The Risks of Using Private Emails for Official Public Business
When we think of government cybersecurity, we often picture sophisticated firewalls protecting massive federal databases. However, one of the most significant vulnerabilities in our local and state infrastructure is much more mundane: the daily use of personal and private business email accounts by public officials.
While the practice might seem like a harmless convenience, conducting official government operations outside of secured, government-issued networks creates legitimate technical and security risks. In West Virginia, it is a systemic issue born from gaps in policy, leaving sensitive data exposed.
The Policy Gap in West Virginia
Currently, West Virginia law does not require elected or appointed officials to use government-issued email accounts for official business. Instead, public bodies are largely left to establish their own internal policies.
Bloodhound Media obtained one such policy from the West Virginia Department of Administration. The West Virginia Office of Technology (WVOT) Policy 1005 strictly prohibits the use of personal email to conduct state business, but it applies only to Executive Branch agencies using the state-provided email system that are not exempt under West Virginia Code §5A-6-8.
Because of this decentralized approach, many officials rely on standard email providers or their own private corporate domains for daily operations. This is especially prevalent for smaller public bodies that may lack the funding, technical infrastructure, or personnel needed to maintain official government websites and email systems. As a result, correspondence and attachments containing sensitive or legally protected information, including customer data, may be transmitted through standard Yahoo accounts, Gmail services, or private corporate IT networks rather than dedicated government-managed systems.
While legal, this practice raises a critical question: Is it safe?
The Cybersecurity Threat
Relying on non-governmental infrastructure to handle public data effectively bypasses the security protocols designed to protect municipalities from cyber threats. The major risks include:
- An Expanded Digital Footprint: Centralized government servers are closely monitored and regularly patched against vulnerabilities. When official government communications are spread across various private servers, the attack surface expands considerably, creating multiple soft targets for cyberattacks, phishing schemes, and ransomware.
- Lack of Centralized Security Controls: Government-managed systems can enforce mandatory multi-factor authentication, password policies, device management, logging, and encryption standards. Personal or privately managed accounts may not follow uniform security requirements, creating inconsistent protection across officials and agencies.
- Third-Party Data Access: When emails are hosted on commercial or private servers, those official records are subject to the terms of service of third-party service providers. This means data could become accessible to service providers, their subcontractors, or advertisers, stripping away the confidentiality expected of government operations.
- Privileged Admin Exposure: Private IT support staff often have administrative access to domain-level information. The use of a private business domain may inadvertently expose confidential government information to private employees who lack the necessary security clearances or public accountability.
- Increased Phishing and Business Email Compromise Exposure: Public officials using generic email providers or private domains may be more vulnerable to impersonation attacks. Attackers often exploit public trust by spoofing officials or targeting weaker email security configurations.
The Threat to Transparency and Compliance

Beyond the immediate threat of a data breach, the use of private email fundamentally undermines the mechanisms of public transparency.
Under West Virginia law, an email sent from a personal account is still classified as a public record if it concerns the conduct of public business. The legal standard rests on the content of the message, not the account used to send it. However, enforcing this law becomes practically impossible when records are decentralized:
- Complex Records Retrieval: Commingling personal and public emails creates a logistical nightmare for compliance with open records laws. It reduces the reliability of searching, preserving, and producing records subject to West Virginia Freedom of Information Act requests or official investigations.
- Improper Destruction of Records: Any email used to conduct public business is legally a government record. If an official decides to clean their personal inbox and deletes official correspondence, they may have effectively destroyed a public record, potentially violating data retention laws without any oversight or backup to recover the lost data.
The Bottom Line
Ultimately, the issue is not whether public officials are acting with malicious intent, but whether the systems being used are adequate to protect sensitive information and preserve public accountability. In an era of increasing cyber threats and growing public concern over government transparency, relying on personal email accounts and privately managed networks for official business creates unnecessary risk. Without clear statewide standards requiring secure, government-controlled communication systems, West Virginia leaves critical public records, protected information, and public trust vulnerable to compromise.

Whether officials use private accounts and networks out of ease, laziness, or negligence, closed government security should be used regularly and as the standard.