
Q&A Forum

Our employees have always been able to forward their work email to personal Gmail accounts and mobile devices, but as our company grows we are becoming more concerned with this practice. What are the risks in allowing this to continue?

Roger Frederick's Profile

forwarding work email to personal email


Topic Expert
Regis Quirin
Title: Director of Finance
Company: Gibney Anthony & Flaherty LLP

No disrespect intended, but your policy is a very large mistake. Work and personal should never be combined. There is always a line. If you receive a customer complaint or claim that the customer never received what was promised to them, good luck tracing your records to try and understand the series of events. Additionally, how can you distinguish company ownership vs personal ownership with respect to processes and clients? I would immediately establish a policy that as of 1.1.2013, personal and business will no longer be combined...and enforce it.

(AVP)

Depending on what information your company handles on a day-to-day basis, the policy approach your company should put in place will vary. In the event your company handles material non-public information, information that can be considered proprietary, and other information that would be considered "client or company sensitive", you should instill a policy ASAP. Unfortunately, policy making and communication is only half the battle. You also need to put a control in place and test the control so that you can ensure it works. There are software and vendors that offer this type of security monitoring for outgoing emails and the content therein.

Kelvin Arcelay
Title: SVP Security and Risk Management
Company: Private Company

In order to understand the associated risk, you would need to know your data, information asset classification and what you would lose if it were to become public knowledge.

For example, social security, employee addresses, credit cards, engineering specifications, client lists, contract specifications; probably a big "no-no" to fall in the public domain.

Once you have inventoried and classified your information assets, then, as previously stated, you need to control the information flow; hence you need to make certain there is only one route to go to the internet, meaning no direct access, dial-ups or rogue wireless access points. Then you are in the Data Loss Prevention (DLP) selection exercise.

Topic Expert
Patrick Dunne
Title: Chief Financial Officer
Company: Milk Source

I agree with Regis. Stop this practice. You will have multiple issues including maintaining professionalism in reaching out to customers and also keeping email history.

Bruce McClurg
Title: VP Treasury Management Consult
Company: Consulting

If mail is being sent to a personal account ... I would go further with the problem of asking why an email is being sent in the first place. Is the problem from an employee wanting to get a job done and feeling that they need to send it home to work on it? Or is it to be malicious? Obviously you don't want business mail sent out to personal accounts, and a policy could be put in place. But I think one needs to look at whether the employee is feeling they need to take work home first.

(Agent, JKS Solutions, Inc.)

You should not allow employees to cc their personal email accounts for work communications.

Your company should have an email server set up to send email to employees' mobile devices or provide web mail options so they do not have to "send through" their personal email accounts.

In many industries email contains sensitive information about developments related to your competitive edge. Many employees may be married to spouses who work for your competition, as an example.

There are legal concerns obviously, but there are competitive concerns as well. If you are working for a public company, and you are a consulting operation you are asking for a lawsuit.

You may be asking for legal trouble if you are consulting to public companies and you are sending confidential information between personal accounts during a quiet period.

You need to discuss this with your house counsel and your HR director and your CTO/CIO and figure out how to facilitate email without using personal accounts.

Going into the weeds is not necessary, just put the architecture in place.

