You've Got (No) Mail! Major Law Firm Blocks Employee Email Access

from the overreaction dept

Cross-posted from

Personal email accounts introduce possible threats to firm computers. A careless employee could open a trojan horse attachment and unleash a virus on the system. Even if the attack only infects the local drive, confidential information may be at risk.

This puts firms in a bind. Either invest time and energy teaching basic Internet skills to their employees — lessons like, “don’t open attachments from unknown email addresses” — that most of us learned when we still had Prodigy emails, or condescendingly cut off access to a modern necessity because the employees are too hopeless to understand the rules.

Yesterday, a major law firm chose the latter route…

King & Spalding dropped this nugget on their employees yesterday:

The firm’s internal security experts, as well as our outside security experts, have advised us that accessing Personal Email Accounts from firm computers creates a significant security risk. Therefore, effective May 1, 2013, access to Personal Email Accounts (i.e., anything other than your kslaw.com email, including, but not limited to, personal email accounts like Gmail, Yahoo, Hotmail, cable company, etc.) from King & Spalding computers will no longer be permitted.

Most personal email sites will be blocked while you are on the firm’s network. However, you should not access Personal Email Accounts from a firm computer, even if you are not automatically blocked when trying to do so.

Yes, this policy was announced yesterday at approximately 4 p.m. Eastern time. So while the whole country was conversing over personal email (and its companion chat systems) about the latest news updates surrounding a national tragedy, King & Spalding was announcing that it would be cutting off this access. Perhaps less than savvy timing. Someone in a position of authority may have wanted to hold off for a week or so.

Employees can continue to check email on their phones not connected to the main network (a new “ksmobile” network has been set up for this purpose). This means all their employees will now spend an order of magnitude longer every day cruising their inboxes on 3.5-inch screens and typing detailed responses with their touchpads. EFFICIENCY!

King & Spalding isn’t wrong to recognize that third-party email services constitute a threat to the firm network. But the actual threat is entirely between the keyboard and the chair if you will. Gmail isn’t threatening the network, Donny Dips**t clicking on a link sent by a Nigerian Prince is threatening the firm network. In the estimation of King & Spalding, its firm email system can better guard against phishing and thus minimize the opportunity of its employees to expose the firm to harm. However, Internet users are getting smarter every year, and with the decline in these “user errors,” the whole phenomenon of phishing is in decline.

So after years of exposing the firm’s computers to risk, King & Spalding has opted now, while the risk is in decline, to take the drastic step of blocking personal email accounts. Perhaps this explains why King & Spalding didn’t survive the first round of the “Which Firm Has The Brightest Future?” bracket.

Full email below.

KING & SPALDING — FIRM-WIDE-ANNOUNCEMENT — EMAIL ACCESS

New Policy Prohibiting Access to Non-King & Spalding Email Accounts (“Personal Email Accounts”) from Firm Computers

The firm’s internal security experts, as well as our outside security experts, have advised us that accessing Personal Email Accounts from firm computers creates a significant security risk. Therefore, effective May 1, 2013, access to Personal Email Accounts (i.e., anything other than your kslaw.com email, including, but not limited to, personal email accounts like Gmail, Yahoo, Hotmail, cable company, etc.) from King & Spalding computers will no longer be permitted.

Most personal email sites will be blocked while you are on the firm’s network. However, you should not access Personal Email Accounts from a firm computer, even if you are not automatically blocked when trying to do so. For example, you should not access Personal Email Accounts from a firm laptop, even when the laptop is not connected to the firm’s network (i.e., from your home network, a hotel internet, etc.). The firm’s computer systems hold confidential information about our clients and the firm and, as you know from reading articles in the press, individual users who innocently click on malicious e-mails are often the cause of security breaches. We need your help in protecting our systems by following this and other security related policies, even when you can do things that you are not supposed to do.

In certain limited circumstances, clients require us to communicate via a third party email system. If you have such a client requirement, please contact Thomas Gaines or Gene Viscelli so that we can determine the best way to address your client requirement. Please do not simply access the third party email without checking with Thomas or Gene (or the Service Desk if you cannot reach Thomas or Gene first).

Permissible Ways of Accessing Personal Email Accounts

The prohibition against accessing Personal Email Accounts from firm computers does not impact your ability to access Personal Email Accounts such as Gmail, Yahoo or Hotmail from your own personal devices (e.g., smartphones, iPads, tablets, personal laptops, etc.) while at the firm.

The firm has installed a wireless network called “ksmobile” in each office. This wireless network is reserved for K&S personnel (not clients or visitors who should be directed to the ksguest network), is a direct route to the Internet, and is appropriately sized to accommodate the many personal devices that are being used by K&S personnel. Because ksmobile does not connect to the firm’s internal network, it provides the firm a more secure way to allow you access to your Personal Email Accounts while you are in the office.

If you wish to use the ksmobile network, you may obtain the password to access this network by calling the Service Desk at ext. 8-3000. After your initial connection to ksmobile, your personal device will automatically reconnect whenever you are in a K&S office and retain the connection throughout the K&S space without the need to reenter the password.

If you have any questions about this new policy, please contact Gene Viscelli, Thomas Gaines, or any member of the Technology Oversight Group (Pat Brumbaugh, Derek Hardesty, Ted Hester, John Keffer, Floyd Newton, Bob Perry, Glen Reed and Kathy Rhyne).

Gene Viscelli
Chief Information Officer

More stories from Above The Law



Comments on “You've Got (No) Mail! Major Law Firm Blocks Employee Email Access”

42 Comments
Mike Raffety (profile) says:

Most financial institutions already block personal e-mail

Having worked at a couple, they’ve long (ten years or more) blocked access to personal e-mail accounts like Yahoo or Gmail. This is perhaps new-ish in the law firm field, but not in banks or brokerages.

I believe this was originally driven by regulatory requirements to preserve all written communications for possible audit and legal discovery purposes, and perhaps also to show that the firm had made all reasonable efforts to prevent inside information from leaking out to be traded on.

alanbleiweiss (profile) says:

Users are idiots

I don’t care how far we’ve come in educating the masses. The masses are still Luddite-stupid in overwhelming ways. I’ve witnessed too many people educated, guided, cajoled, led, informed, encouraged and otherwise shown why they need to stop being stupid with their computer and internet habits.

And too many of them nod their heads, spit out yes, thank you, what would I do without you and blah blah blah when they’re given that assistance.

Only to fall right back into stupid-land.

Stupidity can’t be extricated from the masses.

But just for fun – let’s take it further – when you’re at work as an employee, why should you even be allowed to spend time with personal email? Save it for your break, on your own time, on your own connected device.

John Fenderson (profile) says:

Re: Users are idiots

Yes, but it’s important to recognize that it isn’t some group of others who are idiots. To quote Scott Adams:

Everyone is an idiot, not just the people with low SAT scores. The only differences among us is that we’re idiots about different things at different times. No matter how smart you are, you spend much of your day being an idiot.

btr1701 (profile) says:

Re: Re: Users are idiots

Yes, but it’s important to recognize that it isn’t some group of others who are idiots. To quote Scott Adams:

Everyone is an idiot, not just the people with low SAT scores. The only differences among us is that we’re idiots about different things at different times. No matter how smart you are, you spend much of your day being an idiot.

Exactly. I was about to say the same thing but Adams said it better. People who are computer/IT savvy love to haughtily rail about how stupid ‘the masses’ are, but take them out of the IT realm and they suddenly become just another one of the stupid masses with regard to someone else’s expertise.

Anonymous Coward says:

Re: Re: Re: Users are idiots

The difference is being able to defer responsibility when you realize you’re outmatched.

When my car has a problem, I don’t go start taking apart random shit because I feel I can take care of it.

When I get a call over the phone telling me I won a million dollars but I need to give my credit card info in order to collect, I don’t go reaching for my wallet. I imagine most people would realize they are being scammed.

Why is the internet any different? Why do people think that things they get over email are somehow more trustworthy than someone calling them on the phone?

alanbleiweiss (profile) says:

Re: Re: Re:2 Users are idiots

Exactly! Thanks AC – One of the most important life lessons I needed to grasp was “know when you don’t know WTF you’re talking about or doing” and “step away from the ____” whatever the ____ is that you are clueless about.

While I am no better than anyone else, given that I am human, I am more likely to use what we all too quickly label as “common” sense.

It’s called “critical thinking” and most people do NOT use it.

John Fenderson (profile) says:

Re: Re: Re:3 Users are idiots

One of the most important life lessons I needed to grasp was “know when you don’t know WTF you’re talking about or doing”

Yes, this is Kettering’s Principle of Intelligent Ignorance: the intelligent don’t lack ignorance. They just know what they’re ignorant about.

Two quotes from Kettering:

The great obstacle to discovery is not ignorance, it is the illusion of knowledge.

and

A person must have a certain amount of intelligent ignorance to get anywhere.

Anonymous Coward says:

While antivirus systems don’t catch everything it seems like a properly configured antivirus server would catch everything at a law firm. I do IT for a school and we have hundreds of students accessing their own email as well as many staff. Any viruses are caught and disinfected before they do anything.
The last virus outbreak was back in 2004 and that was due to a usb drive and not email.

But it is their computers and network and they can do what they want as long as it is legal.

Mark says:

Gotta agree

My last gig involved end user IT security. There’s no way to train adequately to prevent users screwing up. Why are they accessing their personal mail on company time anyway?

At the state park in which I volunteer, just last week someone managed to wipe out 2 PCs by opening an attachment in personal mail on one, then moving to another to try again.

Nick (profile) says:

Isn’t this normal? Most big companies don’t trust their employees not to goof off or use facebook, so block all internet access. Accessing personal emails seems like a normal deal to me (if being real strict jerks to their employees) and a company has every right.

Heck, I’ve worked at 4 jobs in my life, one which had no computers, two blocked everything but the intranet or the company website, and one that let me use the internet at will (which I…. promptly abused, watching a few too many cat videos on youtube).

And, well, even good computer users can be tripped up and introduce a virus. If a virus wants to get in, it will, and only staying off the internet is a good way to prevent a virus 100% of the time.

Stuart Gray says:

Wow.
How off the mark you are on this one.
Blocking personal email sites is smart.
How efficient are you supposed to be on company time replying to your personal emails?

You are obviously such an entitled punk and have had so much handed to you for so long you are no longer capable of understanding what “work” is.

You can not train the stupid out of certain people when it comes to email. We have been trying for decades.

You sir on this topic have proved to be an idiot of massive scale.

Anonymous Coward says:

Re: Re:

Only morons think that personal use at work is only for entitled punks.

Law firm issues aside, some personal use of the interwebz can lead to increased employee productivity. About 9%, on average.

Summary:
http://arstechnica.com/business/2009/04/study-surfing-the-internet-at-work-boosts-productivity/

Scholarship:
Coker, B. L.S. (2011), Freedom to surf: the positive effects of workplace Internet leisure browsing. New Technology, Work and Employment, 26: 238–247. doi: 10.1111/j.1468-005X.2011.00272.x

Now get back to work you lazy entitled punk shitheads who so obviously value empiricism over properly subservient work practices.

btr1701 (profile) says:

Nothing New

As many people here have already posted, this is hardly a new phenomenon.

Most federal government employees have been blocked from using personal email sites for about the last half decade. And in my agency, the list of blacklisted auto-blocked web sites grows exponentially every month.

I would estimate, for example, that on any given day, at least 40% of the links on the Drudge Report site come back blocked. And most of them are legitimate news sites.

It’s pretty ridiculous, but hey, that’s what iPads are for, no?

btr1701 (profile) says:

Re: Nothing New

After reading through the entire email, this seems to be a very reasonable approach and I really don’t see why TD has an issue with it.

Hell, the law firm even went out of its way to install a separate wifi network throughout its offices to facilitate employees’ use of their personal phones and tablets.

Like many in the comments here, I have to ask, what’s the big deal?

Paul Reinheimer (profile) says:

better idea than it may seem

On a simple skim this can seem silly, but dig a bit deeper and it can end up looking sensible.

As a law firm, the costs of losing control over privileged information can be very high, ranging up to firm-destroyingly-high should confidential & embarrassing records get published.

Add that to the fact that most security awareness training doesn’t work, and is even argued against [1]. In order for most training to be effective we need to see our actions and the reward as coupled. With security training you sit in a boring seminar (or complete some basic computer based training program) once a year, then forget about it once the quiz is through. You may not be presented with a chance to apply your training for days, weeks, or months. Even then, the cost of failure might be nil, just like the reward for success. I can’t think of a less effective method for education.

Training every single employee of that law firm to behave correctly 100% of the time is unlikely to work. Instead IT, full of people with a better understanding of the problem at hand, manages all routes for data to reach internal computers. Email, web, gopher, whatever. They actively manage block lists, virus scanners, etc. all in an attempt to minimize risk. Drop one of those horrible link manipulation tools on the mail server that runs the link through a checker at click-time, rather than receipt time (the delay between the two adding valuable minutes or hours for a block-list to be updated) for good measure. Delete or quarantine all password protected compressed files, and quarantine any attachment from an unknown mail address.

If the user avoids all of that, and downloads a compressed .rar file with a password from a spear-phisher over gmail, they’ve skipped over half the defense in depth from the start. All that stands between that virus and the network is the virus scanner, which is generally reactive rather than proactive.

[1] http://www.schneier.com/blog/archives/2013/03/security_awaren_1.html

who, me? says:

smart policy

“I knew I shouldn’t have clicked it, but I did anyway.” It doesn’t matter how much training you do, it’s going to happen. At least by limiting access to the corporate systems, you have the ability to filter what comes in.

They’re even setting up a separate net for personal systems/devices. Like most everyone else, I’m not seeing the complaint.

Richard Hack (profile) says:

I disagree

I think this is a good policy. The small amount of time the end users spend checking personal email on their personal devices is a small price to pay for removing a large section of vulnerability from the network.

In addition, while phishing may have dropped 15 percent for some sectors, it’s risen for others as the link posted shows. Phishing remains one of the best ways for hackers to breach a network.

Suggesting that PEBCAC is the reason doesn’t help. PEBCAC doesn’t go away without major training. Worse, hackers with proper reconnaissance can craft an email that NO ONE would refuse to click on because it would look exactly like something they should click on. That’s true whether the email comes in as company business or as personal business.

So removing one entire source of such phishing efforts is worth a small price in efficiency.

Personally, I think companies should follow CIA policy: two computers on each desk, one classified, one unclassified. The classified one runs on the main business network, the unclassified one runs on an entirely different network. And never the twain shall meet except via a specific protocol for transferring vetted data from one to the other. This goes beyond just having a firewall and a DMZ.

Danny (profile) says:

Comment from the Irony Department

I note the “Overreaction Department” tag line on the post.

The firm is taking very reasonable steps to protect their data (and their clients’ data). Agreed the security risk is the employee, not the technology. But they rightly recognize that no amount of training will completely eliminate employees mistakes, especially since the scammers keep inventing new ruses.

And the firm is taking the reasonable step of mounting a new network outside their firewall to support employee access to personal accounts. So the firm isn’t trying to wall off access completely during the workday, an action that would be problematic on several dimensions.

I’d say the overreaction here is on the part of our poster, not on the part of the law firm.

Anonymous Coward says:

Once a co-worker sent me an email with an executable attachment on my birthday. I physically walked over to make sure she actually sent the thing, and after she told me she did, I STILL didn’t execute the thing. I’m sure it was some sort of nice e-card, but I’m just not going to take that chance.

But I get the feeling that the person who sent me that thing would have clicked on a similar attachment without a second thought, had one been sent to her.

It’s annoying for users who know what they’re doing, when stuff gets locked down because of the people who don’t. But often, it’s needed.

Anonymous Coward says:

Someone should ask Mr. Masnick to please stop letting interns write articles. This has been standard policy in Fortune 100 companies for something in the neighborhood of 10 years now. Anyone who doesn’t know this already has no business writing articles for Techdirt. It tarnishes your image to pretend this is news, even if it IS a cross-post from some other rag.

Very disappointing.

Anonymous Coward says:

An employee there could just simply set up a VPN on their home broadband connection. The software for the SoftEther VPN project will also let you set up your own private VPN as well on your home broadband connection.

As long as your home broadband has at least two IP addresses available, this can be done.

That is the easiest way to circumvent the filtering.

Joseph M. Durnal (user link) says:

Personal E-Mail is a Threat

When it comes to e-mail, I’ve been there & done that. Many companies and government organizations still think in terms of, protect the system, protect the network, and less in terms of, protect the data. Why, well, protecting the data can be hard for everyone who has been doing it the same way for the last 20 years. Confidential documents should be encrypted, everywhere. While the techdirt community isn’t a fan of DRM for content that the creators want everyone to have/pay for, DRMing your firm’s confidential documents can greatly reduce the risk of data leaks. We will always have ID10T errors, problems between the keyboard and chair, 10 years ago, never thought that today’s masses would still be so computer illiterate, but they are, and I don’t think it will change. Until IT shops develop systems for protecting the data, they’ll still have to protect the network and protect the systems, and this could include blocking personal e-mail accounts.
