William & Mary’s email services support the educational and administrative activities of the university and serve as a means of official communication by and between users and the university. The purpose of this policy is to ensure that this critical service remains available and reliable, and is used for purposes appropriate to the university's mission.
This policy applies to all members of the William & Mary community who are entitled to email services.
William & Mary provides electronic mail (email) services to faculty, staff and students, and to other affiliated classes of individuals. Use of William & Mary’s email services must be consistent with William & Mary’s educational goals and comply with local, state and federal laws and university policies.
William & Mary Email Addresses and Accounts
Faculty and Staff
Email services are available for faculty and staff to conduct and communicate university business. Incidental personal use of email is allowed with the understanding that the primary use be job-related, and that occasional use does not adversely impact work responsibilities or the performance of the network. With the exception of retired Emeritus Faculty, email services are provided only while a user is employed by the university and once a user's employment ceases their email account is locked and employees may no longer access the contents of their mailboxes. If a departing employee needs access to the email account for any legitimate business purposes after employment than the departing employee will need to apply for an affiliate account.
Faculty and staff email users are advised that in accordance with the the Commonwealth of Virginia’s Policy 1.75: Use of Electronic Communications and Social Media electronic data (and communications using the university network for transmission or storage) may be reviewed and/or accessed by authorized university officials for purposes related to university business. William & Mary has the authority to access and inspect the contents of any equipment, files or email on its electronic systems. For details on the rules and procedures for authorizing the access to and release of individual electronic records to university officials see the Policy on Granting Access to Electronic Records.
Faculty and staff of VIMS are advised to setup a rule to redirect their W&M email to their VIMS email mailbox. This rule should redirect all messages then delete the message from the William & Mary mailbox. The redirect feature maintains the original sender information allowing replies to those email messages.
Email services are available for students to support learning and for communication by and between the university and themselves. Student email accounts are active for 16 months after their last enrolled semester. This grace period is intended to provide adequate time for transferring mail and other content to a personal service.
Alumni and Others
Individuals with special relationships with William & Mary, such as affiliates or official visitors, who are neither employed nor enrolled at William & Mary, are granted limited email privileges, including an email address, commensurate with the nature of their special relationship. William & Mary is free to discontinue these privileges at any time.
Acceptable Use under University Policies
Email users have a responsibility to learn about and comply with William & Mary’s Acceptable Use Policy. Violation of William & Mary policies (including this one) may result in disciplinary action dependent upon the nature of the violation. Examples of prohibited uses of email include:
- Intentional and unauthorized access to other people's email.
- Sending "spam", chain letters, or any other type of unauthorized widespread distribution of unsolicited mail.
- Use of email for commercial activities or personal gain (except as specifically authorized by university policy and in accordance with university procedures).
- Use of email for partisan political or lobbying activities.
- Sending of messages that constitute violations of William & Mary Code of Conduct.
- Creation and use of a false or alias email address in order to impersonate another or send fraudulent communications.
- Use of email to transmit materials in a manner which violates copyright laws.
Security and Privacy of Email
Each employee mailbox is on a two-year legal hold meaning each email is kept for two years regardless if the owner of the email deletes it from their mailbox.
If an employee is under a legal hold from General Counsel, their mailbox is switched from the two-year legal hold to unlimited legal hold meaning each email is kept forever regardless if the owner of the email deletes it from their mailbox.
William & Mary attempts to provide secure, private and reliable email services by following sound information technology practices. However, William & Mary cannot guarantee the security, privacy or reliability of its email service. All email users, therefore, should exercise extreme caution in using William & Mary email to communicate confidential or sensitive matters or transfer sensitive or protected data.
Best Practices in Use of Email
- Sensitive Data - Never email sensitive data, ever.
- Malware - William & Mary email users should be careful not to open unexpected attachments from unknown or even known senders, nor follow web links within an email message unless the user is certain that the link is legitimate. Following a link in an email message executes code that can also install malicious programs on the workstation.
- Identity Theft - Forms sent via email from an unknown sender should never be filled out by following a link. Theft of one's identity can result.
- Password Protection - William & Mary’s policy requires the use of strong passwords for the protection of email. A strong password must contain digits or punctuation characters as well as letters.
- Departmental Email Boxes - To provide for continuity and security of university email, departments that provide services in response to email requests are required to use a shared mailbox.
- Compromised Accounts - An email account that has been compromised, whether through password-cracking, social engineering or any other means, must be promptly remedied with the appropriate means. The appropriate means will include a password reset, review of account settings, computer scans and malware disinfection to prevent possible leakage of personally identifiable information, spamming, potentially infecting others and degradations of network service. If the account is being used to harm others at William & Mary and the owner cannot be reached in a reasonable period of time (“reasonable” being driven by the negative impact to the William & Mary community), the Chief Information Security Officer (CISO) will direct the Identity Management team to reset the password. Should the same account be compromised three or more times in any 12-month period, the account will be immediately suspended, and will not be re-enabled until the user notifies the CISO to ensure that all remediation has taken place, and is provided with remedial training.
Authority and Implementation
This policy is approved by the Chief Information Officer at William & Mary. The Information Technology department is responsible for implementation and enforcement of this policy.