Navigating Legal and Security Risks: Managing Access to Former Employees' Email Accounts

In today’s digital workplace, email accounts serve as critical repositories for both ongoing projects and historical records. When an employee departs—especially under unfavorable circumstances—the temptation for managers to access the former employee’s mailbox directly can be strong. However, this practice carries significant legal and security risks that organizations must be aware of and proactively manage. Here, we explore these risks and offer best practices for maintaining secure and compliant access to email accounts.

Key Points

  • Security Risks:
    • Compromise of account security through shared or insecure credentials.
    • Issues with data integrity and authenticity.
    • Exposure to phishing and other cyber threats.
  • Legal Risks:
    • Violation of privacy laws (e.g., GDPR).
    • Breach of employment contracts.
    • Increased litigation risks in wrongful termination cases.
  • Best Practices:
    • Use delegated access for former employees’ email accounts.
    • Implement clear policies and procedures for email account management.
    • Conduct regular security audits to monitor access.
    • Consult legal counsel to ensure compliance with laws and regulations.

Security Risks

Compromise of Account Security

Using a former employee’s credentials to access their email account can compromise the security of the account. Disgruntled employees might have shared their credentials with unauthorized parties or could have set up malicious rules or scripts within the account. This poses a significant security risk to the organization’s email system and sensitive information.

Data Integrity and Authenticity Issues

Accessing emails through an ex-employee’s account can lead to issues of data integrity and authenticity. Actions taken under the former employee’s account can be misattributed, leading to confusion and potential data manipulation or loss. It’s crucial to maintain clear and verifiable records of who accessed what data and when.

Risk of Phishing and Other Cyber Threats

If a manager uses outdated or insecure methods to access the former employee’s account, they might inadvertently expose the organization to phishing attacks and other cyber threats. Cybercriminals often exploit such vulnerabilities to gain unauthorized access to corporate networks.

Legal Risks

Violation of Privacy Laws

Many jurisdictions have stringent privacy laws governing access to personal and professional communications. Unauthorized access to an employee’s mailbox can breach these laws, leading to significant legal consequences. For instance, the General Data Protection Regulation (GDPR) in the European Union imposes strict rules on data access and processing. A manager accessing a former employee’s email without proper authorization could constitute a violation, resulting in hefty fines and reputational damage.[1] Additionally, residents of California are protected by the California Privacy Rights Act of 2020.[2]

Breach of Employment Contracts

Employment contracts and company policies often include clauses on the handling of employee data and privacy. Unauthorized access to a former employee’s email account could breach these agreements, potentially leading to legal disputes and claims for damages.

Organizations must establish a comprehensive set of policies and standards to ensure the secure and responsible use of their resources. Key among these are:

  • Acceptable Use Policy (AUP): This policy delineates the proper use of an organization’s computing resources, including networks, software, and technology assets. It serves as a code of conduct for employees, outlining acceptable and unacceptable behaviors to protect the organization’s interests and reputation.

  • Company Property Policy: This policy clarifies the ownership and use of company assets, ensuring that employees understand their responsibilities regarding company property.

  • Employee Non-Disclosure Agreement (NDA): An NDA is crucial for safeguarding sensitive information. It legally binds employees to confidentiality, preventing them from disclosing proprietary information both during and after their employment.

These policies are essential for mitigating risks associated with terminated employees. Without them, a terminated employee could claim privacy rights over company property, potentially leading to legal disputes and security breaches. Therefore, it is imperative that all employees read, understand, and sign off on these agreements before accessing information systems.

Litigation Risks

In cases where an employee has been terminated, particularly under contentious circumstances, any unauthorized access to their email account could be used as evidence of malicious intent or invasion of privacy in wrongful termination lawsuits. This could weaken the employer’s legal standing and result in unfavorable legal outcomes.

In cases where an employee is terminated for misconduct, such as inappropriate behavior towards colleagues or clients, it is crucial to manage access to company resources effectively. Accessing a terminated employee’s mailbox using their account without proper audit trails and policy adherence can lead to non-repudiation risks. Non-repudiation refers to the assurance that someone cannot deny the validity of something. In this context, it means that without proper audit trails, it would be challenging to prove who accessed the mailbox and when, potentially leading to legal and compliance issues.

Best Practices for Accessing Former Employees’ Email Accounts

Delegated Access

The best practice for accessing a former employee’s email is through delegated access. This method allows the manager to access the mailbox using their own credentials, ensuring that all actions are properly logged and attributed. Delegated access maintains the integrity of security protocols and reduces the risk of unauthorized access.

For more information on setting up delegation, see the documentation of common business mail hosting providers:

Implementing Clear Policies and Procedures

Organizations should have clear policies and procedures for handling the email accounts of former employees. These policies should outline the steps for securing and managing these accounts, including the use of delegation for access, and should be communicated clearly to all employees.

For guidance on defining cybersecurity policies within your organization, refer to industry standards such as NIST Special Publication 800-53 Revision 5, specifically controls AC-2, AT-2, AU-10, PS-4, and PT-5 in conjunction with their policy-defining controls.

Employee handbooks and company policy are the first steps to preventing issues from arising with regard to work email. With a clear company policy in place, both employees and employers are aware of email privacy and etiquette. Without a clear company policy on employer access and employee use, there may be inappropriate use and access by both employers and employees.[3]

Regular Security Audits

Conduct regular security audits to ensure that the accounts of former employees are not being accessed improperly. Audits can help identify and mitigate potential security risks, ensuring compliance with legal and regulatory requirements.
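The audit described above, together with the attribution point made under "Delegated Access" and the "malicious rules" concern under "Compromise of Account Security", can be turned into a concrete check over mailbox-audit records. The following is an added example, not code from the article or from any mail provider. It assumes newline-delimited JSON records whose field names (Operation, LogonType, UserId, MailboxOwnerUPN, CreationTime, Parameters) are modelled on Exchange Online mailbox-audit events; the sample records, the offboarding dates and the approved-delegate list are all constructed inline for illustration.

```python
"""Flag improper access to offboarded mailboxes from mailbox-audit records.

Added example (not the article's code). Record layout is modelled on
Exchange Online mailbox auditing; all data below is constructed.
"""
import json
from datetime import datetime, timezone

# LogonType values as used by Exchange mailbox auditing.
LOGON_OWNER, LOGON_ADMIN, LOGON_DELEGATE = 0, 1, 2

# Inbox-rule parameters that move mail out of the mailbox; worth reviewing
# on any offboarded account, whenever the rule was created.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

# Constructed: offboarded mailboxes and the moment their access was revoked.
OFFBOARDED = {
    "j.doe@example.com": datetime(2024, 5, 1, tzinfo=timezone.utc),
}

# Constructed: who is authorised to read each offboarded mailbox by delegation.
APPROVED_DELEGATES = {
    "j.doe@example.com": {"m.manager@example.com"},
}

# Constructed sample audit records (newline-delimited JSON), not real logs.
SAMPLE_LOG = """\
{"CreationTime":"2024-05-03T09:12:00","Operation":"MailItemsAccessed","LogonType":2,"UserId":"m.manager@example.com","MailboxOwnerUPN":"j.doe@example.com","ClientInfoString":"Client=OWA"}
{"CreationTime":"2024-05-03T22:40:00","Operation":"MailItemsAccessed","LogonType":0,"UserId":"j.doe@example.com","MailboxOwnerUPN":"j.doe@example.com","ClientInfoString":"Client=REST"}
{"CreationTime":"2024-04-29T18:05:00","Operation":"New-InboxRule","LogonType":0,"UserId":"j.doe@example.com","MailboxOwnerUPN":"j.doe@example.com","Parameters":[{"Name":"ForwardTo","Value":"someone@external.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-05-02T10:00:00","Operation":"MailItemsAccessed","LogonType":0,"UserId":"a.colleague@example.com","MailboxOwnerUPN":"a.colleague@example.com","ClientInfoString":"Client=OWA"}
{"CreationTime":"2024-05-04T08:30:00","Operation":"MailItemsAccessed","LogonType":2,"UserId":"x.other@example.com","MailboxOwnerUPN":"j.doe@example.com","ClientInfoString":"Client=OWA"}
"""


def parse_records(ndjson):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def _when(rec):
    # Audit timestamps are UTC but carry no offset; attach one so they compare.
    return datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)


def audit_offboarded_access(records, offboarded, approved_delegates):
    """Return a list of findings for records touching offboarded mailboxes.

    Kinds produced:
      SUSPICIOUS_INBOX_RULE          rule forwards/redirects/deletes mail
      OWNER_LOGON_AFTER_OFFBOARDING  the departed user's own credentials used
      UNAPPROVED_DELEGATE            delegate access by someone not on the list
    Approved delegate and admin access is attributed to the actor and not flagged.
    """
    findings = []
    for rec in records:
        mailbox = rec.get("MailboxOwnerUPN")
        if mailbox not in offboarded:
            continue
        actor = rec.get("UserId")
        base = {"mailbox": mailbox, "actor": actor,
                "time": rec["CreationTime"], "operation": rec["Operation"]}

        # Rules persist after departure, so review them regardless of date.
        if rec["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
            if FORWARDING_PARAMS.intersection(params) or params.get("DeleteMessage") == "True":
                findings.append({**base, "kind": "SUSPICIOUS_INBOX_RULE", "detail": params})
            continue

        if _when(rec) < offboarded[mailbox]:
            continue  # ordinary activity before revocation is out of scope here

        if rec.get("LogonType") == LOGON_OWNER or actor == mailbox:
            findings.append({**base, "kind": "OWNER_LOGON_AFTER_OFFBOARDING"})
        elif (rec.get("LogonType") == LOGON_DELEGATE
              and actor not in approved_delegates.get(mailbox, set())):
            findings.append({**base, "kind": "UNAPPROVED_DELEGATE"})
    return findings


def run_sample():
    """Run the check over the constructed sample log."""
    return audit_offboarded_access(parse_records(SAMPLE_LOG), OFFBOARDED, APPROVED_DELEGATES)


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

The three kinds of finding map onto the article's concerns: an owner logon after revocation means the departed user's credentials are still in use, so nothing done under that session can be attributed to a living accountable person; an unapproved delegate means delegation exists but the approval list was bypassed; and a forwarding or deleting inbox rule is the persistent mechanism the "Compromise of Account Security" section warns about. Approved delegate access produces no finding because it is exactly the attributed, logged access the best practice calls for.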

More policy information can be found in NIST Special Publication 800-53 Revision 5, control family AU (Audit and Accountability). For a full assessment framework, refer to NIST Special Publication 800-53A Revision 5.

Consult Legal Counsel

Engage with legal counsel to understand the implications of accessing former employees’ email accounts and to ensure that practices align with current laws and regulations. Legal advisors can provide guidance on how to manage access while minimizing legal risks.

Conclusion

Accessing the email accounts of former employees, especially those terminated under contentious circumstances, is fraught with legal and security risks. By adopting best practices such as delegated access and adhering to clear policies, organizations can mitigate these risks.

It is crucial to balance the need for information with the legal and ethical obligations to protect privacy and maintain data security. Through diligent management and proactive measures, organizations can navigate these challenges effectively and uphold both legal compliance and security integrity.

Disclaimer

This article is published to inform friends, clients, and colleagues in the field of data privacy and cybersecurity. The content is informational only and does not constitute legal advice. I encourage you to consult with a data privacy and employment attorney if you have specific questions or concerns relating to any of the topics covered here.

  1. https://www.dickinson-wright.com/news-alerts/the-gdpr-covers-employee-hr-data-and-tricky
  2. https://www.oag.ca.gov/privacy/ccpa
  3. https://www.okeeffeattorneys.com/work-email-who-owns-it/

Jack Wozny
BS, CISSP, CCSP, SSCP

As a computer engineer, I have a decade of expertise in securing various networks and systems. I have led and delivered several security projects, ensuring their compliance, availability, and security.