In the past few months, I’ve received a number of emails from clients’ employees using their personal email addresses. As business attorneys, the vast majority of our clients are business entities; our clients often indicate a person or a number of people who will communicate with me and our attorneys when the client seeks legal advice. This list may include a director, a person in an executive role, and sometimes a staff member. Occasionally, particularly with start-ups or with new hires, the people acting on behalf of the client will correspond with us through their personal email address instead of a company email address.
There are a number of issues involved with this practice of using a personal email address for business activities, both in the communications between a company and its attorneys, and between the business and its customers (think of it as B2B communication).
Issues involving the company’s communications with third parties. As I mentioned, the trigger for this blog post was me receiving emails from the personal email addresses of employees of a number of clients, which presents potential problems for those clients. This practice may be a problem in your company as well. The most common problems include:
IP Theft: Intellectual property developed in the context of an employment relationship belongs to the employer. When an employee engages in the practice of using their personal email or computer, that intellectual property continues to belong to the employer; however, the employer may not be privy to the content developed by the employee. Private emails are also more easily hacked into, in which case, any business content hosted in the private email account will be at risk.
Losing company privacy or violating customer privacy: All email platforms adopt privacy policies, with varying degrees of privacy and protection of the data exchanged through that platform’s email addresses. While companies tend to ensure more substantial protection of their systems, the use of private emails may result in the company’s data being used by the platform in ways that were not authorized or anticipated by the company and could cause the company to be in violation of contracts with customers or others that have requirements around how to manage and protect that data.
Protecting confidential and privileged communications in case of litigation: An employee communicating with an attorney using the company’s address can ensure that the legal advice is privileged, which means that outside parties cannot easily access that information without the express consent of the company (or other specifically justified situations). The use of private email may result in unintentional removal of that protection. At the same time, a personal email brings private protection to the owner of that email address, which means that the company itself will likely be barred from using the information contained in the private email of an employee.
Protecting private information from security agencies: According to the FISA law, the NSA has the right to record data from both endpoints in an email, as long as one of the parties agrees to cooperate. This means that an employee can allow the NSA to access their private email communications concerning the company’s activities.
Breach of regulations covering the business industry, such as HIPAA for medical providers.
And a number of poor business management practices that can affect the business: continuity of communication between the employee and third parties on behalf of the company; branding perception and credibility; viruses and other security breaches.
Issues involving employee privacy: while private-sector employees typically have no right to privacy for work email and do have a broad expectation of privacy concerning their personal emails, state laws and federal requirements may change that, for example, when the employer is required to and has notified the employee that it may monitor the employee’s communications made using the company’s devices, usually to protect trade secrets, to investigate suspected violations of company policies, and for a number of other reasons.
Make sure that your employee handbook makes it clear that company communications should be done exclusively through the company-approved channels and business email address, that you explicitly discuss this with new hires, and that you talk to any employees you see using their personal email accounts for company business. This may seem obvious to established professionals, but not to everyone, and expectations are better written and said than assumed.
Finally, communication between the attorney and the client’s representatives also needs to follow a few rules.
Attorney’s obligations to the client. As an attorney with ethical and professional responsibilities to clients, we follow a rule when providing legal service to the entity-client via a natural person: we make it clear that the entity is our client and not the owner/founder, or any other person who works for the company. We make sure that the person who makes requests from us has the authority to do so, which means that when a client’s employee reaches out to me for the first time, I’ll reach out to my point of contact to make sure that I can engage with that person. If a client representative is using their personal email, I may also not want to respond to the legal question that I am being asked, because this practice may breach the client’s rights in a privileged communication with the attorney.
By communicating with the attorney using a personal email, the client’s employee is using the “tapped line” to communicate with the attorney. Since the employee is not the client (the employee is a representative of the client), the attorney may refuse to address the request on that channel, because the employee is putting the client at risk and the attorney has an obligation to protect the communication with the client, which is the company and not the employee in their personal capacity. This post is not intended to provide an in-depth review of our ethical obligations to a client, but please do reach out to us if you have questions about this topic.
And stop using your personal email address for your company’s business.