Email Privacy Laws and Expectations Explained
Email can sometimes feel intimate in the same way a private conversation does, but the reality is that email is anything but private. In fact, emails are one of the most easily intercepted and duplicated forms of communication, especially if they’re unencrypted.
Hackers aren’t the only threat to email privacy in the workplace; employers, law enforcement officials and even internet service providers all have the ability to monitor and review email communications. For businesses and organizations, this can easily become an issue, not least because monitoring or disclosing email in the wrong way can violate key email privacy laws and regulations.
Multiple Points of Vulnerability
An email is like a passenger on a road trip in that it makes multiple pit stops en route to its final destination.
First, it is sent from the sender’s computer to their mail provider’s outgoing (SMTP) server, which may relay it through one or more intermediate mail servers before it reaches the recipient’s mail server and, from there, the recipient’s computer or phone. Each pit stop is a point of vulnerability, an opportunity for a third party — whether authorized or unauthorized — to view the email’s contents, and each server that handles the message records the hop in a Received header.
Also, unlike a wayward traveler, a copy of the email is typically stored at each stop along the way (in mail queues, logs and backups), which introduces an additional problem. Even if the sender and recipient delete the email from their respective sent folder and inbox, copies of it still exist in other locations, and these copies can be stored for a very long time.
Email Privacy in the Workplace
The concept of privacy is already tenuous for personal email and is even more so for emails in the workplace. Most employers require new employees to sign an email policy contract that stipulates that email is only to be used for business purposes and that the company reserves the right to monitor email usage. Such a contract effectively eliminates the reasonable expectation of privacy when it comes to electronic communications in a work environment.
And that’s for good reason. Businesses are at risk of security breaches, both internal and external, and are exposed to workplace harassment claims. By monitoring employee emails, employers can identify incoming or outgoing emails that contain spam, malware or phishing attempts, as well as employees who might be disseminating private company information to unauthorized parties. They can also search for offensive language or problematic messages and take action against any harassment that might be occurring, protecting both themselves and their employees in the process.
Note: Businesses are also frequently subject to eDiscovery requests during civil proceedings, which makes email archiving a top priority; more on that below.
All of that said, there are limitations around what an employer can monitor. For example, employers can’t monitor emails for illegal reasons, such as to dissuade employees from unionizing or engaging in other protected activities.
As an additional precautionary measure, many employers use encryption to protect email privacy at work. Encryption comes in two forms that protect against different risks. Transport encryption (TLS between mail servers) scrambles the message while it travels between servers, but each server still handles and usually stores it in readable form. End-to-end encryption (for example S/MIME or PGP) scrambles the message on the sender’s side and unscrambles it only on the recipient’s side, so that it can be read only by the involved parties and not by the servers in between. On a macro scale, encryption is a key requirement of many email privacy laws and compliance regulations.
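The hop-by-hop path described under Multiple Points of Vulnerability, and the difference between transport and end-to-end encryption discussed above, can both be checked on a real message by reading its headers. The following Python script is an added example, not code from the original article or from Intradyn: it walks the Received headers of a message (oldest hop first), records which server accepted it at each stop, flags hops that ran over plain SMTP rather than a TLS-protected session (the ESMTPS/ESMTPSA protocol keywords of RFC 3848, or a version=TLS clause), and reports whether the body itself is S/MIME- or PGP-encrypted. The message, hostnames and IP addresses are constructed for the example and use only documentation ranges; the function names are this example’s own.

```python
import email
import re

# Constructed sample message (not a real capture). Three hops: the sender's
# laptop submitted over TLS, the relay between the two organisations ran over
# plain ESMTP, and the final internal hop used TLS again. Hostnames and IPs
# are documentation values chosen for this example.
RAW_MESSAGE = b"""Received: from mx2.example-recipient.test (mx2.example-recipient.test [203.0.113.20])
\tby mail.example-recipient.test with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 1 Jan 2024 10:00:05 +0000
Received: from smtp.example-sender.test (smtp.example-sender.test [198.51.100.10])
\tby mx2.example-recipient.test with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:03 +0000
Received: from laptop.example-sender.test ([192.0.2.5])
\tby smtp.example-sender.test with ESMTPSA id ghi789
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tMon, 1 Jan 2024 10:00:01 +0000
From: alice@example-sender.test
To: bob@example-recipient.test
Subject: Q3 numbers
Content-Type: text/plain

Draft attached.
"""

# RFC 3848 / RFC 6531 "with" keywords that mean the hop ran inside TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

# "from <host> ... by <host> [... with <protocol>]" as written by most MTAs.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)(?:.*?\bwith\s+(?P<with>\S+))?",
    re.IGNORECASE,
)


def parse_hops(raw_message):
    """Return the message's hops oldest-first, one dict per Received header."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    # Headers are prepended as the message travels, so the last one is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        match = HOP_RE.search(text)
        if not match:
            continue  # malformed or non-standard header; skip rather than guess
        protocol = (match.group("with") or "").rstrip(";").upper()
        hops.append({
            "from": match.group("from"),
            "by": match.group("by"),
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS or "version=TLS" in text,
        })
    return hops


def unencrypted_hops(hops):
    """Indices (oldest-first) of hops where the message crossed the wire in the clear."""
    return [i for i, hop in enumerate(hops) if not hop["tls"]]


def hosts_with_copies(hops):
    """Every server that accepted the message; each typically queues, logs or backs it up."""
    hosts = []
    for hop in hops:
        if hop["by"] not in hosts:
            hosts.append(hop["by"])
    return hosts


def is_end_to_end_encrypted(raw_message):
    """True only if the body is S/MIME (RFC 8551) or PGP/MIME (RFC 3156) encrypted."""
    msg = email.message_from_bytes(raw_message)
    content_type = msg.get_content_type()
    protocol = (msg.get_param("protocol") or "").lower()
    return content_type == "application/pkcs7-mime" or (
        content_type == "multipart/encrypted" and protocol == "application/pgp-encrypted"
    )


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    for i, hop in enumerate(hops):
        status = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} ({hop['protocol'] or '?'}, {status})")
    print("cleartext hops:", unencrypted_hops(hops))
    print("servers holding a copy:", hosts_with_copies(hops))
    print("end-to-end encrypted body:", is_end_to_end_encrypted(RAW_MESSAGE))
```

Two caveats a practitioner should keep in mind: Received headers are written by each server and can be forged by a sender or an earlier relay, so only the headers added by servers you control are trustworthy; and a message that shows TLS on every hop is still readable by every one of the listed servers, which is exactly the gap end-to-end encryption closes.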
Email Privacy Laws and Compliance Regulations
There are numerous email privacy laws and compliance regulations that dictate the type of information businesses can transmit over email, as well as the security policies they must enforce. Let’s look at a few:
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA stipulates that health care organizations must limit the amount of Protected Health Information (PHI) — that is, individually identifiable health information — sent via unencrypted email, as well as restrict access to, protect the integrity of, and guard against unauthorized access to PHI sent via email. HIPAA also requires health care organizations to preserve emails containing PHI.
- Payment Card Industry Data Security Standard (PCI DSS): The PCI Security Standards Council stipulates that cardholder data must never be sent unprotected over end-user messaging technologies such as email, so any email containing a primary account number must be encrypted, and that all service providers must maintain a documented description of their cryptographic architecture.
- The Gramm-Leach-Bliley Act (GLBA): The GLBA requires financial institutions to explain to consumers how they share their personal data, give customers the ability to opt out of sharing their data with third parties and clearly outline their strategy to protect customer information.
- The Email Privacy Act: This proposed update to the Electronic Communications Privacy Act of 1986, which passed the House of Representatives but has not been enacted into law, would prevent electronic and remote communication service providers from voluntarily disclosing the contents of emails, require the government to obtain a warrant to compel the disclosure of email contents and revise the process for obtaining a delayed notification order.
- General Data Protection Regulation (GDPR): GDPR stipulates that all personal data of people in the EU, including personal data contained in emails, must be processed lawfully and in a transparent manner, must be kept up to date and must be kept in a form which permits identification of data subjects for no longer than is necessary.
- FINRA and SEC Rule 17a-4: Under FINRA rules and SEC Rule 17a-4, broker-dealers must retain electronic communications with customers and those that are germane to their business for at least three years, the first two in an easily accessible place, on non-rewritable, non-erasable (WORM) storage.
- Federal Rules of Civil Procedure (FRCP): The FRCP govern the discovery of electronically stored information (ESI) in federal civil cases. Once litigation is reasonably anticipated, an organization must preserve relevant ESI, including email, and be able to produce it in a usable form.
Email Privacy and Retention in Relation to eDiscovery
You’ll notice that a few of the email privacy laws and compliance regulations listed above reference email retention, preservation or archiving. Email archiving gives businesses and organizations a reliable record of all email correspondence to refer to both for business purposes and in the event of litigation. Often in a civil or criminal legal case, one or both of the parties’ attorneys will submit an eDiscovery request. In order to be adequately prepared for such requests, businesses are advised to maintain thorough email records.
That’s where Intradyn comes in. Our proven email archiving solution offers unparalleled insight into your company’s email communications, is built to ensure regulatory compliance and is ideal for businesses, organizations and government agencies alike. To learn more about what Intradyn’s Email Archiver can do for you, contact us today.