Date Established: 3/26/2012
Date Last Revised: 5/9/2022
Category: Information Technology
Responsible Office: Enterprise Infrastructure Services
Responsible Executive: Vice President and Chief Information Officer
Email is an essential tool for accomplishing the university’s academic and administrative activities. This policy outlines the expectations and responsibilities of the UB community to keep email accounts secure and comply with relevant laws and regulations.
The University at Buffalo (UB, university) is committed to providing a central email system to support the education, research, and administrative activities of the university. Email is an official communication channel, and the university expects faculty, staff, and students to use, read, and respond to their email regularly. Email usage must comply with federal and state laws and university policies, including those governing computing resources, information security, and ethics. The Computing and Network Use Policy provides the framework for acceptable use of university information technology (IT) resources.
Email accounts are provided to students, faculty, and staff, and may also be provided to volunteers, alumni, retirees, and others affiliated with the university at the discretion of the Vice President and Chief Information Officer (VPCIO). University employees are encouraged to obtain a personal email account for non-university communication.
System administrators do not routinely monitor email; however, they may access email for a legitimate business purpose, including diagnosing and resolving technical problems, investigating possible misuse of email when there is reasonable suspicion of a violation of law or university policy, or an approved investigation, or addressing an imminent health or safety issue.
For security and confidentiality purposes, all university business must be conducted with a VPCIO-supported email system. Automatic forwarding of email to a third-party email system is prohibited. Use of a third-party email system by a university employee for university business is prohibited. Use of third-party email systems may result in the inability to verify employee identity as well as sensitive, proprietary, or regulated data being improperly stored on systems not controlled by the university. Improper storage of university data on third-party systems could result in a reportable data breach for which the university could incur financial penalties and reputational damage.
All endpoints, devices, and servers on the university network that send outgoing email must do so through a centrally managed service. Email servers not supported centrally by the VPCIO organization or that are not created for research or instructional purposes are prohibited.
Exceptions may be allowed for IT systems to leverage email as a communications subcomponent (e.g., help desk ticketing systems) and other justifiable cases (e.g., applications that are jointly managed by UB and the involved third party) at the discretion of the VPCIO.
All email accounts will be subject to message hygiene processing:
Federal and state rules regarding discovery of electronically stored evidence require the preservation and production/disclosure of any electronic evidence that is regularly and routinely available, including email messages, when there is an expectation of litigation. Email messages, including personal communications, may be subject to and released in response to government and court-ordered legal actions under the New York State Freedom of Information Law and to comply with E-Discovery responsibilities and demands. Users must exercise judgment in sending content that may be deemed confidential or that they otherwise do not wish to be disclosed. Email transmissions may not be secure, and contents that are expected to remain confidential need to be communicated via means other than email.
The university retains deleted email for seven days, after which the email is permanently deleted and cannot be recovered. Originators and recipients of email are responsible for identifying and saving documents that must be retained to comply with federal, state, or local laws and to meet operational, legal, audit, research, or other requirements.
The university recognizes that it may be necessary to allow access to electronic data contained within a deceased or incapacitated individual’s UB account.
A request to access electronic data must originate from a legally authorized individual (e.g., executor, holder of power of attorney) supported by a legal document demonstrating authorization in accordance with the Accessing Accounts of Deceased or Incapacitated Individuals Policy.
Use of university email must follow all other relevant university policies. Using university email to violate policies, laws, or regulations is prohibited. Examples of misuse include:
Violations of this policy may result in appropriate disciplinary measures in accordance with university policies, applicable collective bargaining agreements, and state and federal laws.
The university must be able to communicate quickly and efficiently with employees and students to conduct official university business. Email is an efficient, cost-effective, and environmentally sustainable medium for such communication. However, inappropriate use of email can reduce employee productivity, burden the IT infrastructure, hinder the university’s ability to deliver critical messages, and diminish the effectiveness of emails received. Recognizing these expectations and concerns, this policy establishes email as an official form of university communication and establishes the requirements for use.
This policy applies to individuals with access to a centrally supported university email address, including UB faculty, staff, students, and volunteers.
A list of email system providers known to deliver spam or malicious messages. Various organizations maintain such lists and make them available, usually as part of a paid service, to email system providers. Email system providers will often not accept emails from providers on this list.
The process of preserving, securing, reviewing, and exchanging electronically stored information in the context of modern litigation or other legal processes.
Processing email to organize it according to specified criteria. Most often this refers to the automatic processing of incoming messages, but the term also applies to the intervention of human intelligence in addition to anti-spam techniques, and to outgoing emails as well as those being received.
Posting a message to multiple list servers or news groups with the intention of reaching as many users as possible.
Eliminating or quarantining email messages determined to be spam, or which contain malware, viruses, phishing attempts, or otherwise malicious content.
New York State Freedom of Information Law (FOIL)
Provides the public right to access records maintained by government agencies with certain exceptions.
The use of electronic messaging systems, including most broadcast media and digital delivery systems, to send unsolicited bulk messages indiscriminately.
May 2022: Full review. Updated the policy to:
• Change the policy title from UB IT Central Email Policies and Procedures to Central Email Policy
• Revise the Summary, Policy Statement, Background, and Applicability sections
• Add a section to address email forwarding and third-party email systems to:
▫ Prohibit automatic email forwarding to a third-party email system
▫ Prohibit use of a third-party email system that has not been approved by the VPCIO as a justifiable case
• Add a definition for Block List, Flooding, and Message Hygiene
• Revise the definitions for E-Discovery and NYS FOIL
• Remove detailed language relating to spam management and filtering
• Revise the Misuse of Email section (previously titled Email With Forged Header Information) to be more inclusive of other types of misuse