John Legarreta

External Email Communications Policy

Purpose

This Policy establishes mandatory rules and controls governing the creation, review, and transmission of email communications to recipients outside the Company. Its purpose is to protect confidential and sensitive information, ensure compliance with legal, regulatory, and contractual obligations, and maintain the Company’s professional reputation.

Scope

This Policy applies to:


  • All outbound email messages sent to external recipients from Company-managed accounts and devices.
  • Any forwarding, auto-forwarding, or redirection of Company emails to external addresses (including personal email accounts).
  • Any email content created, stored, or transmitted using Company systems (including mobile devices, webmail, and integrated collaboration platforms).

Definitions

  • External Recipient: Any email address not owned or controlled by the Company.
  • Sensitive Information: Data classified as Internal or Restricted, which includes (but is not limited to): personally identifiable information (PII), protected health information (PHI), payment card data (PCI), authentication credentials, proprietary business data, trade secrets, source code, security configurations, incident details, financial forecasts, M&A information, non-public contracts, and attorney–client privileged communications.
  • Data Loss Prevention (DLP): Technical controls that detect and prevent unauthorized transmission of sensitive information.
  • Encryption: Secure email methods to protect confidentiality and integrity in transit and at rest.
  • Legal Hold: A directive preserving records (including email) that may be relevant to litigation, investigation, or audit.
  • Review: A required approval step (pre-send or post-send audit) to verify compliance with this Policy and associated standards.

Policy Statement

No Expectation of Privacy

All email communications created, sent, received, or stored on Company systems are Company property. Users have no expectation of privacy in Company email. The Company reserves the right to monitor, log, access, review, retain, and disclose email communications for any lawful business purpose, including compliance, security, audit, investigation, and legal requirements.


Prohibition on Unauthorized Disclosure

Users must not send, share, or expose Sensitive Information to external recipients unless:

  1. The disclosure is explicitly authorized by business need and policy;
  2. Classification and labeling requirements are met;
  3. Appropriate encryption, access restrictions, and recipient validation are applied; and
  4. The communication passes any required pre-send review and DLP checks.


Mandatory Review and Approval

  • Pre-Send Review: Emails containing Sensitive Information or addressed to high-risk recipients (e.g., personal email domains, unknown vendors, media, regulators, competitors) must be reviewed and approved by the appropriate business owner and/or Information Security prior to sending.
  • Automated Controls: All outbound email is subject to automated DLP inspection, policy checks, and transport rules. Messages flagged by these controls will be blocked, quarantined, or routed for approval.
  • Post-Send Audit: The Company may perform ongoing audits to ensure conformance. Users must cooperate with audit inquiries.


Recipient Validation

Before sending any external email:

  • Verify the recipient’s identity, address, and domain.
  • Use approved distribution lists and contact records when available.
  • Avoid sending Sensitive Information to shared mailboxes or group aliases unless explicitly required and secured.


Minimum Security Controls

  • Classification & Labeling: Apply the correct sensitivity label/classification to all emails and attachments per the Company’s Data Classification Standard.
  • Encryption: Use Company-approved encryption for any email containing Sensitive Information.
  • Access Restrictions/Rights Management: When feasible, apply restrictions (e.g., do not forward, view-only) for sensitive or confidential content.
  • DLP & Transport Rules: Do not circumvent or attempt to bypass technical controls.
  • Attachment Hygiene: Avoid sending unredacted data, raw exports, system logs, credentials, or keys. Use secure portals when feasible.
  • Link Validation: Use secure, access-controlled links for documents rather than attachments when appropriate.
  • Multi-Factor Authentication (MFA): Maintain MFA on all accounts used to access Company email.


Prohibited Content and Practices

The following are strictly prohibited:

  • Sending Sensitive Information without authorization, labeling, and encryption.
  • Transmitting passwords, API keys, tokens, or other credentials.
  • Emailing regulated data (e.g., PII, PHI, PCI) to personal accounts or non-compliant third parties.
  • Forwarding Company emails to personal or non-approved external accounts (manual or auto-forward).
  • Sharing content under Legal Hold or with confidentiality obligations without Counsel approval.
  • Discussing ongoing investigations, incidents, or legal strategies outside authorized channels.
  • Using unapproved templates, signatures, disclaimers, or third-party email services.


External Auto-Forwarding

Automatic forwarding to external domains is disabled by default. Any exception requires written approval from Information Security and the data owner, with documented controls and review cadence.


Records Management and Retention

All emails are subject to Company records retention schedules. Users must not delete, alter, or obfuscate emails subject to retention or Legal Hold. Retention labels and policies apply and are enforced via Company tools.


Incident Reporting

Suspected or actual unauthorized disclosure (e.g., misdirected emails, improper attachments, failed encryption) must be reported immediately to Information Security via the Incident Hotline / Ticketing System. Do not resend or attempt self-remediation without guidance.

Roles and Responsibilities

Employees and Contractors

  • Comply with this Policy, related standards, and procedures.
  • Validate recipients and apply classification/labels correctly.
  • Use encryption and DLP-compliant methods where required.
  • Complete training and attestations.

Managers

  • Ensure team compliance and approve sensitive communications when required.
  • Reinforce training and escalate violations.

Information Security (InfoSec)

  • Define DLP policies, labels, encryption standards, and controls.
  • Operate monitoring, audit, and incident response processes.
  • Maintain allow/deny lists and manage exceptions.

Legal/Compliance

  • Advise on regulatory and contractual obligations.
  • Administer Legal Holds and coordinate investigations.

IT Operations

  • Enforce transport rules, logging, and retention.
  • Maintain secure email gateways and approved integrations.

Enforcement and Disciplinary Action

Violations of this Policy may result in disciplinary action, up to and including termination of employment or contract, and may expose the User and the Company to civil or criminal penalties. The Company may suspend accounts, revoke access, and notify regulators or affected parties as legally required.

Related Policies and Standards

  • Acceptable Use Policy
  • Data Classification and Handling Standard
  • Records Retention and Legal Hold Policy
  • Information Security Incident Response Plan
  • Vendor Management and Third-Party Risk Policy

Copyright © 2025 John Legarreta - All Rights Reserved.
