What…They Can Read My Emails Without Telling Me?

I just got back from the IAPP Privacy. Security. Risk. conference. There's a lot going on in the area of data privacy around the globe. The big topic was the California Consumer Privacy Act (CCPA), and there were many sessions on California data privacy regulations. However, you may be surprised that one of the most significant items I came away with concerns a law that passed over 35 years ago. Imagine a US federal law that is impacting US organizations and citizens with little fanfare. This law should be a compelling reason for every organization using Office 365 (or any other cloud email provider) to use a third-party archiving solution. The US federal law I am talking about is the Electronic Communications Privacy Act (ECPA) of 1986.

This law allows the government (especially the US federal government) to access emails held by cloud service providers once those emails are older than 180 days. In a nutshell, the law states that for emails held by an email service provider for 180 days or less, the government needs a warrant (with probable cause) to access subscriber messages without notifying the subscriber. However, emails older than 180 days only require a subpoena, and notification to the subscriber is not needed. To top it all off, many US Circuit Courts have interpreted and enforced this law differently.

So, a little background on how we got here. In 1986 (when this law passed), technology was beginning to blossom, the Internet was in its infancy, and electronic storage was expensive. Consider this:

  • Cost of Storage
    • In 1985, First Class Peripherals was selling a 10 MB hard drive for $710 (that comes out to $71K/GB)
    • In 2019, Amazon sells a 4TB internal hard drive for $70 (that comes out to just under $0.02/GB)
  • Internet Access
    • In 1986, most businesses and consumers were relegated to dial-up internet access
    • In 2019, high-speed, dedicated internet access is now the norm for most of the US

When the US federal government passed the ECPA, the idea that people would hold onto more than a hundred emails was not widely considered. However, with the prevalence of high-speed internet access and low-cost storage, businesses and consumers are taking advantage of the inexpensive storage options offered by cloud service providers.

The pending Email Privacy Act would close this loophole in the ECPA, which allows the government to search (without a warrant) emails and other electronic communications older than 180 days that are stored on the servers of third-party service providers such as Google and Microsoft. The bill has not passed because the US Senate has shelved it (for now). Opposition to the bill came from several agencies, including the Securities and Exchange Commission, which uses administrative subpoenas on service providers during investigations. The subpoenas allow the SEC to work around the handicap that people under investigation often do not keep copies of incriminating mail after sending it, or decline to share its content with the SEC.

Veritas can assist in mitigating the risk of potential government overreach.

  • First, you need to set a retention policy of 180 days with your email service provider.
  • Second, you need to archive all emails (those that you want to keep; preferably all emails – e.g., via journaling) to a Veritas archiving solution (Enterprise Vault or Enterprise Vault.cloud).
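The two steps above, as an added example that is not part of the original post, applied to an Office 365 tenant with Exchange Online PowerShell. It assumes an existing Connect-ExchangeOnline session with sufficient rights; the journaling address and the undeliverable-report mailbox are constructed placeholders, and journaling is enabled before the deletion tag so that no message can be removed from the provider before an archived copy exists.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline has
# already been run. "journal@archive.example.com" is a constructed placeholder
# for the journaling address your archive (e.g. Enterprise Vault) provides;
# "ndr@example.com" is a constructed placeholder mailbox for undeliverable
# journal reports.

# Step 2 is configured first on purpose: every message must be journaled to the
# archive before the 180-day deletion tag is allowed to remove anything.

# Exchange Online requires a recipient for undeliverable journal reports before
# any journal rule can be created.
Set-TransportConfig -JournalingReportNdrTo "ndr@example.com"

# Journal every message sent or received by every mailbox in the tenant.
New-JournalRule -Name "Archive all mail" `
    -JournalEmailAddress "journal@archive.example.com" `
    -Scope Global `
    -Enabled $true

# Step 1: a default retention tag that applies to the whole mailbox and deletes
# items once they are 180 days old (still recoverable for the deleted-item
# retention window, then gone from the provider).
New-RetentionPolicyTag -Name "Delete after 180 days" `
    -Type All `
    -AgeLimitForRetention 180 `
    -RetentionAction DeleteAndAllowRecovery `
    -RetentionEnabled $true

# Wrap the tag in a retention policy and assign it to every user mailbox.
New-RetentionPolicy -Name "180-day retention policy" `
    -RetentionPolicyTagLinks "Delete after 180 days"

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RetentionPolicy "180-day retention policy"

# Verify before relying on it: the journal rule is enabled, and any mailbox
# that did not receive the policy is listed for follow-up.
Get-JournalRule -Identity "Archive all mail" | Format-List Name, Enabled, Scope
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RetentionPolicy -ne "180-day retention policy" } |
    Select-Object DisplayName, RetentionPolicy
```

Confirm on the archive side that journaled messages are actually being ingested before the first items reach the 180-day mark, since the deletion tag does not check whether an archived copy exists.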

That’s it. Nothing spectacular or too complicated.

The Veritas Digital Compliance portfolio can help with many of today's challenges: storage optimization, corporate governance, regulatory compliance, privacy, visibility into sensitive data, and eDiscovery readiness.

Let me know how we can help with your digital compliance challenges or how you’ve leveraged the portfolio to solve an interesting challenge.

2 Comments

Forgive me for asking, but wouldn't the archived emails within "ev.cloud" be subjected to the same law as the other providers?

ECPA of 1986 - https://www.justice.gov/sites/default/files/jmd/legacy/2013/09/06/act-pl99-508.pdf

Pages 14 and 15

I'm not a lawyer so these are my personal thoughts.

-----------------------------------

It is possible for any "Remote Storage" of "electronic communications" to be subjected to this law. But it appears that many legal challenges to this law's definition of electronic communication service provider tend to define it as the traditional email service providers (e.g., Gmail, Yahoo Mail, and Office 365). It would be best to consult an attorney if you have any concerns.

That being said, the best way to archive emails would be to archive to an on-premise solution, the second would be to archive to a solution that can reside in an IaaS or PaaS environment (i.e., EV in MS Azure or AWS), and the third would be to archive to a SaaS provider (EV.cloud) that is not historically defined as an email service provider.

According to how FISA defines "electronic communication service providers" from various existing laws, I read the definition as a service provider that facilitates the electronic transmission of communication and "Remote Storage" as storage with that "electronic communication service provider". So based on that definition, EV.cloud would not be regulated because it is considered an archiving service (storage) and not an "electronic communication service provider".