Educause Security Discussion mailing list archives
Re: Email Forwarding
From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Thu, 17 Feb 2011 12:59:15 -0500
Hi Quinn:

We do not allow or support this type of forwarding, and in light of some recent e-discovery requests we are actually beginning discussions surrounding eliminating the use of email folders that are locally maintained (meaning we'll give everyone space on the central store for maintaining all email). In parallel we are exploring if we want all faculty/staff email to be archived for inactive + 5-10 years.

- Kevin

Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

The University of Cincinnati is one of America's top public research institutions and the region's largest employer, with a student population of more than 41,000.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shamblin, Quinn
Sent: Thursday, February 17, 2011 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Email Forwarding

Hello Everyone,

I would like to poll the group on whether you allow faculty/staff to forward email to a third-party provider. I am trying to get a sense of how common or uncommon it is to allow forwarding, or if you even have a policy on the subject. If you would like to respond privately instead of to the list, my address is qrs () bu edu. I will compile a summary of the results and send them back out to the list.

Thanks for your input!

--------------------------

For background, I am conducting this poll as input to a decision we are reviewing. We are currently allowing forwarding, but the legal landscape has changed since that decision was made and policy may need to change as well. Here are some of the issues we see:

1. Records Retention - Emails are University business records and ought to be treated as such. When an employee forwards email from his or her bu.edu account to a personal account, the University loses control of those records and must rely on the employee to provide records. If the employee leaves the University, passes away, or loses access to his or her own personal account, these records will most likely be lost to the University.

2. eDiscovery - The University is frequently asked to or needs to collect emails for litigation. If an employee is forwarding, evidence to support the University's claims or defenses may be lost.

3. Contractual Obligations - The University is party to many agreements that require the University to keep a third party's information confidential. When an employee forwards email, that confidence is undermined and the University may be in breach of the agreement.

4. FERPA - Forwarding (non-directory) personally identifiable information ("PII") from student education records to an account administered by a third-party email provider could be a violation of FERPA unless (i) the University had the student's consent, (ii) the University designated the provider a "school official," or (iii) one of the other FERPA exceptions applies. First, student consent, which must be particular to the disclosure and in writing, is impractical and unlikely. Second, the University could not designate the provider a "school official" in the forwarding context. To be a school official, the provider must be performing an institutional service for which the University would otherwise use University employees and be under the direct control of the University with respect to PII from education records. A third-party email provider with whom an employee has a personal email account is not providing an institutional service. The University also does not have a direct relationship with the provider, let alone the ability to control the provider's disclosure of PII. Therefore, such a provider could not be a school official. Finally, none of the other exceptions under FERPA would permit forwarding.[1]

5. State Privacy Laws - If email contains "personal information" (name + driver's license number, social security number or financial account number) and the University is the owner of, or charged with maintaining or storing, the personal information, then unauthorized access to, acquisition of, or use of the email will violate state law in most states. When an employee forwards email containing personal information to a personal account, it increases the number of places that information is stored. In addition, the University no longer has control of the information. This increases the likelihood of a breach and a violation of state law.

6. HIPAA - Protected health information (as that term is defined under HIPAA) should never be sent via regular email. However, if it is, forwarding such an email to a personal account may violate HIPAA and/or the University's contractual obligations. To receive protected health information from the University, the recipient must be the University's "business associate" (as that term is defined under HIPAA) and execute a business associate agreement. If the protected health information is the University's, then forwarding the email to a non-business associate violates the University's obligations as a covered entity. If it is another covered entity's protected health information, then forwarding the email may violate the University's obligations as a business associate. There may be consequences for the University both under HIPAA and under the business associate agreement between the University and the covered entity.

7. Confusion - An @xxxxxxxx.edu address is a reasonably reliable indication to a recipient that the sender is a member of the given University community. When an email comes from a Gmail or Yahoo account, it may be confusing to the recipient or lead the recipient to mistrust the source of the email.

Warm Regards,

Quinn R Shamblin
-----------------------------------------------------------------------------
Executive Director of Information Security, Boston University
GCFA, CISSP, PMP - O 617-358-6310 M 617-999-7523

[1] The exceptions include exceptions for disclosures in the event of an emergency, in response to subpoena or court order, or to other universities to which a student wishes to transfer. 34 C.F.R. 99.31.