A recent article in the Wall Street Journal (“Tech’s ‘Dirty Secret’: The App Developers Sifting Through Your Gmail”) exposes just how exposed mail held in free consumer email services like Gmail, Yahoo and AOL can be to third parties. What the article demonstrates is that if you are a business required to protect personal information and you conduct that business over Gmail or one of these similar free services, you are very likely violating the privacy laws that apply to you and are seriously exposed. The risk is serious and it cannot be overstated.
Here’s the issue. According to the Wall Street Journal report, Google, Yahoo and the rest, along with any software developer whose app a user has connected to one of these free email accounts (and there are hundreds of thousands of such developers), have the ability to read that user’s emails. And Google doesn’t even hide it!
In a statement made to the WSJ, Google said that its employees examine emails only “in very specific cases where you ask us to and give consent, or where we need to for security purposes, such as investigating a bug or abuse.” And that’s just Google; the third-party developers who connect their apps to Gmail may or may not hold themselves to the same standard, yet once a user grants their app access to the mailbox they have that access to the user’s emails, and for many of the apps the article describes that means full read access.
Not only do these developers use computers to scan inboxes to determine trends in what users read; the article reports that the developers’ employees have been reading users’ email as well. And while letting employees read emails whose owners do not know another human is looking has long been “common practice” among companies that collect this type of data, the fact that it is now reported on and in the public domain makes you and your company liable if personal information is breached.
Why? Because regulations like the New York State Department of Financial Services’ first-in-the-nation cybersecurity regulation (23 NYCRR 500), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the European Union’s General Data Protection Regulation (GDPR) now make you liable and force you to pay, and pay dearly, not just if personal information is breached but for failing to protect that information from a breach in the first place!
This means that you need to make sure that only those people in your company who need access to personally identifiable information get that access, and everyone else must be blocked from seeing it. With a free Gmail account or any other consumer email service, the business has no way to see, let alone control, which third-party apps its staff have connected to their mailboxes; you cannot prevent others from seeing personally identifiable information in those emails and, therefore, you are liable. (A free consumer Gmail account also cannot be covered by a HIPAA business associate agreement; Google offers one only for its paid business accounts.)
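The practical check that follows from this paragraph is an audit of which apps hold mailbox access across your users. What follows is an added example, not code from the WSJ article or from the author’s firm. It assumes a paid Google Workspace domain, where an administrator can list every OAuth grant per user through the Admin SDK Directory API (`tokens.list`, `GET /admin/directory/v1/users/{userKey}/tokens`) and revoke one with `tokens.delete`. The token records below are constructed to mirror that API’s response shape; the client IDs and app names are placeholders, and the scope lists are a chosen subset of Google’s published Gmail scopes, not a complete catalogue. Free consumer accounts expose no such API, so there each user would have to review https://myaccount.google.com/permissions alone, which is exactly the visibility gap described above.

```python
"""Triage OAuth grants on Gmail mailboxes by how much mail they can read.

Input mirrors the JSON returned by the Google Workspace Admin SDK
(admin.directory.v1 tokens.list). The sample below is CONSTRUCTED for
this example; client IDs and display names are placeholders.
"""

# Scopes that let an app read message bodies. ASSUMPTION: a subset picked
# for the example; check Google's Gmail API scope documentation for the
# full, current list before relying on it.
MAIL_READ_SCOPES = {
    "https://mail.google.com/",                          # full mailbox access
    "https://www.googleapis.com/auth/gmail.readonly",    # read all mail
    "https://www.googleapis.com/auth/gmail.modify",      # read + change labels
}
# Headers only (sender, recipients, subject): no bodies, but still PII.
MAIL_METADATA_SCOPE = "https://www.googleapis.com/auth/gmail.metadata"
# Can send as the user but cannot read existing mail.
MAIL_SEND_SCOPES = {
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.compose",
}
# Lower number = more serious finding.
SEVERITY = {"reads-mail": 0, "reads-headers": 1, "sends-mail": 2}

ADMIN_BASE = "https://admin.googleapis.com/admin/directory/v1"

# Constructed sample, shaped like a tokens.list response for two users.
SAMPLE_TOKEN_LIST = {
    "kind": "admin#directory#tokenList",
    "items": [
        {"clientId": "111111111111-example.apps.googleusercontent.com",
         "displayText": "Example Inbox Organizer",   # placeholder app
         "userKey": "alice@example.com",
         "nativeApp": False, "anonymous": False,
         "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                    "https://mail.google.com/"]},
        {"clientId": "222222222222-example.apps.googleusercontent.com",
         "displayText": "Example Calendar Sync",     # placeholder app
         "userKey": "alice@example.com",
         "nativeApp": False, "anonymous": False,
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
        {"clientId": "333333333333-example.apps.googleusercontent.com",
         "displayText": "Example Newsletter Tool",   # placeholder app
         "userKey": "bob@example.com",
         "nativeApp": False, "anonymous": False,
         "scopes": ["https://www.googleapis.com/auth/gmail.send",
                    MAIL_METADATA_SCOPE]},
    ],
}


def classify_scopes(scopes):
    """Return the highest level of mailbox access a scope list grants."""
    granted = set(scopes)
    if granted & MAIL_READ_SCOPES:
        return "reads-mail"
    if MAIL_METADATA_SCOPE in granted:
        return "reads-headers"
    if granted & MAIL_SEND_SCOPES:
        return "sends-mail"
    return "no-mail-access"


def audit_tokens(token_list):
    """Flag every grant that touches mail, most serious first."""
    findings = []
    for tok in token_list.get("items", []):
        access = classify_scopes(tok.get("scopes", []))
        if access == "no-mail-access":
            continue                      # e.g. calendar-only apps
        findings.append({
            "userKey": tok["userKey"],
            "clientId": tok["clientId"],
            "displayText": tok.get("displayText", "<unnamed>"),
            "access": access,
        })
    findings.sort(key=lambda f: (SEVERITY[f["access"]], f["userKey"]))
    return findings


def revoke_url(finding):
    """URL for tokens.delete, which revokes this app's grant for the user.
    (Not called here; an admin would DELETE it with a bearer token.)"""
    return f"{ADMIN_BASE}/users/{finding['userKey']}/tokens/{finding['clientId']}"


if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKEN_LIST):
        print(f"{f['access']:<13} {f['userKey']:<20} {f['displayText']}")
        print(f"    revoke: DELETE {revoke_url(f)}")
```

Running the audit against a real `tokens.list` export (one call per user, or via a tool such as GAM that wraps the same API) gives a ranked list of which staff have handed mailbox read access to which apps; the `reads-mail` rows are the ones that matter for the PII exposure the paragraph above describes, and `tokens.delete` removes a grant without the user’s cooperation.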
With this exposé in the Wall Street Journal, the cat is out of the bag and we expect regulators to take notice of this practice; already lawmakers and their auditors are asking questions about the email services their regulated entities are using. We expect fines and sanctions to follow shortly.
– Al Alper, CEO – Absolute Logic, Inc. | CyberGuard360