Your Personal Email Is Not Safe: You Best Watch What You Say
June 12, 2008
On May 30, 2008 a New Jersey State Superior Court determined that emails sent and received on a private email service are subject to legal discovery under the Freedom of Information Act. This ground-breaking ruling relates specifically to emails that were exchanged between NJ Governor Jon S. Corzine and Carla Katz, a state union leader he once dated. However, the implications of this ruling are expected to have a widespread impact. In short, your personal email is not safe.
According to a recent Proofpoint study, 34% of the largest companies (20,000 employees or more) reported that employee email was subpoenaed in the last 12 months. While the data does not specify the inclusion of employees’ personal email, the precedent set by the NJ State Superior Court indicates that what you write in your personal email (e.g., Gmail, YahooMail) can be subpoenaed. While there exist other examples of employees’ personal email being called into court, these cases were limited to emails accessed through corporate servers (i.e., when you access Gmail in the office, the gloves come off). However, this ruling seems to indicate that messages sent from home or your mobile device are fair game too, especially if they mention business matters.
Many experts advise that you use a personal email account for non-work related email. However, it now seems that anything you say or do online can be used against you. The bottom line: It doesn’t matter where you write it, anything you write online can be used against you.
My advice: Never mention anything business-related in your personal emails. If you are not comfortable sending a message through your work account, you probably shouldn’t send it through your personal account.
Data Leaks Through Email
June 11, 2008
A Proofpoint study “Outbound Email and Data Loss Prevention in Today’s Enterprise, 2008” has revealed some interesting data points on the dangers of using email and other online communication channels in the workplace.
Roger Matus highlighted some of the key findings on his blog Death By Email:
- 44% of companies reported that they investigated an email leak of confidential information in the past 12 months.
- 41% of the largest companies surveyed (those with 20,000 or more employees) reported that they employ staff to read or otherwise analyze the contents of outbound email.
- 26% of companies surveyed terminated an employee for violating email policies in the last 12 months.
- 23% of U.S. companies surveyed said their business was impacted by the exposure of sensitive or embarrassing information in the last 12 months.
- 34% of the largest companies (20,000 employees or more) reported that employee email was subpoenaed in the last 12 months.
In addition to email, companies must be aware of the inherent dangers of allowing employees free access to blogs, message boards, media sharing sites, and mobile devices.
- 27% of companies surveyed had investigated the exposure of confidential, sensitive or private information from lost or stolen mobile devices in the past 12 months.
- 11% of U.S. companies surveyed disciplined employees for improper use of blogs/message boards in the past 12 months.
- 13% of surveyed companies disciplined employees for social network violations and 14% for improper use of media sharing sites in the past 12 months.
- 14% of publicly traded companies surveyed had investigated the exposure of material financial information (such as unannounced financial results) on blogs or message board postings in the last 12 months.
The bottom line: Email is a critical business application and is not going away. Additionally, new media channels like blogs, message boards, and social networking sites are proving to be useful tools for marketing, collaboration, and research. However, companies and employees must understand the inherent risks associated with these applications. Employers should lay down specific guidelines for employees and incorporate technologies to track and prevent inappropriate use of such channels.
Bahambug: 50% of Companies Fire Employees for Internet and Email Abuse
February 29, 2008
According to a study published by InfoWorld and conducted by the American Management Association (AMA) and The ePolicy Institute, more than 50% of companies have fired employees for abusing email and the Internet. The stats are alarming but not surprising.
Internet Misuse
- 84% have been fired for accessing porn and other inappropriate sites
- 34% have been fired for excessive personal use of the Internet
Email Misuse
- 64% have been fired for violating company email policy
- 62% have been fired for sending emails with offensive language
- 25% have been fired for excessive personal use of email
- 22% have been fired for violating confidentiality rules in email
How are companies monitoring email and internet use?
- 66% monitor Internet connections
- 65% use software to block inappropriate Web sites
- 18% block URLs to prevent access to external blogs
Methods for Monitoring
- 45% track content, keystrokes, and time spent at the keyboard
- 43% store and review computer files
- 12% monitor activity on blogs (if they allow access)
- 10% monitor social-networking sites (if they allow access)
Companies keep track of their employees’ behavior due to legal fears
- 24% of companies have had their emails subpoenaed
- 15% of companies have been sued based on employees’ misuse of email
I know it’s frustrating to have your online activity monitored so closely, but we all have to admit that companies not only have the right but they also have good cause to do so. Beyond legal liabilities, companies face security risks for allowing unrestricted access to external messaging and content sites. In addition, many companies are subject to strict document retention regulations and can be heavily fined for not storing all electronic communications and content. So if you are going to access personal messages or surf the Web while at work, please do so smartly.
Access Denied!!! Why can’t I email at work?
January 7, 2008
Can you imagine a place where you cannot talk to your friends without a chaperon or tend to personal matters without permission? I can. I call it
Almost all corporations monitor e-mail communications, but did you know that nearly half of these companies completely restrict employee access to popular email and social networking sites like Gmail, Hotmail, Facebook and MySpace? There is a good chance you know this from personal experience…you are not alone. As a former corporate worker bee, I can relate to the frustrations shared by millions of people who have found themselves blocked from their personal email and social networking messages in the workplace.
Not all corporations are evil, so why do so many block employee access to external messaging accounts when it is clearly an unpopular policy? The answer may surprise you because “Productivity” is not the reason. Most corporate e-mail and internet policies are predicated on security, legal liability and regulatory concerns. In truth, the decision to restrict access is a prudent business practice.
Let’s look at the security issues first. Unrestricted access to external messaging accounts exposes company computing systems to the threat of viruses and other unwanted intrusions. It only takes one erroneous download to take down a single computer or, even worse, an entire network. Even with the best-in-breed anti-virus applications, protecting computers from web downloads is difficult and breaches occur all the time. The bottom line is that the cost, time and lost productivity associated with repairing or replacing an infected computer are high and the ROI on granting employee access to personal messages is low.
So what of the legal liabilities? It’s sad, but we live in a litigious society and an offensive message sent from an employee’s computer can result in the company being sued. Furthermore, because it is difficult and expensive to monitor external messaging accounts in real time, any employee can willingly or inadvertently send confidential or proprietary information without the company finding out. Just think of the scenario where a financial analyst sends a message to a friend about a new deal they are working on. It sounds harmless, but in truth, that employee has just passed on insider information and that can result in investor lawsuits, government fines and even criminal charges. By the time the company finds out, the damage has been done. While instances like this are rare, they do happen and many corporations aren’t willing to take the risk just to keep their employees connected.
This brings us to the next major factor: Government regulation. There are many laws and government organizations regulating corporate email security, privacy and document retention practices. At least eight federal agencies and numerous state agencies have authority to enforce these laws, which include: Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, SEC Rule 17A, NASD Rules 3010 & 3110, the USA Patriot Act and the Cyber Security Enhancement Act of 2002. The legal landscape for online messaging is complicated and unclear; however, the fines for violating these rules can be hefty. In February 2006, Morgan Stanley was fined $15 million by the US Securities and Exchange Commission for its failure to properly retain email messages, and there are many similar examples.


