still end up automatically backed up, mirrored, and archived on systems outside your control, perhaps long after you’ve left the company.

And if you use your personal email or other cloud services for work purposes, you risk violating company policies or even legal privacy and data retention rules, and are liable to take the blame if anything confidential gets leaked or you inadvertently bring malware into the company network. You can even find your personal emails and files subject to unwanted scrutiny if there’s any question about what data you’ve transferred and exactly what you’ve done with it, says digital privacy and security consultant Jonathan Bari.


“The corporation may very well wonder, what is the employee trying to do here and is the employee trying to do something wrong?” he says.

Yet despite all the arguments against it, plenty of people continue to mingle their personal and professional data.

One recent study conducted by document management software company Alfresco suggested Clinton is far from alone in using personal email for government work: A third of public employees polled acknowledged doing so. Even Homeland Security Secretary Jeh Johnson and other senior officials in the department apparently got special permission to check their personal webmail accounts on work computers after the practice was generally banned last year, though it’s not clear if they used the accounts for government purposes.

And in the private sector, research has repeatedly found such practices are at least equally widespread. One 2011 report by email security firm Mimecast found that 79% of those surveyed used their personal email accounts for work. Another study, released in 2013 by research firm Frost & Sullivan and security giant McAfee, found that 80% of respondents had used some kind of unauthorized cloud software for work purposes.

But according to both survey reports, employees mostly weren’t trying to do anything nefarious—often, they were just trying to transfer larger files than their corporate inboxes could handle or using cloud-based tools that were better than what they had at work.

“It turns out users overwhelmingly turn to nonapproved apps for one reason: They need to get their jobs done,” wrote the authors of the Frost & Sullivan report.


But even with the best intentions, workers should still be wary of using unauthorized email accounts and other online tools in the office, says Robert Douglas, the president of Bay Area IT consultancy PlanetMagpie.

“I wouldn’t circumvent—it kind of opens yourself up to repercussions from management,” he says.

Instead, employees should talk to their bosses and IT departments about the best way to handle tasks like sharing large files—there might be an officially approved tool that’s simply not well-advertised, he says.

“If I were an employee of one of those companies, that’s how I would approach it: Please tell me what the official way to share this is, and that’s how I’ll do it,” he says.

And companies can make matters easier by deciding on one approved solution, publicizing it to employees and potentially even blocking other cloud services, says Douglas.

Of course, many companies simply don’t have clear policies or workable solutions in place. At the same time, bosses often still expect that employees have ready access to work data to answer quick questions even when they’re out of the office, says Rzeszut.


In those kinds of situations, workers should try to take reasonable precautions about what kinds of data they allow on outside systems, he says.

“A lot of it is kind of analogous to paper files,” he says. “There are certain paper files in our offices that we might leave just sitting around on our desk or in a conference room, and then there are other files in a typical office where they have to be kept under lock and key in a file cabinet or they’re stored in a secure room where you have to swipe your badge to verify your identity.”

Workers can also take other precautions, like deleting project data from cloud services when it’s no longer in use, says Rzeszut, though he acknowledges most probably don’t.

“People aren’t great at performing any sort of cleanup on their cloud storage,” he says. “In an ideal world, you’d go in and pull that down off the cloud once the project is complete, but because in most cases people don’t run up against the storage limit in their cloud storage providers, they’re not incentivized to do that.”

Setting up work-specific accounts with cloud providers even if they’re not employer-issued, as opposed to simply mingling personal and employer data, can also be a good idea—and another one that’s not often practiced, says Rzeszut.

Still, even for experts, it can take some diligence to keep your personal and professional email lives fully segregated.


“People send me a lot of personal stuff to my company email, and I purposely push it to my private email and respond to them there,” Murphy says.


About the author

Steven Melendez is an independent journalist living in New Orleans.