Insights: Article

Private Email Accounts + Business Communications = A Hacker’s Delight

By Anders Erickson

July 06, 2017

The head of the CIA had his private email account hacked. Hackers stole agency data that shouldn’t have been on his personal account. Did you know hackers can use a private email account to attack your customers? Or that employees can keep secrets from you if they use private email? Think twice about allowing personal email accounts for business communications because:

  1. Private email accounts don’t enforce same level of security as corporate email, and they’re more easily hacked.
    • When the head of the CIA had his private email account hacked, they stole agency data that shouldn’t have been there. Among the attachments stolen were a spreadsheet containing names and Social Security numbers—some of them for U.S. intelligence officials—and a letter from the Senate asking the CIA to halt its use of harsh interrogation techniques.
  2.  Hackers could use a private email account to attack your customers.
    • Attackers hacked a user’s Gmail account and sent phishing emails to all of the contacts on the account. Imagine the damage if your customers were hacked through emails sent from a salesperson’s email account. 
  3. Emails sent via personal accounts are not discoverable in standard legal discovery procedures.
    • An employee made the front page of the New York Times two years ago when they never obtained a work email account, conducting all business from a personal account.

      “All companies should be concerned about retention because a failure to preserve information may give rise to allegations of spoliation in litigation. It is nearly impossible for a company to preserve an employee’s personal email account because the company typically has no control over the settings or usage of that account, both of which could increase the likelihood of a spoliation claim. Allegations of spoliation, if proven, can result in substantial sanctions to a company.”

  4. Employees can keep secrets from the business.
    • If an employee is using a personal email account to send business-related email using a company device, it doesn’t necessarily mean the organization has the right to search those emails. In the case of Stengart vs. Loving Care, the New Jersey Supreme Court ruled that an employee “could reasonably expect that email communication with (their) lawyer through her personal, password-protected, web-based email account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.”
    • Communications that employees conduct using their personal email accounts are considered private.
  5. Data sent through a private email account is out of your control.
    • Allowing employees to use personal email accounts to conduct business means that your company’s business information is being stored on mail servers outside of your control, anywhere in the world.
    • Private email services, like Gmail and Yahoo, store data everywhere. They have servers all over the world and there is no way to confidently identify where your data is located when it’s sent via a private email account.

There’s more than enough evidence and data to show that private email accounts are dangerous for business communications. So what are you waiting for? Encourage your employees to exclusively use their work accounts for business communications. Start today.  

Besides setting up a policy so staff only use their work email for work, you should also be employing an email security system to better protect your work email accounts. An email security system should be in place to protect against threats, such as ransomware, coming through email. Even if your team has been trained to be cautious and avoid social engineering, without an effective and strong security system, threats can still get through.

Latest Insights

January 18, 2019
While having your audit team onsite can be stressful, there are certain steps you can take to reduce that stress and make the most of your audit.
January 17, 2019
In this installment of our Common Single Audit Findings and Remediation Series, we discuss the three distinct parts that make up Requirement “G.”
January 17, 2019
Here’s a list of what the IRS is and isn’t doing as the  partial government shutdown rolls on.
January 17, 2019
Eide Bailly recently sat down with Bill Stovall, CEO of Community National Bank in Texas, to hear his thoughts on the current state of the banking industry.
January 15, 2019
The back and forth on tariffs is wreaking havoc for many businesses. Here’s what you can do to help ease the pain.
January 15, 2019
If you are a farmer who sold to a cooperative in 2018, you will need to provide additional information if you’re looking to take advantage of deductions this tax season.