Natalia Merzlyakova - Fotolia
Recent reports of Hillary Clinton using personal email for government work during her tenure as Secretary of State have Exchange admins talking about email policies in the workplace.
A House committee discovered Clinton's reliance on her personal account for official business during its investigation into the attack on the American consulate in Benghazi. It has raised questions about the contents of her email, her server's security and potential law violations.
But the use of personal email accounts for business isn't a new concept in the Exchange Server world. Consultants see this issue come up in many of the businesses they work with.
"It's a special case of shadow IT," said Paul Robichaux, principal architect at Summit 7 Systems, a technology consulting company in Huntsville, Ala.
If end users have problems with their organization's email system -- perhaps it's too slow or it doesn't do something they think is important -- they'll find a way around it, he said.
"People will do what they have to do," Robichaux said.
Some organizations even expect personal email accounts to be used, said Richard Luckett, president of LITSG LLC, a technology consulting company in Round Rock, Texas.
However, many organizations have stringent policies to forbid the use of personal anything for company business. Prohibiting employees from using company systems for personal email "socializes people to say personal should go to personal email and business should go to business email," Robichaux said.
Personal email accounts raise e-discovery, security concerns
One major concern organizations have with using personal email accounts for business is E-discovery. Organizations must provide information if they are subpoenaed for it.
"As soon as data isn't in their systems, they don't have the ability to do that," Luckett said.
If end users use a corporate system on a corporate network, at least it's possible to get to those email systems, Robichaux said.
Another concern is the inability to properly access or secure that data, he added. Those emails aren't included in backups or e-discovery, and they may not be scanned for viruses and malware. If they are, they aren't scanned using the same policies and settings in the corporate environment.
By using personal email for business, data could be outside the secure facilities an organization invests in, Luckett said. And if someone gets physical access, that data is compromised.
"Encrypting data helps, but in terms of accessing the system, physical security is paramount," he said.
Government policy restrictions on personal email accounts
The government agencies Robichaux has worked with have strict policies requiring the use of government systems for email.
A number of these agencies have policies that comply with the Federal Records Act, which dictates government email use and record maintenance. The EPA and NASA, for example, have language in their policies about preserving email under the Federal Records Act, he said.
In 2014, President Barack Obama signed an amendment to the Federal Records Act banning personal email accounts for government business with specific procedures to follow in case of exceptions. A number of senior government officials had used personal email to conduct government business, prompting Congress to amend the law.