Two types of e-mail provider to avoid for board business

Company directors who use personal e-mail services, or accounts belonging to a substantive employer, introduce risks to the companies they direct that need to be managed.

A 2015 study estimated the average number of business e-mails sent and received per person, per day, at over 120 (including spam that beat the filters), and predicted the figure would only increase. It is unsurprising that we do what we can to simplify our use of e-mail.

For convenience, company directors have typically handed a personal e-mail address to the company secretary of each company they direct. If not a personal one, the alternative is their address at a substantive or primary employer.

A study in 2018 found that 92% of company directors preferred to use personal e-mail accounts for communication.

Not using an e-mail account managed by the company a director oversees is usually done for no reason other than convenience. It means one less account to manage, one less barrier to communication, and potentially one less device or access control to contend with.

But this convenient solution creates several inconvenient problems.

The problems created by using free e-mail services and other company accounts

Here are five problems, in no particular order, created by company directors who do not use e-mail accounts issued by the companies they direct.

Cyber security risk

Ironically, directors are privy to some of the most sensitive company information, yet their use of an e-mail service outside their own company's system becomes the weak point in keeping that information confidential.

Free accounts with providers such as Google (Gmail) and Microsoft (Outlook.com) are an attractive target for attackers. Although these accounts can be configured with more than a password, multi-factor authentication and other security enhancements are optional and are easily skipped. Suspicious activity and breaches can go unnoticed, because nobody but the account holder is looking.

Personal e-mail accounts of this kind put the onus of security and account management entirely on the end user. If system security is not their specialty, there is little assurance they are as well protected as they would be with a corporate account.

Corporate accounts are generally centrally managed by a trusted IT team. Advanced security in these cases can include monitoring for suspicious account activity, such as failed login attempts from unknown devices, or multiple logins from geographically diverse locations.
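As an added illustration (not code from the original article), the following is the kind of check a corporate mail team's monitoring runs over sign-in events: a failed attempt from a device the account has never used, and two successful sign-ins too far apart geographically for the time elapsed ("impossible travel"). The log format, the 900 km/h threshold, the device inventory and the sample sign-in lines are all constructed for this example and are not taken from any real provider.

```python
"""Toy sign-in anomaly detector: flags failed logins from unknown devices and
'impossible travel' between successive successful logins. The log format,
thresholds and sample data below are all constructed for this example."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Fastest plausible legitimate movement between two sign-ins (assumed: roughly
# airliner speed). Anything faster is treated as two different actors.
MAX_PLAUSIBLE_KMH = 900.0

# Devices each account has previously enrolled (constructed inventory).
KNOWN_DEVICES = {
    "director@example.com": {"laptop-01"},
    "ceo@example.com": {"laptop-02"},
}

# Constructed sign-in log: "<ISO timestamp> <user> key=value ...".
# Line 2 is a London -> Sydney hop 20 minutes after line 1; line 3 is a
# failed attempt from a device the director has never enrolled.
SAMPLE_LOG = """\
2024-03-04T09:00:00Z director@example.com device=laptop-01 lat=51.5074 lon=-0.1278 result=success
2024-03-04T09:20:00Z director@example.com device=browser-77 lat=-33.8688 lon=151.2093 result=success
2024-03-04T10:05:00Z director@example.com device=phone-99 lat=51.5074 lon=-0.1278 result=failure
2024-03-04T11:00:00Z ceo@example.com device=laptop-02 lat=51.5074 lon=-0.1278 result=success
2024-03-04T12:00:00Z director@example.com device=laptop-01 lat=51.5074 lon=-0.1278 result=failure
"""


@dataclass(frozen=True)
class SignIn:
    at: datetime
    user: str
    device: str
    lat: float
    lon: float
    success: bool


def parse_line(line: str) -> SignIn:
    """Parse one constructed log line into a SignIn record."""
    ts, user, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return SignIn(
        at=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        user=user,
        device=kv["device"],
        lat=float(kv["lat"]),
        lon=float(kv["lon"]),
        success=kv["result"] == "success",
    )


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(log: str, known_devices: dict) -> list:
    """Return alerts (dicts with rule/user/detail) for the two checks above."""
    alerts = []
    last_success = {}  # user -> most recent successful SignIn
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        enrolled = known_devices.get(ev.user, set())

        # Rule 1: a failed attempt from a device the account has never used.
        if not ev.success and ev.device not in enrolled:
            alerts.append({"rule": "failed_login_unknown_device", "user": ev.user,
                           "detail": f"device={ev.device} at {ev.at.isoformat()}"})

        # Rule 2: successive successes too far apart for the time elapsed.
        if ev.success:
            prev = last_success.get(ev.user)
            if prev is not None:
                km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
                # Clamp elapsed time to >= 1 s so identical timestamps cannot divide by zero.
                hours = max((ev.at - prev.at).total_seconds(), 1) / 3600
                if km / hours > MAX_PLAUSIBLE_KMH:
                    alerts.append({"rule": "impossible_travel", "user": ev.user,
                                   "detail": f"{km:.0f} km in {hours:.2f} h from {prev.device} to {ev.device}"})
            last_success[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_DEVICES):
        print(alert["rule"], alert["user"], alert["detail"])
```

Run against the constructed log it raises two alerts, both for the director's account: the London-to-Sydney sign-in 20 minutes apart, and the failed attempt from the unenrolled phone. The failed attempt from the enrolled laptop is deliberately not flagged, since a mistyped password on a known device is routine. This is exactly the visibility a consumer account gives nobody but its owner.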

Corporate accounts at other companies may have additional security controls applied, but the company a director serves has no visibility into how stringent they are, and the other company's mail administrators can generally read, search and retain whatever passes through them. This is worth bearing in mind when a director is using an account at a primary employer.

Data sovereignty and control

Geographical distribution of data by free e-mail providers, for commercial, performance and back-up purposes, means copies of e-mails can end up stored across jurisdictions.

This can lead to a loss of confidentiality. Data is generally subject to the laws of the country in which it is stored, so a government or other third party could, without the user knowing, request and be granted access to communications.

Back-ups can also be stored for unspecified amounts of time, including in perpetuity. This can lead to data retention concerns that conflict with company or regulatory requirements. Even if records get deleted from an inbox, back-ups controlled by providers can continue to exist elsewhere indefinitely.

These concerns can also exist where a director’s substantive employer’s e-mail system is used. Depending on the nature of a director’s primary employment, the matter of confidentiality could be of great concern.

Legal risk

Use of another employer’s work e-mail system may result in a waiver of legal privilege of otherwise confidential board material.

In one case heard in a Delaware court in 2020, it was held that there was no "reasonable expectation of privacy" when one company's e-mail system was used for another company's matters. That sort of finding can jeopardise attorney-client privilege.

Use of a personal e-mail account may also preclude records from being relied on in litigation. Alternatively, independent professionals may need to be brought in to search through personal mailboxes for official board records.

Conflict with company policy

When company directors don’t adhere to the policies of the companies they direct, it sends a message. The wrong type of message. A message that can be interpreted as “one rule for you, no rules for us”.

The importance of adhering to an information security policy is diminished if company directors are comfortable exchanging company documents, information and opinions from freely available consumer e-mail services.

Eliminating leakage of corporate information to uncontrolled locations can be challenging at the best of times. As with all company cultures — cyber security or otherwise — the tone gets set at the top.

Lack of professionalism

Staff conducting business via personal accounts would generally not be tolerated, for numerous reasons. Aside from the obvious security concerns, it would be considered unprofessional.

Consider the signals sent when the CEO or an executive is e-mailing a board member at a non-company domain. In all sorts of ways it can provoke a feeling that a director is figuratively and technically outside of the company, not part of it.

Free e-mail domains such as @gmail.com or @outlook.com are instantly recognisable as consumer services, and can suggest a director does not place significant value on the company or on their role with it.

An account with a substantive employer suggests that company carries more significance.

Consider use of a board portal

Platforms known as board portals are steadily gaining popularity. They can replace e-mail for board business and address most, if not all, of the concerns raised in this article.

Board portals are access-controlled platforms within which sensitive material, such as board and committee papers, is shared. Many also offer in-app conversations, so that discussion stays inside the platform rather than spilling into inboxes.

There is a wide range of board portal software on the market. It pays to research options to ensure that the risks addressed by moving away from e-mail, data sovereignty and control in particular, are not merely transferred to the portal vendor: check where the data is hosted, who administers the platform, and whether access is logged.

In the meantime

For companies concerned with director use of non-company e-mail addresses:

  • Consider establishing a policy, or extending an existing one, on acceptable use of e-mail that covers directors as well as employees, and that bans the use of personal e-mail for business purposes.
  • Limit the information that is shared with non-company e-mail addresses. At a minimum, host sensitive files in cloud storage to which the company controls access, and use e-mail only to alert directors that new content is available.
  • Use the opportunity to educate directors on their personal responsibilities in keeping your company cyber secure.
