Privacy & Cybersecurity, Employee Email Auto-forwarding, Disallow by Policy Effort FAQ

As part of an administration-driven effort to better secure email accounts originating from and owned by the University of Illinois, Technology Services Privacy and Cybersecurity will take action on July 26, 2021 to restrict university employees' ability to auto-forward from @illinois.edu, @uillinois.edu, and @uiuc.edu email addresses to external email accounts or providers.

What is this all about?

The University of Illinois and its employees who auto-forward official Illinois email records face high and increasing risks and liabilities related to account cybersecurity, privacy, phishing, and compliance with Illinois law.

Why is this happening?

Private email providers do not enable the university to meet its legal, ethical, and compliance requirements. Forwarding faculty and staff email moves University of Illinois business into uncontrolled environments where the university cannot meet its commitments to secure personal information, university data, research, internal processes or business.
When you auto-forward email from the university, your personal mailbox becomes subject to potential Freedom of Information Act (FOIA) reviews and disclosure. As a result, university personnel might require access to any such personal accounts to identify FOIA items.

Which email accounts will and will not be affected?

Individual employee email accounts assigned to faculty and staff will be affected by this change.
Role accounts, service accounts, mail-enabled groups or lists, and other non-individual email accounts will not be affected by this change.

What does the problem look like right now?

A few thousand employees currently forward official email offsite. There are two concerns here:

    1) Phishing and email are the most successful cybersecurity attack vectors against our university. They continue to be the most effective vehicle for threat actors worldwide to spread malware, access our work, and steal our most valuable assets. Illinois' Cybersecurity cannot provide much value or relief when employee email is being sent to a place where attacks cannot be detected or dealt with.

    2) As an allowed practice, employee email forwarding has built, and will continue to build, the potential to put personal accounts in scope for the Illinois State Records Act and FOIA. This puts individual personal privacy at risk. It also puts the university in a difficult position, because it cannot comply with the laws unless owners grant official access to private email.

What is the university doing about it?

The university will be implementing a new policy that will disallow email auto-forwarding for employees. This will require new email habits for those who are used to fielding their official work email from a non-Illinois account.   
To prepare, the Chief Privacy and Security Officer, Tech Services, and partners all around the university are working to do 4 things:

    1) Identify university employees who auto-forward their email in EDE or via O365 rules, and give ample notice to them and their support personnel.
    2) Provide guidance on how to eliminate rules or what to do.
            O365 "how-to" guidance
            EDE guidance
            OR "do nothing" (rules will not work and will disappear once we implement)
    3) Provide support and guidance to non-technical audiences who need to convey the new requirement to their support people.
    4) Quickly implement and enforce new policies within O365 and departmental mail services.

When will the policy be implemented?

July 26, 2021

Where can I find resources to guide me through the change or understand the laws involved?

    If you wish to wait for the implementation, there is nothing to do. Any rules set up will cease to function at the time the university disables auto-forwarding.

    If you wish to cease forwarding immediately, see:

        (EDE) "How to stop forwarding to an alternate email address": https://answers.uillinois.edu/illinois/86742
        (O365/Outlook) "How to Delete Inbox Rules from Outlook": https://answers.uillinois.edu/109993

Which laws are driving this?

    Illinois State Records Act (5 ILCS 160/):
        https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=86
    Illinois Freedom of Information Act (5 ILCS 140/):
        https://www.cyberdriveillinois.com/departments/library/about/foia.html
        https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=85&ChapterID=2

What if I am forwarding to an Illinois Google Email account (g.illinois.edu)?

In addition to the university not having the ability to know about or react to cybersecurity events outside the O365 environment, the university has also deprecated its use of Google email for employees. Email forwarding to Illinois Google will no longer be an option for those university employees who have a primary affiliation of faculty or staff.
NOTE: This item pertains to Google email only. All other Google apps licensed by the university are still supported.




Keywords: email, security, forward, forwarding, inbox, rules, policy, staff, employee, policy rule, EDE, disabled
Doc ID: 110048
Owner: Security S.
Group: University of Illinois Technology Services
Created: 2021-04-01 13:37 CDT
Updated: 2021-04-28 16:29 CDT
Sites: University of Illinois System, University of Illinois Technology Services