Educause Security Discussion mailing list archives
Email Forwarding
From: "Shamblin, Quinn" <qrs () BU EDU>
Date: Thu, 17 Feb 2011 11:37:18 -0500
Hello Everyone,

I would like to poll the group on whether you allow faculty/staff to forward email to a third-party provider. I am trying to get a sense of how common or uncommon it is to allow forwarding, or if you even have a policy on the subject. If you would like to respond privately instead of to the list, my address is qrs () bu edu. I will compile a summary of the results and send them back out to the list.

Thanks for your input!

--------------------------

For background, I am conducting this poll as input to a decision we are reviewing. We are currently allowing forwarding, but the legal landscape has changed since that decision was made and policy may need to change as well. Here are some of the issues we see:

1. Records Retention - Emails are University business records and ought to be treated as such. When an employee forwards email from his or her bu.edu account to a personal account, the University loses control of those records and must rely on the employee to provide records. If the employee leaves the University, passes away, or loses access to his or her own personal account, these records will most likely be lost to the University.

2. eDiscovery - The University is frequently asked to or needs to collect emails for litigation. If an employee is forwarding, evidence to support the University's claims or defenses may be lost.

3. Contractual Obligations - The University is party to many agreements that require the University to keep a third party's information confidential. When an employee forwards email, that confidence is undermined and the University may be in breach of the agreement.

4. FERPA - Forwarding (non-directory) personally identifiable information ("PII") from student education records to an account administered by a third-party email provider could be a violation of FERPA unless (i) the University had the student's consent, (ii) the University designated the provider a "school official," or (iii) one of the other FERPA exceptions applies. First, student consent, which must be particular to the disclosure and in writing, is impractical and unlikely. Second, the University could not designate the provider a "school official" in the forwarding context. To be a school official, the provider must be performing an institutional service for which the University would otherwise use University employees and be under the direct control of the University with respect to PII from education records. A third-party email provider with whom an employee has a personal email account is not providing an institutional service. The University also does not have a direct relationship with the provider, let alone the ability to control the provider's disclosure of PII. Therefore, such a provider could not be a school official. Finally, none of the other exceptions under FERPA would permit forwarding.[1]

5. State Privacy Laws - If email contains "personal information" (name + driver's license number, social security number or financial account number) and the University is the owner of, or charged with maintaining or storing, the personal information, then unauthorized access to, acquisition of, or use of the email will violate state law in most states. When an employee forwards email containing personal information to a personal account, it increases the number of places that information is stored. In addition, the University no longer has control of the information. This increases the likelihood of a breach and a violation of state law.

6. HIPAA - Protected health information (as that term is defined under HIPAA) should never be sent via regular email. However, if it is, forwarding such an email to a personal account may violate HIPAA and/or the University's contractual obligations. To receive protected health information from the University, the recipient must be the University's "business associate" (as that term is defined under HIPAA) and execute a business associate agreement. If the protected health information is the University's, then forwarding the email to a non-business associate violates the University's obligations as a covered entity. If it is another covered entity's protected health information, then forwarding the email may violate the University's obligations as a business associate. There may be consequences for the University both under HIPAA and under the business associate agreement between the University and the covered entity.

7. Confusion - An @xxxxxxxx.edu address is a reasonably reliable indication to a recipient that the sender is a member of the given University community. When an email comes from a Gmail or Yahoo account, it may be confusing to the recipient or lead the recipient to mistrust the source of the email.

Warm Regards,

Quinn R Shamblin
-----------------------------------------------------------------------------
Executive Director of Information Security, Boston University
GCFA, CISSP, PMP - O 617-358-6310 M 617-999-7523

________________________________
[1] The exceptions include exceptions for disclosures in the event of an emergency, in response to subpoena or court order, or to other universities to which a student wishes to transfer. 34 C.F.R. 99.31.
Current thread:
- Email Forwarding Shamblin, Quinn (Feb 17)
- Re: Email Forwarding Mclaughlin, Kevin (mclaugkl) (Feb 17)
- Re: Email Forwarding Shamblin, Quinn (Feb 17)
- Re: Email Forwarding Theresa Rowe (Feb 23)
- <Possible follow-ups>
- Re: Email Forwarding Joe St Sauver (Feb 17)
- Re: Email Forwarding Shamblin, Quinn (Feb 17)
- Re: Email Forwarding Geoffrey Steven Nathan (Feb 18)
- Re: Email Forwarding Joe St Sauver (Feb 18)
- Re: Email Forwarding Joel Rosenblatt (Feb 18)
- Re: Email Forwarding Geoffrey Steven Nathan (Feb 19)
- Re: Email Forwarding Volz, Donald D (Feb 19)
(Thread continues...)
- Re: Email Forwarding Mclaughlin, Kevin (mclaugkl) (Feb 17)