Privacy & Cybersecurity: Employee Email Auto-forwarding Retirement Effort FAQ
As part of an administration-driven effort to better secure email accounts originating from and owned by the University of Illinois, Technology Services Privacy and Cybersecurity will take actions to restrict university employees' ability to auto forward from @illinois.edu, @uillinois.edu, and @uiuc.edu email addresses to external email accounts or providers.
What is this all about?University of Illinois and its employees who auto-forward official Illinois email records face high and ever-increasing risks and liabilities related to account cybersecurity, privacy, phishing, and compliance with Illinois laws.
Why is this happening?Private email providers are not focused on the same legal, ethical, and compliance requirements as the university. Forwarding email moves University of Illinois business into uncontrolled environments where the university cannot meet its commitments to secure personal information, university data, research, and internal process or business decisions that shouldn’t become public.
When auto-forwarding email from the university, your personal mailbox becomes subject to potential Freedom of Information Act (FOIA) reviews. University personnel will then be required to go through personal correspondence to identify FOIA items.
What does the problem look like right now?A few thousand employees currently forward official email offsite. There are actually 2 separate concerns here:
1) This has in the past and will continue to build the potential for putting personal accounts in scope for FOIA searches. The potential alone puts individual personal privacy at risk. It also puts the university in a difficult position, being that it cannot readily comply with the state law unless personal account owners agree to turn official materials over.
2) As the #1 most common cybersecurity attack upon our university, phishing continues to be an effective way for threat actors worldwide to obtain valid Illinois account credentials with which to steal our most valuable assets and hijack our resources. Illinois' cybersecurity solutions to detect and mitigate this unfortunate reality will not provide any value if employee email is being sent to a place where it cannot detect an attack or mitigate the damage.
What the university doing about it?The university will be implementing a new policy that will disallow email auto-forwarding for employees. This will require new email habits for those who are used to fielding their official work email from a non-Illinois account.
To prepare, the Chief Privacy and Security Officer, Tech Services, and partners all around the university are working to do 4 things:
1) Identify and give ample notice to university employees and support personnel of those who auto-forward their email in EDE or via O365 rules.
2) Provide guidance on how to eliminate rules or what to do.
O365 "how-to" guidance
OR "do nothing" (rules will not work or disappear once we implement)
3) Provide support and guidance to non-technical audiences who need to convey the new requirement to their support people.
When will the policy be implemented?
Where can I find resources to guide me through the change or understand the laws involved?If you wish to wait for the implementation, there is nothing to do. Any rules set up will cease to function at the time the university disables auto-forwarding.
If you wish to cease forwarding immediately, see:(EDE) "How to stop forwarding to an alternate email address": https://answers.uillinois.edu/illinois/86742
(O365/Outlook) "How to Delete Inbox Rules from Outlook": https://answers.uillinois.edu/109993
Laws in play:Illinois State Records Act (5 ILCS 160/): https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=86
Illinois Freedom of Information Act (5 ILCS 140/)