Purpose
This policy outlines the guidelines for email use and management within the OWWL Library System (“the System”), as well as guidelines for identifying, reporting, and mitigating phishing attacks to protect the information systems, data, personnel, and reputations of the System and its member libraries from unauthorized access and damage.
Questions or concerns regarding this policy should be directed to the Executive Director.
Scope
This policy applies to all authorized users as defined in the Systems Access and Confidentiality of Library Records Policy.[1]
Email Accounts
The System offers free email accounts for ‘Authorized Users’ at System headquarters and member libraries. The accounts are intended to facilitate communication between the System, member libraries, and within the library profession.
Information on authorized users, account creation, deactivation, password requirements, and shared accounts is outlined in the Systems Access and Confidentiality of Library Records Policy.
The System does not provide email accounts for unauthorized users, including, but not limited to, member library Boards, individual Trustees, or treasurers.
Account Creation
Email accounts for member library staff must be requested by the library director or their designee using the Account Maintenance Request Form on OWWL Docs. An email account for a member library director must be requested by the library’s Board President or the System’s Executive Director.
After the creation of an email account, the user will be assigned an email training and has 30 days to watch and complete the training. If the training is not completed within 30 days, access to the email account will be revoked.
Account Deactivation
In addition to the account deactivation process outlined in the Systems Access and Confidentiality of Library Records Policy, directors may request to have a departing user’s email account forwarded to their account for up to three months if necessary for business continuity.
In limited circumstances, an incoming director may request temporary access to the contents of the previous director’s mailbox to ensure business continuity.
Account Maintenance
To maintain a clean email database, the System will distribute a list of email accounts to each member library director on at least an annual basis. Directors are responsible for notifying the System immediately if users on the list are no longer Authorized Users at the library.
Aliases
The System may assign email aliases to certain users, such as directors. Aliases allow users to send and receive email from additional addresses inside their primary email account. Aliases can be assigned to one person at a time.
In limited circumstances, new member library directors may request that the old director’s email address be set up as an alias to ensure business continuity. This arrangement will last no more than six months.
Email Distribution Lists
Group Membership
All email accounts are added to the OWWL Library System mailing list.
Specific Distribution Lists
Each library has a dedicated mailing list. All Authorized Users at each member library are required to have their email addresses added to their respective library’s mailing list. Director email accounts will be included in both the County Director List and the comprehensive Director List. Additionally, circulation accounts are added to the circulation mailing list.
Appropriate Use of Distribution Lists
Communications sent through System email distribution lists must:
- Be sent using an authorized OWWL Library System email address;
- Be relevant to the selected distribution list;
- Use respectful, professional, and courteous language; and
- Adhere to all privacy laws and System policies.
To prevent an influx of irrelevant emails, users are prohibited from using distribution lists inappropriately. Inappropriate use of the system’s email distribution lists includes, but is not limited to:
- Sending spam, promotional, or unsolicited messages unrelated to library or list functions;
- Sending circulation-related communication (such as missing book notices) to the OWWL Library System Mailing List instead of the circulation-specific distribution list;
- Sending non-work-related petitions or campaigns, personal messages, replies unrelated to the original content, or engaging in arguments;
- Forwarding spam or malicious content;
- Sending data that would violate the Systems Access and Confidentiality of Library Records Policy; or
- Sharing list addresses or information with outside groups.
Outside Groups
Email distribution lists are for internal use only. Outside groups must not access or send emails to email distribution lists maintained by the System for any reason.
Email Use
OWWL email accounts must only be used for library business and communications.
Users with an OWWL email address are prohibited from using email for any illegal or unethical purposes. Email communication should be professional, respectful, and free from discriminatory or harassing language. All email users must uphold System and local library policies.
Auto-forwarding to move email from the System managed email system to a non-System managed email system is prohibited.
Email Management
Users are responsible for managing the contents of their own email accounts and ensuring that they comply with this policy.
Retention
For storage consideration, users should avoid retaining large amounts of email for long periods of time.
Email is not an appropriate place to retain library records; these records should exist outside of the System email system, and copies of those records must be retained by the library which originated them. Emails that the holder determines are of lasting value should be printed on paper and filed, or saved as a PDF to their computer or other digital storage media. Users should follow their local library’s Records Retention policy as it applies to email communication.
In the course of conducting business, account holders may use email to communicate confidential information about patron accounts and library usage, including patron personally identifying information (PII). In the event of an email hack or breach, messages containing such information put the System and its member libraries at risk for litigation, as well as financial loss through legal and administrative fees and staffing costs related to dealing with such a breach.
To lessen this risk, some shared email accounts (circulation, reference, etc.) have a 35-day retention protocol. After 35 days, email messages will be automatically deleted. This automatic deletion protocol applies to emails within all folders on the account. Once the emails are deleted, they are moved to a temporary holding folder on the System email server. After an additional 30 days, the emails are permanently deleted.
Shared print email accounts have a one-day retention protocol. After one day, email messages will be automatically and permanently deleted. This automatic deletion protocol applies to emails within all folders on the account.
This retention protocol does not apply to shared email accounts that are forwarded to an individual’s primary account, shared email accounts that are set up as an alias, and director email accounts.
Disposal
Users who send or receive email messages that contain confidential or sensitive information, such as PII, are expected to delete such messages from all email folders, including Inbox, Sent, and Trash, as soon as the email is no longer necessary for carrying out library business.
Storage Quotas
Email storage quotas will be implemented on each account to ensure adequate space for all users.
Users should regularly review and delete any unnecessary emails to conserve storage space. Users may request additional storage space by opening a support ticket.
Security and Phishing
Phishing is a form of social engineering in which a cybercriminal masquerades as a legitimate person or entity to deceive individuals into revealing sensitive information, such as account passwords or financial details, or to install malicious software (“malware”).
Phishing may also be used to facilitate other fraudulent activities, such as payroll diversion scams (in which an attacker attempts to change an employee’s direct deposit information) or executive impersonation scams (in which an attacker poses as a director or Board member to request the purchase and transmission of gift card codes). These examples are representative but not exhaustive; phishing tactics continuously evolve.
Variants include:
- Spear phishing: A targeted phishing attack directed at specific individuals, roles, or organizations.
- Whaling: A targeted phishing attack directed at organization leadership or executives.
- Vishing: Phishing attacks conducted through voice calls.
- Smishing: Phishing attacks conducted through SMS or text messaging.
- Angler phishing: Phishing attacks conducted over social media platforms, such as fake customer support accounts that trick users into sharing credentials or downloading malware.
- Credential harvesting: A phishing attempt specifically intended to capture login credentials, such as email or banking passwords, typically using fake login pages or deceptive forms.
Phishing may also occur through other communication methods, including direct messages on social media platforms or video calling services such as Zoom.
User Responsibilities
All users of the System’s information systems must exercise caution with unsolicited emails, messages, or calls requesting sensitive information, such as passwords or financial data. Users must not disclose sensitive information via email or in response to unsolicited requests.
Users must not click on suspicious links or download attachments from unverified sources. Users should avoid replying to suspicious communications.
Users should report suspected phishing attempts immediately according to the procedure outlined below. Users must cooperate fully with any investigation or incident response following a report.
Users must not forward phishing emails to others, except when instructed to do so as part of the reporting process.
In addition, all users are encouraged to regularly complete cybersecurity awareness and phishing training. The System offers a live cybersecurity training session for member library employees at least annually, which is advertised in OWWL Post no less than one month in advance. Directors may request a dedicated session for their library staff by submitting a support ticket. Additionally, a variety of businesses and government organizations offer free cybersecurity training resources, including Amazon[2] and the UK’s National Cyber Security Centre[3].
Users may save, print, and distribute Appendix A: Phishing Quick Reference Guide as needed.
System Responsibilities
The System will maintain technical defenses, including spam filters and domain protection, to help prevent phishing attacks.
The System’s Computer and Network Services (CANS) department is responsible for investigating phishing reports. Confirmed phishing attempts will be documented, and appropriate technical and administrative measures will be taken to contain and remediate the threat. These measures may include, but are not limited to:
- Blocking the sending domain and IP address;
- Resetting email login credentials of any affected users;
- Updating web filters to block URLs linked to the phishing attempt; and
- Reporting any email addresses or domains used in the phishing campaign to the email client or domain registrar.
Where appropriate, such as in the case of a data breach, phishing threats will be escalated to the System’s Executive Director, legal counsel, regulatory authorities, or affected third parties.
The System will inform member library employees of new or particularly convincing phishing attempts via email. The System also maintains an OWWL Docs page with phishing definitions and screenshots of real examples. Users should periodically check this page to stay informed of common phishing attempts seen throughout the System.
Reporting Procedures
If a suspected phishing attempt is received:
- Do not respond, click on links, or open or download attachments.
- Immediately report the phishing attempt by opening a support ticket, either by forwarding the suspected phishing email or summarizing the phone call, video call, text, or message.
If a user suspects they have interacted with a phishing attempt, including clicking a link, downloading a file, or entering information:
- Immediately report the incident by opening a support ticket, either by forwarding the phishing email or summarizing the phone call, video call, text, or message.
Confidentiality
The System will make reasonable efforts to maintain the integrity of email systems, but users should not regard email as a secure medium for the communication of sensitive or confidential information, such as patron PII. Users should exercise caution about sending sensitive or confidential information via email, and should limit any such communications to those with a legitimate need to know.
Accessing Email Accounts
The System has the ability and reserves the right to access email accounts when there is a legitimate need, including but not limited to investigating a data breach, responding to support tickets related to issues with the account, or as required by law.
Violations
Violations of this policy may result in suspension or blocking of email privileges when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the System email system, or to protect the System and its member libraries from liability. Suspected violations will be reviewed by the System’s Executive Director and/or the Computer and Network Services Manager.
Last Updated by the OWWL Library System Board of Trustees on August 13, 2025
[1] https://owwl.org/system/systemsaccess
[2] https://learnsecurity.amazon.com/en/index.html
[3] https://www.ncsc.gov.uk/training/v4/Top+tips/Web+package/content/index.html#/