Multiple sources periodically receive reports of users implementing mailbox forwarding rules that automatically forward messages from their work email to an external mailbox that is not monitored by their organization. Email forwarding to external non-work accounts, whether via automatic forwarding rules or by manually forwarding messages, poses several significant privacy and security risks to an organization's information assets. It can lead to data leakage, such as personally identifiable information (PII), sensitive data, financial information, and more. Additionally, if these external non-work accounts are compromised, email forwarding can provide unauthorized access to the organization's leaked information assets. This unauthorized access enables threat actors to exfiltrate sensitive data and implement their own mailbox rules to auto-forward emails to an external account controlled by them, obfuscating their malicious activities.

Furthermore, forwarding emails can impact spam filters and message authentication checks, potentially resulting in emails being flagged as spam or failing to be delivered to intended recipients. Forwarding emails can also lead to a loss of trust and negatively impact an organization's domain reputation.

Organizations implement email policies with specific requirements or conditions for accessing and using their email services. These policies may prohibit users from transmitting, storing, processing, or sharing sensitive information using personal or unauthorized email accounts. The policies can also cover other unauthorized services, such as social media accounts, chat services, file storage, file synchronization, and file sharing. Since email forwarding can result in non-compliance with applicable contractual, regulatory, and statutory requirements, users violating such policies are subject to disciplinary action, penalties, and fines.

In the District Court of New Jersey's Bramshill Investments LLC v. Pullen case, the defendant manually forwarded proprietary documents and information from her work email account to her personal email account. The plaintiff's outside compliance consultant discovered the activity and notified the plaintiff, who later fired the defendant for violating the plaintiff's business protocols, the defendant's employment agreement, and regulatory and privacy regulations.

In the District Court of New Jersey's US v. Andrew Blum case, a former vice president of product development and a co-conspirator at a New Jersey-based producer of oil products and proprietary flavors stole their employer's trade secrets. The defendant and co-conspirator had signed an employee handbook and a non-disclosure agreement (NDA), agreeing not to disclose or use proprietary or confidential information while employed or after termination. However, the employer's IT team discovered that the co-conspirator used a personal email account on a work computer to forward files containing proprietary and trade secret information to the defendant at his personal email account.
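The forwarding-rule risk described above is something an organization can audit for directly: inventory the inbox rules on its mailboxes and flag any that forward or redirect mail to a domain the organization does not own. The following is an added example, not code from the original article or from any mail vendor. It assumes a rule inventory has already been exported from the mail platform into simple records (the `InboxRule` field names and the `ORG_DOMAINS` set are assumptions, and the sample rules are constructed), and it adds one heuristic the article only alludes to: a rule that forwards externally and also deletes or hides the original is treated as higher severity, since that is the obfuscation pattern the article attributes to threat actors.

```python
"""Flag inbox rules that auto-forward or redirect mail to external mailboxes.

Added example, not part of the original article. Field names below are an
assumed generic schema for an exported rule inventory, not any vendor's API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed: the domains the organization owns and monitors. Subdomains are
# treated as internal as well (e.g. "sub.corp.example.com").
ORG_DOMAINS = {"example.com", "corp.example.com"}


@dataclass
class InboxRule:
    mailbox: str                      # owner of the rule
    name: str                         # rule display name
    forward_to: List[str] = field(default_factory=list)   # forward (keeps a copy)
    redirect_to: List[str] = field(default_factory=list)  # redirect (no copy)
    delete_message: bool = False      # delete original after the action
    move_to_folder: Optional[str] = None  # folder the original is moved to


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True if the address is outside the organization's domains.

    A malformed address (no '@') is treated as external so it gets reviewed.
    """
    dom = domain_of(address)
    if not dom:
        return True
    return not any(dom == org or dom.endswith("." + org) for org in org_domains)


def assess_rule(rule: InboxRule, org_domains=ORG_DOMAINS) -> Optional[Dict]:
    """Return a finding for a rule that sends mail externally, else None."""
    targets = list(rule.forward_to) + list(rule.redirect_to)
    external = sorted({a for a in targets if is_external(a, org_domains)})
    if not external:
        return None
    findings = ["forwards or redirects to external mailbox: " + ", ".join(external)]
    # Obfuscation heuristics (assumption): hiding the original from the user
    # is the pattern an attacker uses so the victim never sees the traffic.
    if rule.delete_message:
        findings.append("deletes the original message")
    if rule.move_to_folder and rule.move_to_folder.lower() != "inbox":
        findings.append("moves the original to folder '%s'" % rule.move_to_folder)
    return {
        "mailbox": rule.mailbox,
        "rule": rule.name,
        "external_targets": external,
        "findings": findings,
        "severity": "high" if len(findings) > 1 else "medium",
    }


def audit_rules(rules: List[InboxRule], org_domains=ORG_DOMAINS) -> List[Dict]:
    """Run assess_rule over an inventory and keep only the rules that matched."""
    return [f for f in (assess_rule(r, org_domains) for r in rules) if f]


# Constructed sample inventory (not real data).
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Copy to home",
              forward_to=["alice.home@personal-mail.example"]),
    InboxRule("bob@example.com", "Helpdesk copy",
              forward_to=["helpdesk@corp.example.com"]),
    InboxRule("carol@example.com", ".",  # attacker-style rule: redirect and delete
              redirect_to=["drop@mailbox-host.example"], delete_message=True),
    InboxRule("dave@example.com", "Invoices",
              forward_to=["archive@mailbox-host.example"], move_to_folder="RSS Feeds"),
]


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print("%s [%s] rule %r: %s" % (finding["mailbox"], finding["severity"],
                                        finding["rule"], "; ".join(finding["findings"])))
```

Running the script on the constructed inventory reports alice (medium: external forward only), carol (high: external redirect plus delete) and dave (high: external forward plus move to a rarely viewed folder), while bob's internal forward is ignored. In practice the same check should run on a schedule against the live rule inventory and on every rule-creation audit event, since the article's point is that the dangerous rules are created after a mailbox is already compromised.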