Central Email Policy

The University at Buffalo (UB, university) is committed to providing a central email system to support the education, research, and administrative activities of the university. Email is an official communication channel, and the university expects faculty, staff, and students to use, read, and respond to their email regularly. Email usage must comply with federal and state laws and university policies, including those governing computing resources, information security, and ethics. The Computing and Network Use Policy provides the framework for acceptable use of university information technology (IT) resources.

Email accounts are provided to students, faculty, and staff, and may also be provided to volunteers, alumni, retirees, and others affiliated with the university at the discretion of the Vice President and Chief Information Officer (VPCIO). University employees are encouraged to obtain a personal email account for non-university communication. 

System administrators do not routinely monitor email, however, they may access email for a legitimate business purpose including diagnosing and resolving technical problems, investigating possible misuse of email when there is reasonable suspicion of a violation of law or university policy, or an approved investigation, or addressing an imminent health or safety issue.

For security and confidentiality purposes, all university business must be conducted with a VPCIO-supported email system. Automatic forwarding of email to a third-party email system is prohibited. Use of a third-party email system by a university employee for university business is prohibited. Use of third-party email systems may result in the inability to verify employee identity as well as sensitive, proprietary, or regulated data being improperly stored on systems not controlled by the university. Improper storage of university data on third-party systems could result in a reportable data breach for which the university could incur financial penalties and reputational damage.

All endpoints, devices, and servers on the university network that send outgoing email must do so through a centrally managed service. Email servers not supported centrally by the VPCIO organization or that are not created for research or instructional purposes are prohibited. 

Exceptions may be allowed for IT systems to leverage email as a communications subcomponent (e.g., help desk ticketing systems) and other justifiable cases (e.g., applications that are jointly managed by UB and the involved third party) at the discretion of the VPCIO.

All email accounts will be subject to message hygiene processing:

• Inbound messages with a high probability of being spam or containing malicious content may be filed in a junk folder, quarantined, or not delivered.
• Outgoing messages with a high probability of being spam or containing malicious content may not be delivered. These messages are often sent by a compromised account and can result in the UB mail system being block listed, preventing the delivery of UB email to other email service providers.
• Both incoming and outgoing messages may be subject to message scanning and other services to identify unsafe links, flag protected information, and other protections to prevent malware and promote data security.
• Report concerns about proper message hygiene to the UBIT Help Center

Federal and state rules regarding discovery of electronically stored evidence require the preservation and production/disclosure of any electronic evidence that is regularly and routinely available, including email messages, when there is an expectation of litigation. Email messages, including personal communications, may be subject to and released in response to government and court-ordered legal actions under the New York State Freedom of Information Law and to comply with E-Discovery responsibilities and demands. Users must exercise judgment in sending content that may be deemed confidential or that they otherwise do not wish to be disclosed. Email transmissions may not be secure, and contents that are expected to remain confidential need to be communicated via means other than email.

The university retains deleted email for seven days, after which the email is permanently deleted and cannot be recovered. Originators and recipients of email are responsible for identifying and saving documents that must be retained to comply with federal, state, or local laws and to meet operational, legal, audit, research, or other requirements.

The university recognizes that it may be necessary to allow access to electronic data contained within a deceased or incapacitated individual’s UB account.

A request to access electronic data must originate from a legally authorized individual (e.g., executor, holder of power of attorney) supported by a legal document demonstrating authorization in accordance with the Accessing Accounts of Deceased or Incapacitated Individuals Policy.

Use of university email must follow all other relevant university policies. Using university email to violate policies, laws, or regulations is prohibited. Examples of misuse include:

• Forging or altering email information with the intent to deceive the reader including timestamp, sender and recipient information, title, IP addresses, and message content
• Sending spam
• Flooding email listservs

Violations of this policy may result in appropriate disciplinary measures in accordance with university policies, applicable collective bargaining agreements, and state and federal laws.

The university must be able to communicate quickly and efficiently with employees and students to conduct official university business. Email is an efficient, cost-effective, and environmentally sustainable medium for such communication. However, inappropriate use of email can reduce employee productivity, burden the IT infrastructure, hinder the university’s ability to deliver critical messages, and diminish the effectiveness of emails received. Recognizing these expectations and concerns, this policy establishes email as an official form of university communication and establishes the requirements for use.

This policy applies to individuals with access to a centrally supported university email address, including UB faculty, staff, students, and volunteers.

Block List

A list of email system providers known to deliver spam or malicious messages. Various    organizations maintain such lists and make them available, usually as part of a paid service, to email system providers. Email system providers will often not accept emails from providers on this list.

E-Discovery

The process of preserving, securing, reviewing, and exchanging electronically stored information in the context of modern litigation or other legal processes.

Email Filter

Processing email to organize it according to specified criteria. Most often this refers to the automatic processing of incoming messages, but the term also applies to the intervention of human intelligence in addition to anti-spam techniques, and to outgoing emails as well as those being received.

Flooding

Posting a message to multiple list servers or news groups with the intention of reaching as many users as possible.

Message Hygiene

Eliminating or quarantining email messages determined to be spam, or which contain malware, viruses, phishing attempts, or otherwise malicious content.

New York State Freedom of Information Law (FOIL)

Provides the public right to access records maintained by government agencies with certain exceptions.

Spam

The use of electronic messaging systems, including most broadcast media and digital delivery systems, to send unsolicited bulk messages indiscriminately.

• Review and update this policy as needed.

• Manage central email systems.
• Maintain spam filters for incoming and outgoing messages.
• Manage the retention of deleted emails.
• Monitor email for a legitimate business purpose including diagnosing a technical problem, investigating possible misuse of email, or addressing an imminent health or safety issue.
• Terminate a former employee's email account upon their termination or resignation from the university. Information in their UB mailbox not retained by the university will be deleted.
• Provide UB email communication to appropriate agencies and individuals in accordance with NYS FOIL and federal and state E-Discovery.
• Provide emails of deceased or incapacitated individuals in accordance with this policy and the Accessing Accounts of Deceased and Incapacitated Individuals Policy.
• Prevent automated forwarding of UB email accounts.

• Use, read, and respond to UB email regularly for official university communications.
• Use the university’s centrally supported email system for university-related email communications.
• Subscribe to official university communications; faculty and staff remain responsible for content even if they unsubscribe from official emails.
• Obtain an email account for personal email.
• Comply with the Computing and Network Use Policy.

• Use, read and respond to UB email regularly for official university communications.
• Subscribe to official university communications; students remain responsible for content even if they unsubscribe from official emails.
• Comply with the Computing and Network Use Policy.