You've Got (No) Mail! Major Law Firm Blocks Employee Email Access

from the overreaction dept

Fri, Apr 19th 2013 2:22pm — Above The Law

Cross-posted from

Personal email accounts introduce possible threats to firm computers. A careless employee could open a trojan horse attachment and unleash a virus on the system. Even if the attack only infects the local drive, confidential information may be at risk.

This puts firms in a bind. Either invest time and energy teaching basic Internet skills to their employees — lessons like, “don’t open attachments from unknown email addresses” — that most of us learned when we still had Prodigy emails, or condescendingly cut off access to a modern necessity because the employees are too hopeless to understand the rules.

Yesterday, a major law firm chose the latter route…

King & Spalding dropped this nugget on their employees yesterday:

The firm’s internal security experts, as well as our outside security experts, have advised us that accessing Personal Email Accounts from firm computers creates a significant security risk. Therefore, effective May 1, 2013, access to Personal Email Accounts (i.e., anything other than your kslaw.com email, including, but not limited, to personal email accounts like Gmail, Yahoo, Hotmail, cable company, etc.) from King & Spalding computers will no longer be permitted.

Most personal email sites will be blocked while you are on the firm’s network. However, you should not access Personal Email Accounts from a firm computer, even if you are not automatically blocked when trying to do so.

Yes, this policy was announced yesterday at approximately 4 p.m. Eastern time. So while the whole country was conversing over personal email (and its companion chat systems) about the latest news updates surrounding a national tragedy, King & Spalding was announcing that it would be cutting off this access. Perhaps less than savvy timing. Someone in a position of authority may have wanted to hold off for a week or so.

Employees can continue to check email on their phones not connected to the main network (a new “ksmobile” network has been set up for this purpose). This means all their employees will now spend an order of magnitude longer every day cruising their inboxes on 3.5-inch screens and typing detailed responses with their touchpads. EFFICIENCY!

King & Spalding isn’t wrong to recognize that third-party email services constitute a threat to the firm network. But the actual threat is entirely between the keyboard and the chair if you will. Gmail isn’t threatening the network, Donny Dips**t clicking on a link sent by a Nigerian Prince is threatening the firm network. In the estimation of King & Spalding, its firm email system can better guard against phishing and thus minimize the opportunity of its employees to expose the firm to harm. However, Internet users are getting smarter every year, and with the decline in these “user errors,” the whole phenomenon of phishing is in decline.

So after years of exposing the firm’s computers to risk, King & Spalding has opted now, while the risk is in decline, to take the drastic step of blocking personal email accounts. Perhaps this explains why King & Spalding didn’t survive the first round of the “Which Firm Has The Brightest Future?” bracket.

Full email below.

KING & SPALDING — FIRM-WIDE-ANNOUNCEMENT — EMAIL ACCESS

New Policy Prohibiting Access to Non-King & Spalding Email Accounts (“Personal Email Accounts”) from Firm Computers

The firm’s internal security experts, as well as our outside security experts, have advised us that accessing Personal Email Accounts from firm computers creates a significant security risk. Therefore, effective May 1, 2013, access to Personal Email Accounts (i.e., anything other than your kslaw.com email, including, but not limited, to personal email accounts like Gmail, Yahoo, Hotmail, cable company, etc.) from King & Spalding computers will no longer be permitted.

Most personal email sites will be blocked while you are on the firm’s network. However, you should not access Personal Email Accounts from a firm computer, even if you are not automatically blocked when trying to do so. For example, you should not access Personal Email Accounts from a firm laptop, even when the laptop is not connected to the firm’s network (i.e., from your home network, a hotel internet, etc.). The firm’s computer systems hold confidential information about our clients and the firm and, as you know from reading articles in the press, individual users who innocently click on malicious e-mails are often the cause of security breaches. We need your help in protecting our systems by following this and other security related policies, even when you can do things that you are not supposed to do.

In certain limited circumstances, clients require us to communicate via a third party email system. If you have such a client requirement, please contact Thomas Gaines or Gene Viscelli so that we can determine the best way to address your client requirement. Please do not simply access the third party email without checking with Thomas or Gene (or the Service Desk if you cannot reach Thomas or Gene first).

Permissible Ways of Accessing Personal Email Accounts

The prohibition against accessing Personal Email Accounts from firm computers does not impact your ability to access Personal Email Accounts such as Gmail, Yahoo or Hotmail from your own personal devices (e.g., smartphones, iPads, tablets, personal laptops, etc.) while at the firm.

The firm has installed a wireless network called “ksmobile” in each office. This wireless network is reserved for K&S personnel (not clients or visitors who should be directed to the ksguest network), is a direct route to the Internet, and is appropriately sized to accommodate the many personal devices that are being used by K&S personnel. Because ksmobile does not connect to the firm’s internal network, it provides the firm a more secure way to allow you access to your Personal Email Accounts while you are in the office.

If you wish to use the ksmobile network, you may obtain the password to access this network by calling the Service Desk at ext. 8-3000. After your initial connection to ksmobile, your personal device will automatically reconnect whenever you are in a K&S office and retain the connection throughout the K&S space without the need to reenter the password.

If you have any questions about this new policy, please contact Gene Viscelli, Thomas Gaines, or any member of the Technology Oversight Group (Pat Brumbaugh, Derek Hardesty, Ted Hester, John Keffer, Floyd Newton, Bob Perry, Glen Reed and Kathy Rhyne).

Gene Viscelli
Chief Information Officer

More stories from Above The Law

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: email, law firms, personal email

42 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Mike Raffety (profile), 19 Apr 2013 @ 1:47pm

Most financial institutions already block personal e-mail
Having worked at a couple, they've long (ten years or more) blocked access to personal e-mail accounts like Yahoo or Gmail. This is perhaps new-ish in the law firm field, but not in banks or brokerages.

I believe this was originally driven by regulatory requirements to preserve all written communications for possible audit and legal discovery purposes, and perhaps also to show that the firm had made all reasonable efforts to prevent inside information from leaking out to be traded on.
[ link to this | view in chronology ]
Anonymous Coward, 19 Apr 2013 @ 2:33pm

Yup. Worked at a financial advisory firm for several years and blocking all of our personal email access was the norm. Financial institutions have had this restriction for quite some time.

Compliance issues are more cumbersome than the security aspects, at least in that field.
[ link to this | view in chronology ]
John Lewis, 19 Apr 2013 @ 2:42pm

Nothing new
We've been blocked from personal e-mail accounts for years at my employer (a large manufacturing concern).
[ link to this | view in chronology ]
tomxp411 (profile), 19 Apr 2013 @ 2:42pm

guest network FTW
Sounds like they're going to stand up a guest network, so employees can use their iPads and laptops.

So in the end, this won't affect employees that much: if you work at a law firm and don't already have an expensive mobile device, something must be wrong with you. ;-)
[ link to this | view in chronology ]
alanbleiweiss (profile), 19 Apr 2013 @ 2:46pm

Users are idiots
I don't care how far we've come in educating the masses. The masses are still ludite-stupid in overwhelming ways. I've witnessed too many people educated, guided, cajoled, led, informed, encouraged and otherwise shown why they need to stop being stupid with their computer and internet habits.

And too many of them nod their heads, spit out yes, thank you, what would I do without you and blah blah blah when they're given that assistance.

Only to fall right back into stupid-land.

Stupidity can't be extricated from the masses.

But just for fun - let's take it further - when you're at work as an employee, why should you even be allowed to spend time with personal email? Save it for your break, on your own time, on your own connected device.
[ link to this | view in chronology ]
- John Fenderson (profile), 19 Apr 2013 @ 3:14pm
  
  Re: Users are idiots
  Yes, but it's important to recognize that it isn't some group of others who are idiots. To quote Scott Adams:
  
  Everyone is an idiot, not just the people with low SAT scores. The only differences among us is that we're idiots about different things at different times. No matter how smart you are, you spend much of your day being an idiot.
  [ link to this | view in chronology ]
  - btr1701 (profile), 19 Apr 2013 @ 4:01pm
    
    Re: Re: Users are idiots
    > Yes, but it's important to recognize that
    > it isn't some group of others who are idiots.
    > To quote Scott Adams:
    
    > Everyone is an idiot, not just the people
    > with low SAT scores. The only differences among
    > us is that we're idiots about different things
    > at different times. No matter how smart you
    > are, you spend much of your day being an idiot.
    
    Exactly. I was about to say the same thing but Adams said it better. People who are computer/IT savvy love to haughtily rail about how stupid 'the masses' are, but the take them out of the IT realm and they suddenly become just another one of the stupid masses with regard to someone else's expertise.
    [ link to this | view in chronology ]
    - Anonymous Coward, 19 Apr 2013 @ 6:02pm
      
      Re: Re: Re: Users are idiots
      The difference is being able to defer responsibility when you realize you're outmatched.
      
      When my car has a problem, I don't go start taking apart random shit because I feel I can take care of it.
      
      When I get a call over the phone telling me I won a million dollars but I need to give my credit card info in order to collect, I don't go reaching for my wallet. I imagine most people would realize they are being scammed
      
      Why is the internet any different? Why do people think that things they get over email is somehow more trustworthy than someone calling them on the phone?
      [ link to this | view in chronology ]
      - alanbleiweiss (profile), 19 Apr 2013 @ 6:35pm
        
        Re: Re: Re: Re: Users are idiots
        Exactly! Thanks AC - One of the most important life lessons I needed to grasp was "know when you don't know WTF you're talking about or doing" and "step away from the ____" whatever the ____ is that you are clueless about.
        
        While I am no better than anyone else, given that I am human, I am more likely to use what we all to quickly label as "common" sense.
        
        It's called "critical thinking" and most people do NOT use it.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 20 Apr 2013 @ 9:48am
        
        Re: Re: Re: Re: Re: Users are idiots
        One of the most important life lessons I needed to grasp was "know when you don't know WTF you're talking about or doing"
        
        Yes, this is Kettering's Principle of Intelligent Ignorance: the intelligent don't lack ignorance. They just know what they're ignorant about.
        
        Two quotes from Kettering:
        
        The great obstacle to discovery is not ignorance, it is the illusion of knowledge.
        
        and
        
        A person must have a certain amount of intelligent ignorance to get anywhere.
        
        [ link to this | view in chronology ]
- Theoden, 19 Apr 2013 @ 3:26pm
  
  Re: Users are idiots
  Ignorance can be taught.
  Stupid lives forever.
  [ link to this | view in chronology ]
JC Carter, 19 Apr 2013 @ 2:51pm

Every single place I have worked
Blocked personal email access. Seems a lot of article about something rather irrelevant.
[ link to this | view in chronology ]
Anonymous Coward, 19 Apr 2013 @ 2:55pm

I do not see the problem with this since people can just use their phone if they need to check personal email. Shit they should not be fucking around on net anyways when they're supposed to be working..

What do I do at lunch?

I check my email.
I surf a couple forums.
If I have time I might look for a funny video.
[ link to this | view in chronology ]
Anonymous Coward, 19 Apr 2013 @ 2:56pm

While antivirus systems don't catch everything it seems like a properly configured antivirus server would catch everything at a law firm. I do IT for a school and we have hundreds of students accessing their own email as well as many staff. Any viruses are caught and disinfected before they do anything.
The last virus outbreak was back in 2004 and that was due to a usb drive and not email.

But it is their computers and network and they can do what they want as long as it is legal.
[ link to this | view in chronology ]
- Anonymous Coward, 19 Apr 2013 @ 6:04pm
  
  Re:
  Yes, but personal email is tunneled through SSL. The antivirus system can only disinfect it once it has already infected a target system once that occurs.
  
  Plus I imagine the computers at your school district are far more locked down and restricted than people trying to do their work at a law firm.
  [ link to this | view in chronology ]
Mark, 19 Apr 2013 @ 3:05pm

Gotta agree
My last gig involved end user IT security. There's no way to train adequately to prevent users screwing up. Why are they accessing their personal mail on company time anyway?

At the state park in which I volunteer, just last week someone managed to wipe out 2 PCs by opening an attachment in personal mail on one, then moving to another to try again.
[ link to this | view in chronology ]
Some Guy, 19 Apr 2013 @ 3:19pm

If something is so important and you get an email on your phone there are plenty of options.....Like make a phone call on that phone you have. Pretty much agree with everyone else.
[ link to this | view in chronology ]
Nick (profile), 19 Apr 2013 @ 3:36pm

Isn't this normal? Most big companies don't trust their employees not to goof off or use facebook, so block all internet access. Accessing personal emails seems like a normal deal to me (if being real strict jerks to their employees) and a company has every right.

Heck, I've worked at 4 jobs in my life, one which had no computers, two blocked everything but the intranet or the company website, and one that let me use the internet at will (which I.... promptly abused, watching a few too many cat videos on youtube).

And, well, even good computer users can be tripped up and introduce a virus. If a virus wants to get in, it will, and only staying off the internet is a good way to prevent a virus 100% of the time.
[ link to this | view in chronology ]
- John Fenderson (profile), 20 Apr 2013 @ 10:08am
  
  Re:
  Most big companies don't trust their employees not to goof off or use facebook, so block all internet access.
  
  I keep hearing this, but have never actually experienced it even once. But then, the big companies I've worked for have been software companies. That might make a difference.
  [ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

Stuart Gray, 19 Apr 2013 @ 3:45pm

Wow.
How off the mark you are on this one.
Blocking personal email sites is smart.
How efficient are you supposed to be on company time replying to your personal emails?

You are obviously such an entitled punk and have had so much handed to you for so long you are no longer capable of understanding what "work" is.

You can not train the stupid out of certain people when it comes to email. We have been trying for decades.

You sir on this topic have proved to be an idiot of massive scale.
[ link to this | view in chronology ]
- Anonymous Coward, 19 Apr 2013 @ 5:45pm
  
  Re:
  Only morons think that personal use at work is only for entitled punks.
  
  Law firm issues aside, some personal use of the interwebz can lead to increased employee productivity. About 9%, on average.
  
  Summary:
  http://arstechnica.com/business/2009/04/study-surfing-the-internet-at-work-boo sts-productivity/
  
  Scholarship:
  Coker, B. L.S. (2011), Freedom to surf: the positive effects of workplace Internet leisure browsing. New Technology, Work and Employment, 26: 238�247. doi: 10.1111/j.1468-005X.2011.00272.x
  
  Now get back to work you lazy entitled punk shitheads who so obviously value empiricism over properly subservient work practices.
  [ link to this | view in chronology ]
btr1701 (profile), 19 Apr 2013 @ 3:58pm

Nothing New
As many people here have already posted, this is hardly a new phenomenon.

Most federal government employees have been blocked from using personal email sites for about the last half decade. And in my agency, the list of blacklisted auto-blocked web sites grows exponentially every month.

I would estimate, for example, that on any given day, at least 40% of the links on the Drudge Report site come back blocked. And most of them are legitimate news sites.

It's pretty ridiculous, but hey, that's what iPads are for, no?
[ link to this | view in chronology ]
- btr1701 (profile), 19 Apr 2013 @ 4:23pm
  
  Re: Nothing New
  After reading through the entire email, this seems to be a very reasonable approach and I really don't see why TD has an issue with it.
  
  Hell, the law firm even went out of its way to install a separate wifi network throughout its offices to facilitate employee's use of their personal phones and tablets.
  
  Like many in the comments here, I have to ask, what's the big deal?
  [ link to this | view in chronology ]
Paul Reinheimer, 19 Apr 2013 @ 4:01pm

better idea than it may seem
On a simple skim this can seem silly, but dig a bit deeper and it can end up looking sensible.

As a law firm, the costs of losing control over privileged information can be very high, ranging up to firm-destroyingly-high should confidential & embarrassing records get published.

Add that to the fact that most security awareness training doesn't work, and is even argued against[1]. In order for most training to be effective the we need to see our actions and the reward as coupled. With security training you sit in a boring seminar (or complete some basic computer based training program) once a year, then forget about it once the quiz is through. You may not be presented with a chance to apply your training for days, weeks, or months. Even then, the cost of failure might be nil, just like the reward for success. I can't think of a less effective method for education.

Training every single employee of that law firm to behave correctly 100% of the time is unlikely to work. Instead IT, full of people with a better understanding of the problem at hand, manages all routes for data to reach internal computers. Email, web, gopher, whatever. They actively manage block lists, virus scanners, etc. all in attempt to minimize risk. Drop one of those horrible link manipulation tools on the mail server that runs the link through a checker at click-time, rather than receipt time (the delay between the two adding valuable minutes or hours for a block-list to be updated) for good measure. Delete or quarantine all password protected compressed files, and quarantine any attachment from an unknown mail address.

If the user avoids all of that, and downloads a compressed .rar file with a password from a spear-phisher over gmail, they've skipped over half the defense in depth from the start. All that stands between that virus and the network is the virus scanner, which is generally reactive rather than proactive.

[1] http://www.schneier.com/blog/archives/2013/03/security_awaren_1.html
[ link to this | view in chronology ]
who, me?, 19 Apr 2013 @ 4:15pm

smart policy
"I knew I shouldn't have clicked it, but I did anyway." It doesn't matter how much training you do, its going to happen. At least by limiting access to the corporate systems, you have the ability to filter what comes in.

They're even setting up a separate net for personal systems/devices. Like most everyone else, I'm not seeing the complaint.
[ link to this | view in chronology ]
Anonymous Coward, 19 Apr 2013 @ 4:21pm

Can't the employees just forward their personal email to their work email address.

Which then makes this whole policy moot.
[ link to this | view in chronology ]
Crashoverride, 19 Apr 2013 @ 4:26pm

Can't the employees just forward their personal email to their work email address.

Which then makes this whole policy moot.
[ link to this | view in chronology ]
- Paul Reinheimer, 19 Apr 2013 @ 4:29pm
  
  Response to: Crashoverride on Apr 19th, 2013 @ 4:26pm
  Not at all.
  
  By going through the corporate servers, all the protections it provides are enabled.
  [ link to this | view in chronology ]
Joe, 19 Apr 2013 @ 4:48pm

good idea
I've got no problem with this. Keep the internal network secure but still let's people check email on smartphones. At a company I worked for several years ago, we took away the desk phones from developer desks. They loved it. Less interruptions.
[ link to this | view in chronology ]
Richard Hack (profile), 19 Apr 2013 @ 5:58pm

I disagree
I think this is a good policy. The small amount of time the end users spend checking personal email on their personal devices is a small price to pay for removing a large section of vulnerability from the network.

In addition, while phishing may have dropped 15 percent for some sectors, it's risen for others as the link posted shows. Phishing remains one of the best ways for hackers to breach a network.

Suggesting that PEBCAC is the reason doesn't help. PEBCAC doesn't go away without major training. Worse, hackers with proper reconnaissance can craft an email that NO ONE would refuse to click on because it would look exactly like something they should click on. That's true whether the email comes in as company business or as personal business.

So removing one entire source of such phishing efforts is worth a small price in efficiency.

Personally, I think companies should follow CIA policy: two computers on each desk, one classified, one unclassified. The classified one runs on the main business network, the unclassified one runs on an entirely different network. And never the twain shall meet except via a specific protocol for transferring vetted data from one to the other. This goes beyond just having a firewall and a DMZ.
[ link to this | view in chronology ]
Danny (profile), 19 Apr 2013 @ 6:40pm

Comment from the Irony Department
I note the "Overreaction Department" tag line on the post.

The firm is taking very reasonable steps to protect their data (and their clients' data). Agreed the security risk is the employee, not the technology. But they rightly recognize that no amount of training will completely eliminate employees mistakes, especially since the scammers keep inventing new ruses.

And the firm is taking the reasonable step of mounting a new network outside their firewall to support employee access to personal accounts. So the firm isn't trying to wall off access completely during the workday, an action that would be problematic on several dimensions.

I'd say the overreaction here is on the part of our poster, not on the part of the law firm.
[ link to this | view in chronology ]
Anonymous Coward, 19 Apr 2013 @ 9:26pm

Once a co-worker sent me an email with an executable attachment on my birthday. I physically walked over to make sure she actually sent the thing, and after she told me she did, I STILL didn't execute the thing. I'm sure it was some sort of nice e-card, but I'm just not going to take that chance.

But I get the feeling that the person who sent me that thing would have clicked on a similar attachment without a second thought, had one been sent to her.

It's annoying for users who know what they're doing, when stuff gets locked down because of the people who don't. But often, it's needed.
[ link to this | view in chronology ]
Anonymous Coward, 19 Apr 2013 @ 10:24pm

Someone should ask Mr. Masnick to please stop letting interns write articles. This has been standard policy in Fortune 100 companies for something in the neighborhood of 10 years now. Anyone who doesn't know this already has no business writing articles for Techdirt. It tarnishes your image to pretend this is news, even if it IS a cross-post from some other rag.

Very disappointing.
[ link to this | view in chronology ]
Anonymous Coward, 19 Apr 2013 @ 11:46pm

Am employee there could just simply set up a VPN on their home broadband connection. The software for the SoftEther VPN project will also let you set up your puwn private VPN as well on your home broadband connection.

As long as your home broadband has at least two IP addresses available, this can be done.

That is the easiest way to circumvent the filtering.
[ link to this | view in chronology ]
- John Fenderson (profile), 20 Apr 2013 @ 10:15am
  
  Re:
  I recommend OpenVPN. You only need one IP address.
  [ link to this | view in chronology ]
Anonymous Coward, 20 Apr 2013 @ 3:31am

The employees, will simply configure their personal emails to be forwarded to their corporate email addresses.

People who come up with such solutions, are merely attacking the "symptoms."

There are simply no short cuts when it comes to security.
[ link to this | view in chronology ]
- John Fenderson (profile), 20 Apr 2013 @ 10:17am
  
  Re:
  he employees, will simply configure their personal emails to be forwarded to their corporate email addresses.
  
  This would be a stupid thing to do. Employers can, and most of them do, monitor and store all emails flowing through their corporate server. Do you really want your employer to have access to all you personal email?
  [ link to this | view in chronology ]
JustMe (profile), 20 Apr 2013 @ 7:28am

Sensible policies
Agree with the majority of the comments here. This makes good sense for many companies, especially when employee machines have access to sensitive information and many some email clients automatically render attachments and active elements.
[ link to this | view in chronology ]
Donglebert the Needlessly Obtuse, 22 Apr 2013 @ 2:44am

This is the first time I've seen an article on Techdirt
that has led to every single comment saying "huh?"

Clearly a non story.
[ link to this | view in chronology ]
Ninja (profile), 22 Apr 2013 @ 3:58am

Well, viruses are out there and even the most proficient filter will let bad stuff through. So wouldn't it be easier to make a closed environment for personal e-mail usage? Such as some sort of sandbox or whatever? When things go ugly just reset that sandbox and voil�!

With the added benefit it would protect the company as a whole.
[ link to this | view in chronology ]
William Chambers, 22 Apr 2013 @ 3:43pm

Just no
Do not continue posting this nonsense on TechDirt. It's totally misplaced and a waste of time.
[ link to this | view in chronology ]
Joseph M. Durnal, 26 Apr 2013 @ 6:03am

Personal E-Mail is a Threat
When it comes to e-mail, I've been there & done that. Many companies and government organizations still think in terms of, protect the system, protect the network, and less in terms of, protect the data. Why, well, protecting the data can be hard for everyone who has been doing it the same way for the last 20 years. Confidential documents should be encrypted, everywhere. While the techdirt community isn't a fan of DRM for content that the creators want everyone to have/pay for, DRMing your firms confidential documents can greatly reduce the risk of data leaks. We will always have ID10T errors, problems between the keyboard and chair, 10 years ago, never thought that today's masses would still be so computer illiterate, but they are, and I don't think it will change. Until IT shops develop systems for protecting the data, they'll still have to protect the network and protect the systems, and this could include blocking personal e-mail accounts.
[ link to this | view in chronology ]