Business and Personal Email: Not the Same Privacy Game
I was delighted to be asked this week to contribute to TechRadar – in case you didn’t see the article, you can find it here. In it, I explored the differences between privacy of work and personal emails. Conscious that some of our blog readers might not have seen it on TechRadar, I thought it would be useful to repost it for you all…
…I love email. I use email every day for communication and collaboration in every aspect of my work and private life. It has been a feature of my life for decades. A personal email between me and someone else is just that, personal and therefore private – sacrosanct. No ifs or buts. But my work email is a different matter. I appreciate that my business and personal email don’t operate within the same standards of privacy. More to the point - I shouldn't expect them to. That’s why I have two different email addresses.
Organizations carry a serious responsibility for reporting, governance and legal or regulatory compliance. Every communication is part of a chain of evidence an organisation is expected to be able to report on if needed, and email is the archive where the majority of this information exists. It’s where we all do business.
But all too often we bring expectations of freedom and privacy from our private lives into the workplace. We’re uncomfortable about the idea that our employer can enforce ‘appropriate use’ policies or archive email with the right to review it if needs be. Well, we shouldn't need to be concerned about this, because our employer should help ensure that we don’t need to put anything personal in corporate email.
Understanding the Inside and the Outside
First of all, business email is nearly always operated by or for the business, as a dedicated domain with a clearly defined “inside” and “outside,” bounded by a gateway. Inside the boundary, the company has rights and expectations of control over the information, while anything can happen outside. Consumer email, for example, may be viewed as “always outside” in this formulation. Business email that crosses the gateway, in either direction, can be subject to a variety of checks, restrictions, and other processing, which is not the case for consumer email.
In theory, a company has complete control over any information that passes through its gateway. Among the likely jobs of this gateway are:
- Spam filtering. This is usually done in both directions: to prevent outside spam from getting in and to prevent internal machines (perhaps hijacked by a virus) from sending out spam and tarnishing the company’s reputation.
- Data Loss Prevention (DLP). Whatever the business, it’s not uncommon for employees to send sensitive information outside the company, whether intentionally or by accident. However, if a company can define the characteristics of sensitive information, which could be as simple as the words “Do Not Redistribute”, then the gateway can automatically enforce restrictions against sending such information outside the company.
- Large file modification. Internet email operates with size limitations that seem small by today’s standards and, vary from site to site. Email messages that total more than ten megabytes are highly likely not to be delivered. As an alternative, gateways can replace large file attachments with simple links and make the files available from a web server, with or without some kind of user authentication requirement.
While these external gateways may seem complicated, business email is further enriched with more complexities inside the gateway, none of which are concerns for consumer email.
- Security. Most computer security failures come from within the company, most often because an employee has unintentionally allowed malware to infect their machine. This can happen even with the most secure gateway in the world, as users can be tricked into downloading the malware, most often via the web or a USB storage device. Once a machine is weakened, it can easily be used to disrupt all communication-related security. While consumer email can also be compromised, the consumer depends on a service provider to deal with the problem, while a business, and especially the IT manager, needs to worry about it for its internal network. Such disruptions can wholly or partially shut down a company’s email system, or can even cause critical information leaks.
- Privacy. Although all corporate email characteristically belongs to the corporation, it is generally considered important to isolate the mail for each user, so that they can’t all read email to Human Resources or the CEO. This requires a certain amount of effort for account maintenance and administration.
Legal and Regulatory Issues
Finally, most businesses operate under legal and regulatory restraints that are simply not relevant to consumers. Here are a few examples:
- Archiving. There is a strong and highly specific business need for archiving. Some companies want to keep all their information forever, while others want assurance that it’s completely removed after a certain amount of time. (Legal requirements can strongly constrain such policies.) Both of these are tricky to do right; keeping information forever requires disaster-proof practices, while complete purging has to account for such pitfalls as back-up tapes.
- Compliance. In many industries, legal or regulatory requirements place considerable burdens on corporate communication. Beyond archiving, which is often mandated, there are often regulations (such as HIPAA in healthcare in the USA) regarding the treatment of sensitive information. For a company that is not in the communication or compliance business, it can be hard to know what regulations apply, let alone how to comply with them all.
So when all is said and done, if we want to continue to benefit from the power of email in our business life we need to recognize it is a different tool at work than home. Our business email has to operate under different standards of privacy, much like other forms of business communication. Once we take these concerns into account, we might even find we use email more effectively and create less risk or problems for our businesses in the process.
Of course, all of this depends on employers maintaining reasonable policies about occasional use of personal email while at work. If you expect me to accept the rules about corporate email, you should give me a way to occasionally access my personal email from work when it really matters. Otherwise, you’re forcing me to use corporate email to talk to my kids’ doctor, and I’m far less likely to view the privacy limitations of corporate email so benignly.