Personal email accounts exist outside of the IT department’s control. They are not subject to backup, archiving, security or governance, so using them for business purposes is a clear violation of compliance regulations. And since personal emails are not stored on company servers, discovery and FOIA requests are seriously compromised, presenting legal risks to your organization.
Perhaps your organization has a legacy of freelancers using personal accounts? What risks is your business being exposed to by letting that continue? The following excerpts come from The business risks of using personal email accounts – Journey Notes (barracuda.com).
What are the legal risks of using a personal account for business?
Even the act of discovery is difficult: personal emails are not discoverable in standard legal discovery procedures.
If an employee is using personal email accounts to send business-related email using a company device, it doesn’t necessarily mean the organization has the right to search those emails. In the case of “Stengart vs. Loving Care,” the New Jersey Supreme Court ruled that an employee “could reasonably expect that e-mail communication with (their) lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.”
There is also a corporate risk to be considered
Allowing employees to use personal email for work poses serious risks of IP theft, losing company privacy or violating customer privacy, and disrupting network operations due to exploits that can be carried out on computers not secured by your internal policies.
Using personal email compromises company secrets and potentially exposes company correspondence to uncontrolled mining and searching. Virtually all personal accounts can be subject to legal (and in some cases questionable) collection and searching by various security agencies.
Continuity can be a big issue: what if this employee leaves the company? Those emails leave with that individual, along with any relevant information, making future searches more challenging.
It’s not just email that is the problem. Employees might use a personal email address to set up any number of functions critical to your company’s day-to-day operations, for example web hosting accounts or purchasing domains. The employee’s personal email address then becomes the owner of the account, so if that employee leaves, you may have a difficult time taking ownership of the assets they set up on the company’s behalf. What effect could this have on your ability to do business?
The solution might be obvious but companies still need to reinforce it
First and foremost, setting strict policies against the use of personal email for business is the only course of action, but despite all the reasons why company business should only be done through company email, users will still take the path of least resistance and use whatever email is most straightforward for them. The burden falls to the company, then, to make sure that the “path of least resistance” is the right path.
Companies can be proactive and ensure that remote or field employees can easily access company email systems using their own devices. Webmail interfaces are easy to set up, and any compliance capture will see and preserve those mails even when sent from a home PC, laptop, smartphone or tablet. When composing a new email, particularly on mobiles, employees need to be reminded to always choose the company email address, not their personal one. For non-employees such as contractors and consultants, the issue is the same. If the contractor or consultant is doing business on behalf of the company, then it’s a smart step to provide a company email address for them and to make strict guidelines on using it part of the arrangement.
IT departments should always be able to retain central control and visibility of all emails being sent or received on the company’s behalf, to avoid the problems that result from business being conducted from personal email accounts. This does require some simple policies and an IT organization that is both proactive and persistent.
The problem might not go away entirely, but it will be a nominal problem, not a big one.