What is EIU's email forwarding policy?
Prohibition of Auto-Forwarding Email - Policy
In the interest of better securing email and reducing the risk and impact of potential cybersecurity incidents, Eastern Illinois University Information Technology Services will disable auto-forwarding of email from @eiu.edu email addresses to external service providers.
Why now, and what about past practices?
The practice of users auto-forwarding potentially sensitive emails introduces increased security risks and liability related to accounts, data, privacy, phishing, and Illinois law compliance. The most common cybersecurity risk and attack vector starts with email phishing, which can easily cause account compromise, data loss, and intrusion.
The past practice of auto-forwarding email outside the officially supported EIU service has created a persistent and unsustainable attack vector whose impact on the university and its mission continues to grow. Any external email service is ultimately a less secure place for university email. It greatly diminishes the university's ability to secure users, protect university data, and investigate potential security incidents.
Additionally, and equally important, auto-forwarding email to these personal and private accounts could subject any such account to potential Illinois Freedom of Information Act (FOIA) reviews, official access, and disclosure. As a result, university personnel might need to require access to any such personal account to search for, identify, and retrieve items in response to a legal request. EIU ITS always recommends using university email only for business needs and not for personal matters.
Who is affected by this action?
All users (faculty and staff) who auto-forward any email from their EIU (@eiu.edu) email account are affected.
Role accounts, group accounts, service accounts, mail-enabled groups or lists and non-individual email accounts are not affected.
Is this really a problem?
Numerous users were found to be forwarding their official @eiu.edu email via O365 email rules.
Several concerns were identified:
- It would be difficult to integrate with the various external systems and ensure that all email is delivered correctly. Moreover, it would be difficult to maintain security and privacy standards across multiple systems. Last, it would be difficult to provide support for users who rely on third-party systems.
- Phishing and email are the most successful cybersecurity attack vectors directed towards our university. Email is the most effective way for threat actors globally to introduce malware, gain unauthorized access, and attempt to steal EIU data. EIU ITS cannot provide much assistance when a user’s email is being forwarded to a service provider where attacks cannot be detected or dealt with internally.
- (For offsite forwards only) Again, employee email forwards create the potential for personal accounts to come into scope for the Illinois State Records Act and FOIA requests. This puts individual personal privacy at risk and places EIU in a difficult position, since it could not comply with those laws unless account owners granted official access to their private email.
What is the plan?
The university will implement a new policy restricting email auto-forwarding for employees on July 1, 2023. Since this will require users who currently read official EIU email through external services to change their habits, EIU ITS will do the following in preparation and to assist in this transition:
- Identify and notify all users who have auto-forwarding enabled so they can make changes and adapt to this new directive.
- Many users will not need to do anything after ITS implements the global policy change. All their EIU email will remain in their EIU account and will no longer be sent automatically to external sources.
- Provide support and guidance to users who need to convey the new requirement to their support people or who have issues after the change.
When will the policy be implemented?
July 1, 2023
Can I request an exception?
Exceptions are not being considered for individual accounts, as this is viewed as a campus-wide risk and the policy helps to combat the cybersecurity threats outlined on this page. We are sorry for any inconvenience this may cause in having to check two different email sources (personal and EIU-related). We acknowledge that several service providers have very reputable email infrastructures, but they are private entities, and EIU cannot support them or provide security incident response for them. If you do not have a Microsoft O365-capable machine, please contact your department head and request a device that can access your official @eiu.edu email. As a reminder, everyone should use separate personal and business-related email accounts for privacy, legal compliance, and in case of a life change (retirement, job separation, etc.).
Legal and regulation requirements
Some key regulation and legal requirements to be aware of:
- A Freedom of Information Act (FOIA) request is a formal request for information from a government agency. The FOIA requires agencies to disclose any information that is not specifically exempted from disclosure. Subpoenas are orders from a court or other legal authority that require someone to appear in court or to produce documents.
- Email FOIA requests are FOIA requests that specifically ask for emails. Emails are often considered public records and can therefore be subject to FOIA requests. A subpoena duces tecum is a type of subpoena that requires someone to produce documents, including emails.
Laws governed by this policy decision
- The State Records Act (5 ILCS 160)
- The Freedom of Information Act (5 ILCS 140)