Who Owns Your Emails?

Emails stored in the cloud may be exposed to access by other entities and governments

 

One of the easiest applications to move into the cloud is email messaging services. For most organizations the email application stands alone and therefore can be easily exported to the cloud. On the positive side this can reduce costs and free up resources that can be better used elsewhere.

Unfortunately, most executives are unaware of the potential risks they are taking by doing so. Business and IT executives need to fully understand the risk exposures and ensure, to the best of their abilities, that the business is maximally protected.

Metadata and Content

For all data kept in a file or database, there is the actual data itself and data about the data, i.e., metadata. For emails, metadata is envelope information such as the sender, receiver, date of transmission, and file size. According to rules in the U.S. and most other countries, the metadata is considered a business record while the contents of the email are treated as personal communications.

When an enterprise employs a cloud service provider (CSP) to handle its email services, it is authorizing the CSP to have access to the metadata. This can be used for archiving, billing purposes, restoring lost records, etc. This authorization may be for the duration of the contract or it may be for as long as the records are retained at that CSP, which could be for years after contract termination.

Most companies do not intend to allow the CSP to have access to the email contents. But if the terms are not clearly called out in your contract, then the CSP may use the content for its own purposes without informing anyone within your organization.

Business records (metadata) are much easier for government agencies to obtain access to than the personal communications. In the U.S. the email itself is protected by the Constitution’s Fourth Amendment, which protects against unreasonable searches and seizures.

Thus, it is not too difficult for government agencies to subpoena your business records from your CSP without your knowledge. But a warrant is needed to actually search the emails themselves. The CSP may or may not inform you of the warrant request.

Current Cloud Challenges

Some current legal actions raise issues that business and IT executives should be aware of and think about relative to their own emails. In the July 30, 2014 Wall Street Journal, Microsoft's general counsel and executive VP for legal and corporate affairs discussed the company's upcoming hearing concerning the federal government’s attempt to force it to turn over customer emails stored exclusively in other countries.

The emails are stored in Microsoft’s Dublin, Ireland data center, which services customers outside of the U.S. The federal government is asserting that the emails you store in the cloud do not belong exclusively to you but are the business records of the CSP. This gives the government easier access, and you do not need to be notified of the request.

This government action does not conform to last month's unanimous Supreme Court decision, in which the court concluded that a warrant was needed before a government agent could search a cell phone. Here the court concluded that an individual’s email account is an electronic “cache of sensitive personal information.”

Nonetheless, in this case, a U.S. judge deemed U.S. law can apply anywhere in the world if a U.S.-headquartered technology company has control over data in a foreign land. The ruling will be stayed to allow Microsoft time to appeal.

Moreover, quite recently the British passed a law asserting their right to require technology firms to produce emails stored anywhere in the world, including those of U.S. citizens who have never been to the UK. These invasive actions may just be the beginning of an assault by multiple countries on private email correspondence.

Furthermore, if these redefinitions of the rules take hold, then the CSPs themselves (or employees with their own personal agendas) could assume they have rights to the content of corporate emails. None of this is good news for cloud service providers, privacy rights or organizations that store emails in the cloud.

Protective Actions

The first thing business and IT executives need to do is read and understand the potential CSP’s contract. It should clearly call out both parties’ rights during the contract period and afterwards. If the protections are not there, then executives must negotiate a revision to the agreement that protects the access to the metadata and privacy of the data for as long as the CSP is in possession of it.

Most cloud providers are reluctant to address and codify data access, archiving, backing-up, ediscovery, storing, and data sovereignty policies. Organizations should evaluate the positions of multiple email service providers before deciding on a selection and negotiation strategy. This competitive knowledge about the various providers can assist in the negotiation process and the extent of protection available.

Executives should have a clear understanding of the email retention periods. This comes in three forms – corporate, CSP and legal hold retention periods. Enterprises should have in place policies on the retention of emails (as well as other digital and physical records). These policies should be adhered to even if the emails are in the cloud.

How this will be accomplished should be another point of contract discussion and of service level agreement (SLA) measurement and monitoring. It also implies that the CSP will adhere to the policy as it relates to its own archiving of your corporate records and to its rights and use after contract termination. Legal hold retention is a different issue and needs to be addressed in terms of satisfying the ediscovery and legal hold requirements and who pays for it.

Email data consist of the email text itself and all attachments. For best protection, both should be encrypted in transit and at rest. These requirements should also be part of the contract agreement.

Executives should make employees aware of the email retention policies and that they must be adhered to. For emails that must be kept beyond the retention period (such as those that are digital agreements) it is best to print them out and file them with the other records that require longer term retention.

Summary

Choosing an email service provider and instituting policies for emails in the cloud can be challenging but it is better to solve the problems up front than to deal with the exposures and lawsuits later on. While there may not be recourse against government warrants, organizations can minimize risks by negotiating strong SLAs, enacting prudent policies and enforcing adherence. Business and IT executives should carefully consider their insourcing and outsourcing email service options and select a provider that best meets their business requirements.
