Manage Data, Email, Records to Manage Cyber Risk
Email is excellent for sending and receiving communications, but it is risky to use it for long-term information or document storage.
Threat actors are constantly hunting for valuable information that can be stolen and used to extort money from the rightful owner or an organization. Having valuable information easily accessible in an email account can create an unnecessary and avoidable vulnerability.
Take this situation as an example:
- An employee had more than a decade of emails saved in his email account. His account was hacked, giving bad actors access to years’ worth of email contacts and personal information and documents saved in the messages and attachments.
- The threat actors then proceeded to phish all of the email contacts and had access to hundreds of people’s personal information.
- The hacked organization had to pay for sending hundreds of breach notifications, credit monitoring services for those whose information was leaked and public relations coaching on top of the expenses to eradicate the malware released on the employer’s system.
Employees should ask themselves, if their email login credentials were stolen or the account were hacked in some other manner, what information and how much would be readily available to threat actors?
Balance Data Retention and Protection
Public entities and their employees must maintain a balance between adhering to legal data retention requirements (e.g., Minn. Stat. §§ 15.17, 138.17) and protecting the private data they must maintain (e.g., under the Minnesota Government Data Practices Act, the Health Insurance Portability and Accountability Act, etc.).
The key to success is being strategic with how employees receive and maintain sensitive data. As threat actors evolve and find new ways to exploit and attack technology and systems, it is vital that local governments and their employees do everything they can to reduce the threat landscape.
Only Keep What Is Needed for as Long as It Is Needed
Public entities must have and follow a records retention schedule (Minn. Stat. § 138.17, subd. 7). This schedule dictates how long the entity must retain official records.
This also means that once the retention period has expired, the public entity is no longer required to maintain the data and can destroy it.
Information, documents and data that are not official records should be kept only as long as there is a business need for them. Destroying extraneous documents and data as soon as possible is key from a data security standpoint.
In the example above, had the employee destroyed unnecessary emails and attachments as soon as they were no longer needed, per the records retention schedule or for a business purpose depending on their classification, the number of individuals whose personal information was compromised would have been dramatically reduced.
To manage the amount of data a public entity maintains, it should:
- Ensure that all employees understand which of the information they hold is an official record, which is not and how the records retention schedule applies to each.
- Provide time for and require that employees securely destroy files regularly to comply with the retention schedule or business purpose needs. An example would be that the entire organization dedicates one day a year to purging files, documents and data.
Email Should Be Pass Through, Not Storage System
Email is not intended to function as a data storage service. Rather it should be treated like a physical mailbox, where individuals retrieve communications that are opened and either trashed or filed securely elsewhere. No one keeps sensitive documents in a mailbox at the end of the driveway permanently. As such, no one should keep sensitive data in email systems either.
If employees have historically saved or held onto emails as a way of tracking work or as a personal backup, they need to evolve their practices to limit what bad actors could potentially gain access to. What may have felt like a great efficiency and a trusted backup now needs to be seen as a vulnerability in the work process and a liability within the organization.
For employers that utilize a document management service or customer relationship management service program, once an email is uploaded to the system, employees should be instructed to remove the original message from the email system.
If an organization does not have such programs or services, employees should be trained on how and where to store essential information in secure places, such as private network drives. After emails have been saved outside of an email account, employees should then delete messages from their accounts to avoid unnecessary duplication of data.
Secure Data Storage
Once information is no longer needed for regular work purposes but must be retained per the records retention schedule, a public entity should consider moving the record containing that information to a secure, offline archive. If the information is needed, it can be retrieved, but it is sequestered from the network. If a hack occurred, those records could not be accessed, thus limiting the effects of the attack.
Practice Good Email Hygiene
The security of an email account is critically important, as it is often a primary mode of business communication and data sharing. Beyond maintaining sound retention practices, employees must be diligent about protecting their email accounts on the front end.
Steps to Maintaining Good Email Hygiene
- Utilize strong passwords and change the password regularly. Best practice is to use a 12-character password (at least) that contains capital letters, numbers and symbols.
- Keep the password secret and unique. Do not keep it in a visible note on the desktop, share it with others or reuse a password associated with another login.
- Change tendencies or tactics that create unnecessary duplication (e.g., CC’ing oneself on a sent email).
- Establish a routine to purge unnecessary messages. Remember to delete messages from the sent, draft and trash boxes of the email account, as well as from the inbox.
- Save necessary messages and attachments outside of the email account in a secure system.
- Utilize encrypted email to send and receive private or sensitive data.