Data Loss and Other Risks – Employees Sending Email to Their Home Computer for Business Purposes

It can be very tempting for employees to use their personal email accounts to do corporate business. The typical scenario is that they didn’t quite get all their work done on a document in the office, so they send that document to their personal email account, where they can pick it up at home and continue working on it.

In this article, we’ll have a look at why employers should have a policy against employees using this practice. Having a clear policy might save some embarrassment, financial penalties or even legal difficulties,  and might help people understand why it’s important.

Unauthorized Disclosure

One of the most important reasons for not using personal email accounts – especially those hosted by ISPs or free Webmail services – is the risk of unauthorized disclosure of sensitive information.  There are several ways that sensitive information might become compromised when sent to a home email account.

Many free Webmail services have fairly weak recovery mechanisms for users who forget their password. This means that attackers might be able to guess the user’s challenge questions correctly, and gain access through the recovery process. This happened to vice-presidential candidate, Sarah Palin, in 2008, when an attacker broke into her Yahoo Mail account by guessing the answers to her password recovery challenge questions.

Under pressure for more advertising revenue, some Email hosting services, such as Google’s Gmail, may actually “index” the contents of a user’s Email inbox.  Indexing is the process of counting the number of occurrences of each word in each message (and attachments), as well as their locations (to create better contextual information about the messages). This would allow the service to present targeted advertisements to the user, creating a more “personalized” experience. (Have you ever noticed that the ads shown beside your Gmail inbox seem to reflect some knowledge of the general content contained within your messages?) However, the fact that the hosting service has indexed the user’s Inbox means that the text has probably been copied and read by the service’s computers. If not disposed of properly after indexing, the copied text could leak to other systems.

Once an employee gets into the habit of emailing office documents to their home computer, increasingly sensitive information could be sent to outside accounts without appropriate protection, such as encryption. Employees may not know when a seemingly benign habit can become a serious confidentiality risk.

Loss of Availibility

Aside from the above confidentiality issues, sending documents to personal email accounts to do work at home can also cause a number of availability and retention issues for official corporate records. Once a record is edited at an off-site location, its most recent version is not available to other workers who may be relying on it. It might be difficult to recover from the loss of that data.

Legal Issues

In more serious situations, documents sent to personal email accounts may remain on the email service’s server longer than the employer’s corporate retention policy would allow. This means that if a legal discovery action determines that employees were emailing corporate documents to their home accounts, a much longer and more costly discovery period may be triggered, causing the email providers to be compelled to reveal all of the contents of personal email inboxes.

Enforceable Policies

For the above reasons, it is important for employers to have enforceable policies on the use of personal email accounts.  With the TITUS Aware product, it is easy to configure “Safe Domains” or to “Blacklist” certain email domains in order to discourage the practice of sending corporate documents to home email accounts.  The figure below shows a typical warning that an employee might see if they attempt to send an email message to an unauthorized domain.

Click for larger image

Employees can still be allowed to send emails if they deem that the circumstances are warranted, but these decisions should be audited and monitored. This provides an opportunity and a mechanism for educating employees on the importance of proper email handling.

Does your organization allow the use of personal email accounts for handling corporate documents? Has this caused any incidents or concerns?

If you’d like more information on how the TITUS products can help implement features such as “Safe” or “Blacklisted” domains to improve Data Loss Prevention, please use the coordinates on our Contact Us page to let us know.

Leave a Reply