What is this all about?

University of Illinois and its employees who auto-forward official Illinois email introduce increased risks and liabilities related to account cybersecurity, privacy, phishing, and compliance with Illinois law.

Why is this happening?

In a time where the university's #1 cybersecurity risks overwhelmingly start with email phishing leading to account compromise and intrusion, we must change practices we may have long enjoyed, but present great problems and risks in the here-and-now.

The past practice of auto-forwarding faculty and staff email outside the official, supported university service has created continual and unsustainable opportunity for cybersecurity intrusions to increase and continue to impact the university and its mission. Whether it's a consumer service like Yahoo or even another Illinois service that was set up only for student use like the Google g.illinois service, these are all unsupported, less controlled, and ultimately less secure places for our university employee business email. It diminishes the university's ability to secure its people, information, university data, research, internal processes, and business interests.

Additionally, auto-forwarding email to a private account, subjects any such account to potential Illinois Freedom of Information Act (FOIA) reviews, official access, and disclosure. As a result, university personnel might potentially require and demand access to any such personal accounts to search for, identify, and retrieve items in response to a legal request.

Which email accounts are/who is affected by this directive?

Employees (faculty and staff) who auto-forward any mail from their Illinois email account are affected.

Employees who use the electronic directory editor (EDE) to redirect their individual Illinois mail to another account are affected (Note, EDE use for mail redirection is currently deprecated and being phased out as well)

Role accounts, group accounts, service accounts, mail enabled groups or lists and other non-individual email accounts are not affected.

What did the problem look like when we started?

Roughly two thousand employees forwarded their official email via O365 e-mail rules or electronic directory editor (EDE). There were two concerns:

1. Phishing and email are the most successful cybersecurity attack vectors upon our university. They continue to be the most effective vehicle for threat actors worldwide to spread malware, access our work, and steal our most valuable assets. Illinois' Cybersecurity cannot provide much value or relief when employee email is being sent to a place where attacks cannot be detected or dealt with.
2. (For offsite forwards only) Employee email forwarding as an allowed practice had the potential for putting personal accounts in scope for the Illinois State Records Act and FOIA. This put individual personal privacy at risk. It also put the university in a difficult position, being that it could not comply with laws unless owners somehow granted official access to their private email.

What did the university do about it?

The university implemented a new policy restricting email auto-forwarding for employees on October 5, 2021. This required new email habits for those used to fielding their official work email from other places, or with different solutions.

To prepare, the Chief Privacy and Security Officer, Tech Services, and partners all around the university did 4 things:

1. Identified and gave ample notice to university employees and support personnel of those who auto-forward their email to make changes and adapt.
2. Provided guidance on how to eliminate rules or what to do:
   O365 "how-to" guidance
   EDE guidance
   OR "do nothing" (existing rules disabled once we implement)
3. Provided support and guidance to non-technical audiences who need to convey the new requirement to their support people.
4. Established a stakeholder group for feedback and guidance from university partners

When was the directive implemented?

Tuesday, October 5, 2021

Where can I find related resources?

• Identity Management, Leaving Campus for Faculty and Staff
• Email, How to set up email forwarding
• Email, Stopping redirection to an alternate email address
• [Link for document 109993 is unavailable at this time]

What if I was forwarding to an Illinois Google Email account (g.illinois.edu)?

In addition to not having ability to know about or react to cybersecurity events outside the O365 environment, the university does not support use of Google email for employees. Email forwarding to Illinois Google is not a supported option for university employees who have a primary affiliation of faculty or staff.

NOTE: This pertains to Google email only. All other Google apps licensed by the university are still supported.

What if I am forwarding to an Illinois subdomain or departmental Email account (*@dept.illinois.edu)?

People with Illinois email service provided within their unit by way of a local server or service will continue to be able to use such services. However, forwarding will no longer be an option for those employees in either the departmental subdomain or in the main O365 environment, including forwarding from one to the other.

How can I request more time to make the change, or request an exception?

The directive has been implemented. If for some reason it is necessary to explore this path, it might be possible, but the risks of any variance requested must be accepted by the executive officer at the unit level. Note also that on a logistics level, changes to email policy groups must be done manually, and will be processed as a work order, on roughly a 2-6 week timeline. You may still access your Illinois email in O365, see https://techservices.illinois.edu/email-how-to-log-in/. Cases presented are subject to approval and risk acceptance by campus governance and your unit executive.

Which laws are in play here?

• The State Records Act (5 ILCS 160)
• The Freedom of Information Act (5 ILCS 140)