When Personal Email Is Serious Business
Hillary Clinton is currently under fire for the use of a personal email account while United States Secretary of State. Mrs. Clinton apparently exclusively (or nearly exclusively) used her personal email account while Secretary of State, rather than her official United States government email account. Whether or not this practice was appropriate or legal, it is a good reminder for companies to review their email use and retention policies for employees.
Typically, employers have been concerned with the use of business email accounts or mobile devices for personal use. Issues that may arise include human resources policy violations and the disclosure of sensitive data, including proprietary or trade secrets, sensitive financial information, or legally privileged information. However, employers must be similar cognizant that employees may use personal email accounts to conduct business – particularly in heavily regulated industries with confidentiality concerns.
While many of us take for granted the relative security of free email products such as Gmail or Yahoo, those products may not be appropriate for sensitive data. In addition, the employer cannot require additional security measures, such as strong passwords or spam filters, which decrease the risk of unauthorized access. Moreover, any required retention of email will not automatically occur with personal email accounts, exposing the company to potential spoliation sanctions or regulatory violations.
An example of this problem is found in Puerto Rico Tel. Co., Inc. v. San Juan Cable LLC, No. 3:11-cv-02135 (Oct. 7, 2013). The court found spoliation where three of the defendant’s former officers failed to preserve relevant emails from their personal email accounts. While the court declined to award sanctions of an adverse inference at that time, the court suggested the plaintiff perform a forensic examination of the former officers’ personal email accounts, presumably at the defendant’s cost.
The use of non-business email for business use (or business email for non-business use) must be addressed as part of any company’s regular technology policy review. Employees, particularly those with access to sensitive information, must understand the potential pitfalls inherent in the use personal email accounts for business purposes.