The real question: “When is it OK to use a personal email for business purposes?”

The short answer: “Never.”

Risks of using personal email at work:

  • Employees might use a personal email address to set up any number of functions critical to your company’s day-to-day operations, such as web hosting accounts or purchasing domains. The employee’s personal email address then becomes the owner of the account. Therefore, if that employee leaves, you may have a difficult time taking ownership of the assets they set up on the company’s behalf.
  • You may have your company email set up to combat email viruses, but your employees’ personal email accounts may not have that level of protection. One employee opening up an email virus on a company computer can leave you and your entire business vulnerable.
  • Allowing employees to use personal email accounts to conduct business means that your company’s business information is being stored on mail servers outside of your control. You then would have no way of knowing all the places where your company data is stored, or where it’s been transmitted.
  • Using personal email for business can cause embarrassment, financial penalties, or legal difficulties.
    • The legal risks:
      • If there are regulations covering your business (such as HIPAA), personal email means your company will likely be found out of compliance.
      • Personal emails are not stored on company servers.
      • Your ability to respond to discovery requests is seriously compromised.
  • Personal email is not subject to backup, archiving, security or governance.
  • Continuity can be a big issue – what if this employee leaves the company? Those emails leave with that individual – along with any relevant information, making future searches more challenging.
  • This practice poses serious risks of IP theft, losing company privacy, or violating customer privacy.
  • Many free webmail services have fairly weak recovery mechanisms for users who forget their passwords. This means that non-employees or attackers might be able to guess the user’s challenge questions correctly and gain access through the recovery process.
  • Major email providers like Gmail scan their users’ emails (and the attachments). Their justification is to block malicious material, but the scanning also destroys privacy.
  • Personal email accounts are not covered by your company’s security policies. Your employee may have agreed to Gmail’s Terms and Conditions (which allow for email content searches), but your company didn’t. You may have a good data privacy policy in place—but personal email accounts can bypass it with one click of the “Send” button.
  • If your employees are dealing with sensitive client information or confidential company information, you won’t be able to control whom they send it to. An unhappy employee could severely hurt your business and expose you to legal liability by disseminating confidential client information that they have saved in their personal email.
  • If you receive a customer complaint or claim that the customer never received what was promised to them, good luck tracing your records to try and understand the series of events.
  • Additionally, here are a couple of questions to consider:
    • Does allowing employees to send email from [email protected] present a professional image for your organization?
    • How can you distinguish company ownership vs. personal ownership with respect to processes and clients?