Technewsworld is running a story on company personnel who forward company e-mail to their MSN, Google, Yahoo, or other hosted e-mail accounts.
So after spending all that money to secure your corporate e-mail systems, users as always have found a way around it, and its not new.
Users are really clever when it comes around to circumnavigating security controls. We would not keep on piling on security controls if users could just work with what controls are already in place. But the forwarding of tidbits, or even hostile e-mails to your home account is a time honored tradition that all users really do, they do it a lot, and probably some security folks are also guilty of the same thing. It is a way to back up what ever you think the issue is going to be in the future, because you just ever know. Or if it is lights out, and the company is down, using personal e-mail from home is a way to keep getting work done, send it from your home account to your receiver, and just CC your work address on it.
This following point though is the most interesting:
“Also, because messages sent from Web-based accounts do not pass through the corporate mail system, companies could run afoul of U.S. laws that require them to archive corporate mail and turn it over during litigation. Lawyers in particular wring their hands over employees’ using outside e-mail services. They encourage companies to keep messages for as long as necessary and then erase them. Companies have no control over the life span of e-mail in employees’ Web accounts.” (Technewsworld)
As well as corporate intellectual property falls under some uncertainty when it comes ot outside e-mail services:
“Many corporate technology specialists express the fear that Google and its rivals may actually own the intellectual property in the e-mail that resides on their systems. Gmail’s terms of service state that e-mail belongs to the user, not to Google. Its automated software does scan messages in Gmail, looking for keywords that might generate related text advertisements on the page. A spokesperson for Google said it had an extensive privacy policy to ensure that no humans at Google read user e-mail.” (Technewsworld)
Not only do we have a discovery problem, but we also have a intellectual property problem along the way. Once lawyers have checked the send box, or the headers of the e-mails, those personal accounts also become discoverable, and users have to worry about turning over control of their personal e-mail boxes as well as the corporate e-mail boxes. This is an additional hurdle not just for the company, but for the hosted e-mail systems as well as the user who uses those hosted e-mail systems.
It will be interesting when these problems get addressed in the courts, and how those hosted e-mail systems might just prove to be the issue of the day. Where does ownership of corporate e-mail end, and under what issues does liability end for the company along the way.
The best solution is probably not to have people use their external e-mail systems to host corporate data, but then end users will do what they think they need to do, to do their jobs, or cover their butt in case something they are working on goes south. Its worth finding out why people do this at the office, and something that should be governed by corporate policy.
Add to 
Bookmark Murdok:
Dan Morrill has been in the information security field for 18 years, both
civilian and military, and is currently working on his Doctor of Management.
Dan shares his insights on the important security issues of today through
his blog, Managing
Intellectual Property & IT Security, and is an active participant in the
ITtoolbox blogging community.
