What…They Can Read My Emails Without Telling Me?

JW_IG
Level 1

I just got back from the IAPP Privacy. Security. Risk. conference. There is a lot going on in data privacy around the globe. The big topic was the California Consumer Privacy Act (CCPA), with many sessions on California data privacy regulations. However, you may be surprised that one of the most significant items I came away with concerns a law passed more than 30 years ago: a US federal law that affects US organizations and citizens with little fanfare. This law should be a compelling reason for every organization using Office 365 (or any other cloud email provider) to use a third-party archiving solution. The law I am talking about is the Electronic Communications Privacy Act (ECPA) of 1986.

This law allows the government (in particular the US federal government) to obtain emails from cloud service providers without a warrant once those emails are older than 180 days. In a nutshell, the law says that emails held by an email service provider for 180 days or less require a warrant (based on probable cause), and that warrant can be served on the provider without notifying the subscriber. Emails older than 180 days, however, require only a subpoena or court order, and the notice that would normally go to the subscriber can be delayed. To top it all off, federal courts have interpreted and enforced this provision differently.

So, a little background on how we got here. In 1986, when this law passed, technology was beginning to blossom, the Internet was in its infancy, and electronic storage was expensive. Consider this:

  • Cost of Storage
    • In 1985, First Class Peripherals was selling a 10MB hard drive for $710 (that comes out to $71K/GB)
    • In 2019, Amazon sells a 4TB internal hard drive for $70 (that comes out to just under $0.02/GB)
  • Internet Access
    • In 1986, most businesses and consumers were relegated to dial-up internet access
    • In 2019, high-speed, dedicated internet access is the norm for most of the US

When the ECPA was passed, few people imagined holding on to more than a hundred emails, let alone years of them. With high-speed internet access and low-cost storage now the norm, businesses and consumers take full advantage of the inexpensive storage that cloud service providers offer, and mail older than 180 days accumulates by default.

The pending Email Privacy Act would close this loophole in the ECPA, which allows the government to search (without a warrant) emails and other electronic communications older than 180 days that are stored on the servers of third-party service providers such as Google and Microsoft. The bill has not passed because the US Senate has shelved it (for now). Opposition came from several agencies, including the Securities and Exchange Commission, which uses administrative subpoenas on service providers during investigations. The subpoenas let the SEC work around the problem that people under investigation often do not keep copies of incriminating mail after sending it, or decline to share its content with the SEC.

Veritas can help mitigate the risk of this kind of government overreach. The approach is simple:

  • First, archive all email (ideally every message, via journaling, rather than only what users choose to keep) to a Veritas archiving solution (Enterprise Vault or Enterprise Vault.cloud), and confirm that journaled mail is actually landing in the archive.
  • Second, set a retention policy of 180 days with your email service provider so that nothing older than 180 days remains on the provider's servers.

Do the steps in that order: a 180-day deletion policy applied before archiving is in place simply destroys mail. Keep in mind, too, that litigation or eDiscovery holds override retention, and that this mitigation only addresses copies held by the third-party email provider; the archive becomes your system of record and needs its own access controls and retention rules.

That's it. Nothing spectacular or too complicated.
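Here is what the email-provider side of those two steps looks like for Office 365 (Exchange Online), as an added example that is not part of the original post and not Veritas or Microsoft documentation. It assumes the ExchangeOnlineManagement PowerShell module, an Exchange admin account, and a placeholder journal address (journal@archive.example.com) that your archive's journaling connector ingests from; the UPN, domain and policy names are all assumptions. The Veritas side (the Enterprise Vault journaling task itself) is not shown.

```powershell
# Added example (not from the original post): Exchange Online side of the
# "archive everything, then keep only 180 days with the provider" approach.
# Assumptions: ExchangeOnlineManagement module installed, an Exchange admin
# account, and an external journal address that your archive ingests from.
# Journaling is configured and checked first; retention is applied second.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# --- Step 1: journal all mail (internal and external) to the archive ingest address.
# Exchange Online does not allow the journal target to be an Exchange Online
# mailbox, so this must be an address outside the tenant (the archive connector).
$JournalTarget = 'journal@archive.example.com'   # placeholder; your archive's journal connector

New-JournalRule -Name 'Archive all mail' `
    -JournalEmailAddress $JournalTarget `
    -Scope Global `
    -Enabled $true

# Journal reports that cannot be delivered go to a mailbox you actually monitor;
# an undelivered journal report is mail that never reached the archive.
Set-TransportConfig -JournalingReportNdrTo 'journal-ndr@contoso.example'   # placeholder

# Check: the rule exists and is enabled before going any further.
Get-JournalRule | Format-Table Name, Scope, JournalEmailAddress, Enabled

# --- Step 2: a 180-day deletion tag applied to the whole mailbox (all folders).
# PermanentlyDelete bypasses the Recoverable Items folder; with
# DeleteAndAllowRecovery, items would linger for another RetainDeletedItemsFor
# days on the provider's servers.
New-RetentionPolicyTag -Name '180-day delete (archive is system of record)' `
    -Type All `
    -AgeLimitForRetention 180 `
    -RetentionAction PermanentlyDelete

New-RetentionPolicy -Name 'ECPA 180-day mailbox policy' `
    -RetentionPolicyTagLinks '180-day delete (archive is system of record)'

# Assign the policy to every user mailbox. Mailboxes on Litigation Hold or an
# eDiscovery hold keep their content regardless of this tag; that is expected.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RetentionPolicy 'ECPA 180-day mailbox policy'

# Optional: run the Managed Folder Assistant now rather than waiting for its
# scheduled pass, which can leave items a few days past the 180-day mark.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object { Start-ManagedFolderAssistant -Identity $_.Identity }

# Check: report any user mailbox that did not pick up the policy, and show
# whether a hold explains why older mail is still present.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RetentionPolicy -ne 'ECPA 180-day mailbox policy' } |
    Select-Object DisplayName, RetentionPolicy, LitigationHoldEnabled
```

The two checks matter more than the configuration itself: if the journal rule is disabled or journal reports are bouncing, the retention tag is quietly deleting the only copy of your mail.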

The Veritas Digital Compliance portfolio can help with many of today's challenges: storage optimization, corporate governance, regulatory compliance, privacy, visibility into sensitive data, and eDiscovery readiness.

Let me know how we can help with your digital compliance challenges or how you’ve leveraged the portfolio to solve an interesting challenge.