Put aside politics and law for a minute. The stories about former Secretary of State Hillary Clinton’s use of her personal email account (exclusively) for her work at the State Department raise issues of corporate (and government) governance, control, security, privacy and work/life balance, apart from the questions of whether such use was legal or permissible. We should take this as a lesson for security and HR governance.
We all (well, almost all) use personal email accounts for “official” stuff. Maybe it’s because the personal account is easier, faster, more accessible, more convenient, or whatever.
We similarly use corporate or government accounts for communications that may not be strictly government or corporate related. You know, “hey, hunny—I’m running late, can you pick up the kids,” or soliciting sales of Girl Scout cookies (“now with 30% more girl scout!”).
But it’s a good idea to keep (well, try to keep) corporate/government and personal communications separate. It’s good for the employee and it’s good for the enterprise.
If an employee uses personal email for corporate/government work, this means that there is the very real potential that the employer will have a right, and sometimes the obligation, to review the contents of that personal e-mail. Currently, employers claim the right (or more accurately, compel consent) to review the contents of personal communications if they travel through or over the corporate network.
But if you are using personal accounts for corporate or government communications, the company or agency may claim a right to review the communications that were NOT sent over the corporate or government networks. This may be for any of the reasons noted below. By commingling corporate/government communications with personal communications, you potentially expose the personal communications to corporate/government scrutiny.
From a privacy perspective, you are better off keeping them separate, in both directions. Sending personal communications from a corporate/government account can be even worse than sending corporate/government emails from a personal account. Under the legal doctrine called “implied authority,” sending an email from a government or corporate domain may create the impression that the communication is an official communication of the company or agency, and binds the company or agency.
Almost like (but not quite like) using agency letterhead. Clearly the Secretary of State would not send a MEMORANDUM stating that Charlotte Clinton Mezvinsky is officially the cutest baby girl in the world on official Department of State raised letterhead. Or that the Chicago Cubs are the best team in the history of baseball (go Nats!). But a quick e-mail to that effect, even on an official account, is OK. But if you work for the Federal Trade Commission and send an email from firstname.lastname@example.org to your landlord saying that his actions constitute a violation of the FTC Act and constitute a fraudulent and deceptive trade practice, it’s easy to see how that could be misconstrued as an official FTC communication. Hell, that’s why you sent it in the first place.
From a privacy perspective, if you keep these communications separate (and even better, don’t send personal email through a corporate network – that’s what smartphones are for) you will be better off. Not a hard and fast rule, but a guideline.
2. Data Retention/Destruction
Companies and government agencies have policies on data retention and destruction, which include e-mails and attachments. Most companies try to automate these rules, searching for e-mails older than a certain date, or documents created prior to a certain date. Moreover, if there is a lawsuit, a company (or a government agency in response to a Congressional subpoena) will suspend its destruction policy to prevent relevant documents from being destroyed.
Keeping company or government documents on a personal email account or server – like taking corporate documents home – frustrates this policy. You can’t delete what you don’t know about, and you can’t preserve what you don’t have access to. This means that companies or agencies may be denied access to documents or records they need to function, especially if the employee leaves the company.
Moreover, companies and agencies have document retention and archival legal requirements. If these documents or records are maintained by employees on their personal accounts, the company can’t meet those requirements. Or worse: the company certifies compliance when it isn’t compliant. That’s a bad thing.
Related to retention and destruction is e-discovery. When a company gets a subpoena or demand for production of documents or records, it typically will look on its own computers, servers, etc. for such records. Sending official communications through side channels not accessible to the company or agency means that the company can’t produce those records, and doesn’t have access to those records in its own defense.
It also adds to the cost and expense of production when the company or agency has to rummage through personal e-mails (not to mention the privacy issues) for production of official records. While a company MIGHT argue that the personal emails are not in the company’s “possession, custody and control” for discovery purposes, a court might find that its failure to control its own documents and records constitutes a “spoliation” of records. Courts have imposed massive fines and sanctions in such cases. Not good.
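The retention, legal-hold and e-discovery points above can be made concrete with a small simulation. This is an added example, not code from the article or from any real retention product; the mailbox, addresses and dates are constructed, and the `system` label (enterprise-controlled `corp-mail` versus a side channel) is an assumption used to model "what the company can see." It shows the automated purge, the hold that overrides it, and the side-channel mail that is neither purged, preserved nor produced.

```python
"""Automated retention with a litigation hold, run over a constructed mailbox."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Message:
    msg_id: str
    sent: date
    subject: str
    body: str
    system: str  # "corp-mail" = enterprise-controlled; anything else is a side channel


# Constructed sample corpus (hypothetical content, not real mail).
SAMPLE_MAILBOX = [
    Message("m1", date(2009, 3, 1), "Q1 forecast", "Forecast attached.", "corp-mail"),
    Message("m2", date(2014, 11, 2), "Acme contract", "We agreed to the Acme terms.", "corp-mail"),
    Message("m3", date(2014, 11, 3), "Acme contract", "Side note: Acme also gets a discount.", "personal-webmail"),
    Message("m4", date(2015, 2, 10), "Lunch", "Pizza Friday?", "corp-mail"),
]


@dataclass
class RetentionPolicy:
    retain_for: timedelta
    hold_terms: list = field(default_factory=list)  # litigation hold: matching mail is never purged

    def on_hold(self, m: Message) -> bool:
        text = f"{m.subject} {m.body}".lower()
        return any(term.lower() in text for term in self.hold_terms)

    def apply(self, corpus, today: date, controlled=("corp-mail",)):
        """Classify each message as purged, retained, or unreachable (on a side channel)."""
        cutoff = today - self.retain_for
        purged, retained, unreachable = [], [], []
        for m in corpus:
            if m.system not in controlled:
                unreachable.append(m.msg_id)  # the policy cannot even see it
            elif m.sent < cutoff and not self.on_hold(m):
                purged.append(m.msg_id)
            else:
                retained.append(m.msg_id)
        return purged, retained, unreachable


def discover(corpus, term: str, controlled=("corp-mail",)):
    """E-discovery search: what the enterprise can produce, and what it cannot even find."""
    term = term.lower()
    hits = [m for m in corpus if term in f"{m.subject} {m.body}".lower()]
    produced = [m.msg_id for m in hits if m.system in controlled]
    missing = [m.msg_id for m in hits if m.system not in controlled]
    return produced, missing


def run_policy(hold_terms=("Acme",), today=date(2015, 3, 1), years=5):
    """Convenience wrapper: a five-year purge rule with the given hold terms."""
    policy = RetentionPolicy(timedelta(days=years * 365), list(hold_terms))
    return policy.apply(SAMPLE_MAILBOX, today)


if __name__ == "__main__":
    print("purge/retain/unreachable:", run_policy())
    print("hold on 'forecast' keeps m1:", run_policy(hold_terms=("forecast",)))
    print("discovery for 'Acme':", discover(SAMPLE_MAILBOX, "Acme"))
```

With the hold on "Acme", the 2009 forecast is purged on schedule, the two Acme messages are kept, and `m3` (the discount promised from personal webmail) appears only in the `unreachable` and `missing` lists: the company has an obligation to preserve and produce it but no ability to do either.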
Simply, a company can’t know what it doesn’t know. Having what amount to “side channel” communications means that the company or government agency can’t know what things are happening in their name or on their behalf. It can’t document what happened, or act on this information. It can’t know what promises were made, what context they were made in, and the nature of company or government discussions.
It also means that the company can’t control things like safety, security, privacy, content, harassment, threats, infringement, or other things that could give rise to potential liability. For example, all communications of a broker-dealer to a customer or potential customer must be recorded and are frequently reviewed (automatically) for certain key terms like “promise” or “guarantee.” Establish a side channel of communications, and these controls are circumvented.
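The broker-dealer key-term review described above is essentially a supervisory scan of every archived outbound message, with human follow-up on the hits. The block below is an added illustration, not the article's code or any real compliance product: the messages are constructed, the term list is just the two words the article mentions, and the `channel` label is an assumption modelling which mail the archive actually captures. The point it makes is the coverage gap: a message sent from personal webmail is never scanned, however plainly it would have tripped the rule.

```python
"""Supervisory key-term review of outbound client mail, with a side-channel coverage report."""
import re
from dataclasses import dataclass

# Word-boundary match on the article's two example terms and their common inflections.
SUPERVISED_TERMS = re.compile(r"\b(promise[sd]?|guarantee[sd]?)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Outbound:
    msg_id: str
    channel: str      # "corp-mail" is archived and reviewed; anything else is a side channel
    recipient: str
    body: str


# Constructed sample traffic (hypothetical addresses and wording).
SAMPLE_OUTBOUND = [
    Outbound("o1", "corp-mail", "client@example.test", "Returns depend on the market; nothing is guaranteed."),
    Outbound("o2", "corp-mail", "client@example.test", "The fund's history is strong. Prospectus attached."),
    Outbound("o3", "personal-webmail", "client@example.test", "Between us, I promise this one can't lose."),
    Outbound("o4", "corp-mail", "client@example.test", "Promise me you'll read the risk disclosure."),
]


def review(messages, archived_channels=("corp-mail",)):
    """Return (flagged, unreviewed): hits for a human reviewer, and mail the archive never saw."""
    flagged, unreviewed = [], []
    for m in messages:
        if m.channel not in archived_channels:
            unreviewed.append(m.msg_id)   # control circumvented: nothing to scan
            continue
        hits = sorted({h.lower() for h in SUPERVISED_TERMS.findall(m.body)})
        if hits:
            flagged.append((m.msg_id, hits))
    return flagged, unreviewed


def coverage(messages, archived_channels=("corp-mail",)) -> float:
    """Fraction of outbound client mail the supervisory control can actually see."""
    seen = sum(1 for m in messages if m.channel in archived_channels)
    return seen / len(messages) if messages else 1.0


if __name__ == "__main__":
    flagged, unreviewed = review(SAMPLE_OUTBOUND)
    print("for reviewer:", flagged)
    print("never scanned:", unreviewed)
    print(f"coverage: {coverage(SAMPLE_OUTBOUND):.0%}")
```

Note that the two hits (`o1`, `o4`) are benign uses of the words and will be cleared by the reviewer; that is the normal cost of a key-term control. The message that actually makes an improper promise, `o3`, produces no hit at all because it never passed through the archive, which is exactly the failure the article describes.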
This is the big one. It’s not that personal email is more or less secure than corporate or government e-mail. It’s that we don’t KNOW if it’s more or less secure. We don’t know who is using it or how. Who has access to the personal account? Is the password shared? Is it guessable? Is it changed? Are emails stored or archived? For how long? What about SPAM filters, anti-malware, etc.?
The goal is to protect information – not computers. If company or government INFORMATION is on personal email, it isn’t being protected under the same rules.
And that’s a bad thing.
6. HR Issues
By mixing corporate/government communications with personal ones you further eliminate the business/home distinction that can protect employees’ private actions. A “personal” email that reflects poorly on an employee may be cause for discharge or sanctions. The same goes for other semi-official uses of accounts – Facebook, Twitter, etc. When you mix business with pleasure you create problems.
So whether it’s legal or not is for another day. Not everything that is permissible is wise. And not everything that is wise is permissible.