IT managers who allow their users to access personal email accounts via
Web-based sites are putting their companies at risk, according to
“If companies are allowing employees to use personal email tools, but
not retaining those messages, they could be facing serious legal and
regulatory trouble,” says Nancy Flynn, executive director of the ePolicy
Institute in Columbus, Ohio. “Email today is the electronic equivalent
of DNA evidence. If there is a lawsuit, you can take it to the bank that
email will be subpoenaed.”
In fact, a 2004 Workplace Email and Instant Messaging Study, co-sponsored
by the ePolicy Institute and the American Management Association, found
21 percent of the 840 U.S. businesses surveyed had employee email and
instant messages subpoenaed in the course of a lawsuit or regulatory
Flynn says courts are not discriminating about whether the emails were
sent via personal email accounts or business email accounts. “They want
all business-related emails that are being transmitted by employees,”
she says. Not producing these emails could result in a
This puts companies that allow access to popular Web-based services like
Google’s Gmail, Microsoft’s HotMail, AOL and Yahoo Mail on the hot seat.
“How many legitimate business records are escaping the company system
via these services, and won’t be available if the company gets involved
in a lawsuit,” she says.
Web and security experts agree the use of personal Web-based accounts is
a problem for companies under strict compliance and regulatory rules,
such as the Sarbanes-Oxley Act of 2002, as well as those trying to
protect intellectual property.
“It’s about risk minimization,” says Mark Gibbs, founder of Gibbs &
Co., a Web and network consultancy in Ventura, Calif. “Can you fully
defend your compliance? If you are allowing the use of personal Web mail,
you are introducing a whole new realm of risks.”
Policy and Enforcement
Gibbs says companies must decide if they’re going to take a soft or hard
“If you go for the hard approach, then you’ve decided you are not going
to let them access those accounts and you have to make your network
bulletproof,” he says.
This requires a two-pronged approach that includes clearly stated
policies and advanced monitoring, blocking and filtering technology.
First, he says, you should develop and articulate a policy to all
employees regarding the use of personal email. You should have a written
statement that clearly says employees cannot use Web-based email from
inside the corporate envelope, Gibbs says.
Joel Snyder, senior partner at Opus One security consultancy in Tucson,
Ariz., agrees. “Make sure you not only have a policy, but that you
explain to employees why you have a policy,” he says.
According to the 2004 ePolicy Institute/AMA study, 37 percent of
organizations surveyed were unclear about the difference between an
electronic business record and an insignificant message. Flynn says this
indicates that companies need to clearly understand what information is
important to them and would pose a risk if it were to get out.
She says it’s critical for companies to make employees aware of the risks
involved in everyday communications, adding that companies have to put
muscle behind their policies. In the survey, although 79 percent of
companies have a written email policy in place, only 25 percent
terminated employees for violating that policy.
Flynn says companies often are unclear about what constitutes personal
use. Executives must set guidelines about how much time users can spend
on personal messaging, via what systems, and with whom they can
To make sure these rules are being enforced, she recommends companies put
in place sophisticated monitoring and filtering tools.
Gibbs suggests employing software to block popular mail service Web
sites. He also says IT managers can use tools that perform on-the-fly
keyword monitoring to ensure that messages do not contain sensitive
Some IT groups employ virus scanners to keep an eye on personal
messaging, but Snyder warns that “most, if not all” of these tools
don’t handle Web-based email very well. Instead, he says some of the free
tools, like Snort, might be better suited to examine these packets. He
adds that companies could force all outbound HTTP/HTTPS traffic through a
proxy as a safeguard.
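As an added illustration (not from the article or from any of the experts quoted), the following Python script applies the proxy-based approach Gibbs and Snyder describe: it reads Squid-style proxy access-log lines and reports which users reached webmail hosts and whether the proxy had already blocked the request. The domain list, log lines, user names and IP addresses are all constructed for this example and are assumptions, not data from the article.

```python
"""Detect personal-webmail use in proxy access logs.

Added example. The log lines below are constructed in Squid's native
access.log format; the domain list is an example policy, not a standard.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Webmail domains the policy bans (example list; extend to match your own policy).
WEBMAIL_DOMAINS = frozenset({
    "gmail.com", "mail.google.com", "hotmail.com",
    "mail.yahoo.com", "mail.aol.com",
})

# Constructed sample lines. Squid native format:
# timestamp elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1106143210.123    45 10.1.2.3 TCP_MISS/200 5120 GET http://mail.google.com/mail/ alice DIRECT/192.0.2.10 text/html
1106143211.456    12 10.1.2.4 TCP_MISS/200 820 GET http://www.example.com/index.html bob DIRECT/192.0.2.20 text/html
1106143212.789   300 10.1.2.5 TCP_TUNNEL/200 9000 CONNECT mail.yahoo.com:443 carol DIRECT/198.51.100.5 -
1106143213.001    30 10.1.2.6 TCP_MISS/200 400 GET http://notgmail.com/ dave DIRECT/203.0.113.9 text/html
1106143214.002    15 10.1.2.3 TCP_DENIED/403 0 GET http://www.hotmail.com/ alice NONE/- text/html
"""


@dataclass(frozen=True)
class WebmailHit:
    client: str
    user: str
    host: str
    method: str
    denied: bool  # True when the proxy itself already blocked the request


def host_of(method: str, url: str) -> str:
    """Return the destination hostname from a proxy log entry.

    HTTPS goes through the proxy as a CONNECT tunnel, which logs only
    'host:port'; plain HTTP logs the full URL.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def is_webmail_host(host: str, domains=WEBMAIL_DOMAINS) -> bool:
    """Exact or subdomain match only: 'notgmail.com' must not match 'gmail.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line: str):
    """Split one Squid native log line into the fields the check needs."""
    fields = line.split()
    if len(fields) < 8:
        return None
    client, action, method, url, user = fields[2], fields[3], fields[5], fields[6], fields[7]
    return client, action, method, url, user


def find_webmail_hits(log_text: str, domains=WEBMAIL_DOMAINS) -> list:
    """Return every request whose destination is a banned webmail host."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, action, method, url, user = parsed
        host = host_of(method, url)
        if is_webmail_host(host, domains):
            hits.append(WebmailHit(client, user, host, method, action.startswith("TCP_DENIED")))
    return hits


def policy_report(log_text: str) -> dict:
    """Summarise who got through, who was blocked, and how much was HTTPS."""
    hits = find_webmail_hits(log_text)
    return {
        "allowed_through": sorted({h.user for h in hits if not h.denied}),
        "blocked": sorted({h.user for h in hits if h.denied}),
        "https_tunnels": sum(1 for h in hits if h.method == "CONNECT"),
    }


if __name__ == "__main__":
    for hit in find_webmail_hits(SAMPLE_LOG):
        print(hit)
    print(policy_report(SAMPLE_LOG))
```

Two design points worth noting. The subdomain match is deliberately anchored on a leading dot so that look-alike domains do not produce false positives. And for the CONNECT tunnels that carry HTTPS webmail, the proxy log records only the destination host, so the keyword monitoring of message contents that Gibbs mentions cannot be applied to that traffic without TLS interception; the host-level match is still sufficient to enforce an outright ban and to find the users who got through before the block list was complete.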
Flynn says organizations that can’t afford the risks associated with any
kind of personal email use should ban it altogether.
“The risk, in terms of lost business records and lost productivity and
lost intellectual property, far outweighs any argument anyone would give
in terms of giving employees flexibility. There is just no reason for
employees to have to access personal email tools in the office,” she