Cybersecurity and USC’s Policy on Email Retention, Forwarding, and Business Use
The following memorandum regarding USC’s policy on employee email was distributed to all faculty, staff, and emeriti in October 2016:
To: USC Faculty, Staff, and Emeriti
From: Douglas Shook, Chief Information Officer
Date: October 27, 2016
Subject: Cybersecurity and USC’s Policy on Email Retention, Forwarding, and Business Use
Recent high-profile breaches, such as those at Sony, Anthem, Dropbox, and Yahoo, reveal that cybercriminals commonly operate on a large scale, amassing vast stores of information about individuals. USC is not immune to cyberattack; in fact, we typically repel more than 20,000 attempts per week to gain access to our computer systems. Email, in particular, is very attractive to cybercriminals, because it is easily searchable and contains a wealth of private details about both account holders and their contacts.
To address the increased risk of hacks and security breaches, we must continually implement new approaches to secure both the university’s business systems and the personal information of faculty and staff. More importantly, we are obligated to do all we can to secure information related to our students and our patients.
For these and other reasons, USC has updated its policy to standardize the requirements for the retention, forwarding, and use of USC email by employees. The policy is available at policy.usc.edu/employee-email and applies to all university email systems, including those subdomains maintained by schools or units.
The policy has two main components. First, in an effort to reduce the amount of old information that is stored in USC email systems, the university will implement a 16-month retention limit on messages stored in default email folders (e.g., Inbox, Sent Items, and Deleted Items). You will be able to store any messages you deem important beyond the 16-month limit by moving them to a personal folder that you deliberately create as a top-level folder. Many of you already manage your email this way, and simple instructions for creating top-level personal folders are available at itservices.usc.edu/office365/folders. We urge you to delete messages that you no longer need, including those that you store in your personal folders.
Second, email administrators will be required to disable the automatic forwarding of USC email to external, non-USC, email domains. This means that you will no longer be able to set up the automatic forwarding of all your email to non-USC domains such as Gmail. You may still forward individual messages. For the reasons outlined above, USC must be able to take adequate measures to protect the information communicated via USC email. The university cannot secure, protect, and manage email that is stored in independent systems.
We recognize that these policy changes may be burdensome; however, we urge you to consider the sorts of personal and sensitive information that you may have stored in your USC account—including personal information that you may have received about students, colleagues, and others.
To give faculty and staff adequate time to manage their accumulated email, the requirements of the policy will be applied in the phases outlined below.
- On January 18, 2017, the retention limit will be applied to staff email.
- On March 15, 2017, the retention limit will be applied to faculty, affiliate, and emeriti email.
- On March 15, 2017, the automatic forwarding of USC email to external domains will be disabled for staff, faculty, emeriti, and affiliates.
You will receive reminders from email@example.com about the approaching retention deadlines, along with instructions for saving the email that you wish to retain.
Thank you for your understanding and cooperation.
Todd R. Dickey, Senior Vice President for Administration
Michael W. Quick, Provost and Senior Vice President for Academic Affairs
James M. Staten, Senior Vice President for Finance and Chief Financial Officer