Educause Security Discussion mailing list archives

Email Forwarding


From: "Shamblin, Quinn" <qrs () BU EDU>
Date: Thu, 17 Feb 2011 11:37:18 -0500

Hello Everyone,

I would like to poll the group on whether you allow faculty/staff to forward email to a third-party provider.

I am trying to get a sense of how common or uncommon it is to allow forwarding or if you even have a policy on the 
subject.  If you would like to respond privately instead of to the list, my address is qrs () bu edu

I will compile a summary of the results and send them back out to the list.

Thanks for your input!

--------------------------

For background, I am conducting this poll as input to a decision we are reviewing.  We are currently allowing 
forwarding, but the legal landscape has changed since that decision was made and policy may need to change as well.

Here are some of the issues we see:

1. Records Retention - Emails are University business records and ought to be treated as such. When an employee 
forwards email from his or her bu.edu account to a personal account, the University loses control of those records and 
must rely on the employee to provide records. If the employee leaves the University, passes away, or loses access to 
his or her own personal account, these records will most likely be lost to the University.

2. eDiscovery - The University is frequently asked to or needs to collect emails for litigation. If an employee 
is forwarding, evidence to support the University's claims or defenses may be lost.

3. Contractual Obligations - The University is party to many agreements that require the University to keep a 
third party's information confidential. When an employee forwards email, that confidence is undermined and the 
University may be in breach of the agreement.

4. FERPA - Forwarding (non-directory) personally identifiable information ("PII") from student education records 
to an account administered by a third party email provider could be a violation of FERPA unless (i) the University had 
the student's consent, (ii) the University designated the provider a "school official," or (iii) one of the other FERPA 
exceptions applies.

First, student consent, which must be particular to the disclosure and in writing, is impractical and unlikely. Second, 
the University could not designate the provider a "school official" in the forwarding context. To be a school official, 
the provider must be performing an institutional service for which the University would otherwise use University 
employees and be under the direct control of the University with respect to PII from education records.  A third party 
email provider with whom an employee has a personal email account is not providing an institutional service. The 
University also does not have a direct relationship with the provider, let alone the ability to control the provider's 
disclosure of PII. Therefore, such a provider could not be a school official.  Finally, none of the other exceptions 
under FERPA would permit forwarding.[1]

5. State Privacy Laws - If email contains "personal information" (name + driver's license number, social security 
number or financial account number) and the University is the owner of, or charged with maintaining or storing, the 
personal information, then unauthorized access to, acquisition of, or use of the email will violate state law in most 
states.  When an employee forwards email containing personal information to a personal account, it increases the number 
of places that information is stored. In addition, the University no longer has control of the information. This 
increases the likelihood of a breach and a violation of state law.

6. HIPAA - Protected health information (as that term is defined under HIPAA) should never be sent via regular 
email. However, if it is, forwarding such an email to a personal account may violate HIPAA and/or the University's 
contractual obligations. To receive protected health information from the University, the recipient must be the 
University's "business associate" (as that term is defined under HIPAA) and execute a business associate agreement. If 
the protected health information is the University's, then forwarding the email to a non-business associate violates 
the University's obligations as a covered entity. If it is another covered entity's protected health information, then 
forwarding the email may violate the University's obligations as a business associate. There may be consequences for 
the University both under HIPAA and under the business associate agreement between the University and the covered 
entity.

7. Confusion - An @xxxxxxxx.edu address is a reasonably reliable indication to a recipient that the sender is a 
member of the given University community. When an email comes from a Gmail or Yahoo account, it may be confusing to the 
recipient or lead the recipient to mistrust the source of the email.

Warm Regards,

Quinn R Shamblin
-----------------------------------------------------------------------------
Executive Director of Information Security, Boston University
GCFA, CISSP, PMP  -  O 617-358-6310  M 617-999-7523



________________________________

[1] The exceptions include exceptions for disclosures in the event of an emergency, in response to subpoena or court 
order, or to other universities to which a student wishes to transfer.  34 C.F.R. 99.31.
