Email Monitoring Feature
Employee Email Monitoring Software: Protect Sensitive Data Without Invading Privacy
Employee email monitoring software is a business tool that tracks email usage patterns, attachment transfers, and recipient addresses on company email accounts to detect data leakage, policy violations, and unauthorized external communications — with legal disclosure requirements. eMonitor gives you the visibility to act before sensitive information leaves the building, without reading personal messages.
7-day free trial. No credit card required. Trusted by 1,000+ companies worldwide.
Why Do Businesses Monitor Corporate Email Activity?
Most organizations adopt email monitoring for one of four specific, defensible reasons — not broad surveillance. Each reflects a genuine legal obligation or documented financial risk.
Data Exfiltration Before Departure
The most common trigger for email monitoring programs is the "departing employee" threat vector. When an employee has accepted a competing offer, they have both motive and opportunity to forward client lists, pricing models, source code, or strategic documents to a personal account before their access is revoked. The IBM Cost of a Data Breach Report 2023 found that breaches initiated by a malicious insider were the costliest initial attack vector, averaging $4.9 million per breach. Email to a personal account is a frequent exfiltration channel in these incidents.
A realistic scenario: a sales director at a professional services firm accepts a role with a direct competitor. In their final two weeks, they forward client contact records, active proposal documents, and pricing schedules to a personal Gmail account — one external email at a time, in small batches to avoid detection. Without monitoring, this activity may not surface until the damage is done. With data loss prevention monitoring in place, the outbound volume anomaly triggers an alert the same day.
Regulatory Compliance Mandates
For regulated industries, email monitoring is not optional — it is a legal obligation with significant penalty exposure. Three frameworks are particularly prescriptive:
- FINRA Rule 3110 requires broker-dealers to supervise electronic communications — including email — for compliance with securities laws. Firms that fail to maintain adequate email supervision programs face enforcement actions; FINRA has levied fines exceeding $10 million against single firms for unsupervised electronic communications.
- HIPAA requires covered entities and business associates to implement technical safeguards that protect the privacy and security of protected health information (PHI) transmitted via email. Uncontrolled email represents one of the most common HIPAA violation patterns.
- SOX Section 802 requires preservation of business communications, including email, that may be relevant to financial audits. Destruction or non-retention of such records carries criminal penalties.
See our dedicated guide on HIPAA-compliant employee monitoring for healthcare-specific requirements.
Legal Discovery and Litigation Hold
When litigation is reasonably anticipated, organizations must preserve relevant electronic records — including email — under what lawyers call a "litigation hold." The ability to produce complete, unaltered email records can be the difference between a defensible position and adverse inference instructions from a judge. Organizations with email monitoring and logging infrastructure are significantly better positioned for e-discovery than those relying on individual employees to preserve their own inboxes.
Acceptable Use Policy Enforcement
Most organizations prohibit using business email for personal communication, competitor research, or transmitting confidential information to personal accounts. Without monitoring, these policies are unenforceable. Email usage pattern data — time spent in email clients, access to personal webmail via browser, unusual recipient domains — gives HR and IT the factual basis to enforce the acceptable use policies that every employee signed at onboarding. Pair this with a solid employee monitoring policy template to ensure your enforcement is legally grounded.
What Does eMonitor Track in Relation to Email?
Understanding the exact scope of monitoring is critical — for legal compliance, for employee trust, and for configuring the system to generate useful alerts rather than noise. Here is precisely what eMonitor captures.
Email Application Time and Usage
eMonitor tracks how much time employees spend in email client applications — Outlook, Gmail in the browser, Apple Mail, Thunderbird — as part of its application and website tracking. This data reveals whether email is consuming a disproportionate share of the workday (a common productivity drain) and whether email activity spikes before or after normal business hours.
Personal Webmail Access During Work Hours
When employees access personal Gmail, Yahoo Mail, Hotmail, or other personal email services through a work browser during work hours, that URL activity is logged. This matters in insider threat scenarios, where personal webmail is a common channel for forwarding confidential data because it bypasses the corporate mail server and its archive. The log captures the domain, time, and duration, not message content.
Outbound External Transfer Volume
eMonitor's DLP module tracks upload activity and external data transfers. When an employee's outbound external transfer volume spikes — sending many more files to external domains than is typical for their role — the system flags the anomaly. A financial analyst who normally exports two PDFs per day exporting 30 files to an external domain in a single afternoon is a pattern that warrants investigation.
File Movement and Attachment Activity
File creation, modification, copy, and deletion events are logged with file paths and timestamps. When large numbers of files are accessed in rapid succession and coincide with elevated webmail activity, the correlation creates a clear investigative record. This file-level data is the corroborating evidence that turns a suspicious pattern into an actionable case.
USB and Peripheral Data Transfer
Data exfiltration often uses email as a first step and USB as a secondary channel. eMonitor monitors USB insertion events in real time, blocking unauthorized external devices and logging all transfer attempts. The combination of email pattern monitoring and USB monitoring gives a complete picture of outbound data movement.
Upload and Download Violation Alerts
Configurable upload and download monitoring rules can flag transfers to specific external domains, file types (executable files, compressed archives, database exports), or unusual transfer sizes. Alerts include the domain, timestamp, and file details — creating an audit-ready log for compliance and legal review.
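The two checks described above (fixed upload rules keyed on destination domain, file type and size, and a volume threshold relative to each user's own baseline) are shown together in the following Python script. It is an added example written for this page, not eMonitor's code or its rule syntax: the event fields, the corporate and personal-webmail domain lists, the risky-extension list, the 25 MiB ceiling, the five-day minimum history and the median-plus-3-MAD spike rule are all assumptions, and the transfer log it runs over is constructed to mirror the financial-analyst scenario above.

```python
"""Upload-monitoring rules plus a per-user volume baseline.

Added example, not eMonitor's code. It demonstrates the two checks the page
describes for outbound transfers: fixed rules (personal webmail destination,
risky file type, oversized transfer) and a baseline-relative volume check
that flags a day whose external transfer count is far above the user's own
history. Field names, domain lists and thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Assumed policy configuration (a deployment would load these from its rule set).
CORPORATE_DOMAINS = {"example-corp.com"}
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
RISKY_EXTENSIONS = {".exe", ".zip", ".7z", ".sql", ".bak"}
MAX_BYTES = 25 * 1024 * 1024   # single-transfer size ceiling, 25 MiB
BASELINE_DAYS = 5              # days of history required before scoring a day
SPIKE_FACTOR = 3.0             # flag a day when count > median + factor * MAD


@dataclass(frozen=True)
class Transfer:
    """One logged upload: who sent what, where, when, and how big."""
    user: str
    when: datetime
    dest_domain: str
    filename: str
    size: int

    def is_external(self) -> bool:
        return self.dest_domain.lower() not in CORPORATE_DOMAINS


def rule_flags(t: Transfer) -> list[str]:
    """Static rule checks on a single transfer; returns the matched rule names."""
    flags = []
    if t.dest_domain.lower() in PERSONAL_WEBMAIL:
        flags.append("personal_webmail_destination")
    ext = "." + t.filename.rsplit(".", 1)[-1].lower() if "." in t.filename else ""
    if ext in RISKY_EXTENSIONS:
        flags.append("risky_file_type:" + ext)
    if t.size > MAX_BYTES:
        flags.append("oversized_transfer")
    return flags


def daily_external_counts(transfers: list[Transfer]) -> dict[str, dict]:
    """Map user -> {calendar day: number of transfers to non-corporate domains}.
    Days with no external transfers are simply absent from the inner map."""
    counts: dict[str, dict] = defaultdict(lambda: defaultdict(int))
    for t in transfers:
        if t.is_external():
            counts[t.user][t.when.date()] += 1
    return counts


def volume_anomalies(transfers: list[Transfer]) -> list[tuple]:
    """Return (user, day, count, baseline_median) for each day whose external
    transfer count is an outlier against that user's earlier active days.
    Median and MAD are used instead of mean and standard deviation so one past
    spike does not inflate the baseline; the MAD floor of 1 keeps a perfectly
    regular history (MAD = 0) from flagging a single extra file."""
    anomalies = []
    for user, per_day in daily_external_counts(transfers).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < BASELINE_DAYS:
                continue  # too little history to make a statistical claim
            med = median(history)
            mad = median(abs(h - med) for h in history) or 1.0
            if per_day[day] > med + SPIKE_FACTOR * mad:
                anomalies.append((user, day, per_day[day], med))
    return anomalies


def sample_transfers() -> list[Transfer]:
    """Constructed sample: an analyst sends two PDFs a day to a client domain for
    ten working days, then pushes 30 files to a personal Gmail account in one
    afternoon, the last of them an oversized zip archive."""
    start = datetime(2024, 3, 4, 9, 0)
    events = []
    for d in range(10):
        day = start + timedelta(days=d)
        for n in range(2):
            events.append(Transfer("analyst", day + timedelta(hours=n),
                                   "client-bank.example", f"report_{d}_{n}.pdf", 400_000))
    spike = start + timedelta(days=10, hours=5)
    for n in range(29):
        events.append(Transfer("analyst", spike + timedelta(minutes=n),
                               "gmail.com", f"pricing_{n}.xlsx", 900_000))
    events.append(Transfer("analyst", spike + timedelta(minutes=30),
                           "gmail.com", "client_list.zip", 30 * 1024 * 1024))
    return events


if __name__ == "__main__":
    events = sample_transfers()
    hits = [(t.when, t.dest_domain, t.filename, rule_flags(t)) for t in events if rule_flags(t)]
    print(f"{len(hits)} transfers matched a static rule; last one: {hits[-1]}")
    for user, day, count, base in volume_anomalies(events):
        print(f"ANOMALY {user} {day}: {count} external transfers vs baseline median {base}")
```

Running it flags all 30 transfers to gmail.com under the static rules and raises exactly one volume anomaly, for the spike day, against a baseline median of two. The two checks fail in different ways and are kept separate on purpose: a static rule fires on the first file to a personal domain, while the baseline check stays silent until enough history exists and then catches volume spikes to destinations no rule lists. Note that the baseline is built only from earlier days, so a user whose first external transfer is the exfiltration itself is caught by the rules, not by the baseline.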
What eMonitor Does Not Do — and Why That Matters
Transparency about the limits of monitoring is as important as describing the capabilities. The following boundaries are not just legal requirements — they are design decisions that make eMonitor a tool employees accept rather than resent.
No Default Email Content Reading
eMonitor does not read, capture, or index the content of email messages by default. The platform monitors usage patterns, behavioral signals, and data transfer activity — not what employees write in their messages. This distinction matters enormously under GDPR's proportionality principle (monitoring must be no more intrusive than necessary) and under common-law privacy expectations in the US, Canada, and the UK.
If your organization operates in a sector where content monitoring is legally required — FINRA-regulated broker-dealers, for example — content scanning requires explicit compliance configuration with documented legal basis, disclosed to employees in writing. This is not a default state.
No Monitoring of Personal Devices
eMonitor operates on company-owned devices only. Personal email accessed on an employee's personal phone, personal laptop, or personal tablet is completely outside the monitoring scope. For BYOD environments, monitoring applies only to work-profile activity during declared work hours. See our BYOD monitoring policy guide for how to structure a legally sound BYOD program.
No Off-Hours Monitoring
Monitoring begins when an employee clocks in through the desktop agent and ends when they clock out. Activity outside declared work hours is not tracked. One consequence worth understanding before you configure alerts: the "after-hours" signals discussed elsewhere on this page are visible only when an employee is clocked in at unusual times; a clocked-out device generates no data. This work-hours-only design is a defensible approach under the proportionality requirements of the EU and UK GDPR and Canadian PIPEDA.
Employee Visibility Into Their Own Data
Every employee has access to their own activity dashboard — the same data their manager sees. They can review their email application usage, activity patterns, and any alerts their activity triggered. This transparency is not just an ethical choice: research consistently shows that employees who understand and can see their monitoring data report significantly higher trust in the monitoring program than those who cannot.
The Legal Framework for Corporate Email Monitoring
Email monitoring is legal in most jurisdictions when conducted on company systems with proper notice. The specific requirements vary significantly by geography, and organizations operating internationally need to understand the applicable rules for each employee population.
United States: ECPA and State Laws
The Electronic Communications Privacy Act (ECPA) permits employer monitoring of electronic communications on company-provided equipment and networks under its consent and ordinary-course-of-business exceptions; under federal law, the consent of one party to the communication is sufficient. In practice, a written acceptable use policy acknowledged by employees at onboarding creates the consent basis for monitoring business email on company systems. Several states add requirements on top of ECPA. Connecticut, Delaware, and New York have statutes that require employers to give written or posted notice of electronic monitoring before it begins. California has no monitoring-specific notice statute, but the California Consumer Privacy Act (as amended by the CPRA) requires a notice at collection that covers employee data, and the state's all-party consent rule for intercepting confidential communications applies. Review the legality of employee monitoring practices in detail for US-specific requirements.
European Union: GDPR Requirements
Under the General Data Protection Regulation, employee email monitoring must satisfy three requirements simultaneously:
- Lawful basis: Most organizations rely on legitimate interest under Article 6(1)(f) — protecting company data and meeting compliance obligations. This requires a Legitimate Interests Assessment (LIA) demonstrating the monitoring is proportionate to the privacy impact.
- Proportionality: Monitoring must be no more intrusive than necessary. Behavioral pattern monitoring (usage time, external volume, anomaly detection) is inherently more proportionate than full content scanning. A DPIA (Data Protection Impact Assessment) is recommended for systematic monitoring programs.
- Transparency: Employees must be informed in advance — typically through a privacy notice or employment contract addendum — that business communications may be monitored, what is monitored, for what purpose, and how long data is retained.
Our detailed guide on GDPR employee monitoring compliance covers the full framework, including the LIA template and recommended DPIA structure.
United Kingdom: RIPA and Employment Practices Code
UK organizations operate under the UK GDPR and the Data Protection Act 2018 (the retained post-Brexit form of GDPR), alongside the Lawful Business Practice Regulations made under the Regulation of Investigatory Powers Act (RIPA), which permit businesses to monitor communications on their own systems for specified purposes, and the Information Commissioner's Office (ICO) guidance for employers (the Employment Practices Code and its 2023 successor guidance on monitoring workers). The core requirement mirrors GDPR: employees must be told that their communications may be monitored, and monitoring must be proportionate. The ICO recommends that employers distinguish between monitoring for performance purposes and monitoring for security or compliance purposes, with different disclosure obligations for each.
Canada: PIPEDA and Provincial Privacy Laws
The Personal Information Protection and Electronic Documents Act (PIPEDA) requires that employees be informed about the purposes for which personal information (including monitoring data) is collected, used, and disclosed. Quebec's Law 25 (effective since 2023) has introduced some of the strictest employee privacy requirements in North America, requiring a privacy impact assessment for any new technology that processes personal information. British Columbia's PIPA has similar notice requirements. Canadian organizations with a multi-province workforce should ensure their monitoring policies address each applicable provincial framework.
Email Monitoring for Regulatory Compliance: Industry-Specific Requirements
Four regulatory frameworks impose specific email oversight obligations on US organizations. Each has different technical requirements, retention periods, and enforcement mechanisms.
Financial Services: FINRA Rule 3110 and SEC 17a-4
FINRA Rule 3110 requires broker-dealers to establish a supervisory system that includes review of electronic communications — including email — for compliance with applicable securities laws. The rule requires that a qualified registered principal review a sample of correspondence with customers. SEC Rule 17a-4 requires preservation of business communications for three to six years depending on the record type.
Practically, this means financial firms need both monitoring (to detect and flag policy violations in real time) and archiving (to preserve complete records for examination). eMonitor handles the monitoring side — behavioral anomaly detection, external recipient volume, personal webmail access — while integrating with email archiving solutions for the retention requirement. The combination satisfies the supervisory obligation more completely than either tool alone.
A regional broker-dealer with 45 registered representatives, for example, can use eMonitor to flag any representative whose outbound email volume to non-firm domains spikes above a configured threshold, while the archiving layer preserves the full text of all business communications for examination purposes.
Healthcare: HIPAA Email Controls
HIPAA's Security Rule requires covered entities to implement technical security measures that guard against unauthorized access to electronic PHI transmitted over electronic communications networks. The Privacy Rule restricts disclosure of PHI to authorized recipients. Email represents one of the highest-risk transmission vectors for PHI — a single misdirected email can constitute a reportable breach.
eMonitor's email monitoring capabilities support HIPAA compliance in two ways: detecting patterns consistent with PHI exfiltration (large attachment transfers to external personal email accounts, unusual after-hours email activity) and providing audit records for breach investigation. The HIPAA-compliant monitoring guide covers the full technical safeguard requirements.
Public Companies: SOX Section 802
The Sarbanes-Oxley Act's Section 802 makes it a criminal offense to destroy, alter, or conceal records with intent to impede a federal investigation. Business email communications that may be relevant to financial reporting or audits must be preserved. Organizations with SOX obligations need email oversight that detects deliberate deletion of relevant communications and ensures retention policies are enforced.
While eMonitor is not an email archiving platform, its file monitoring capabilities detect mass deletion events — a common precursor to deliberate record destruction — and alert compliance teams in real time. Combined with eMonitor's insider threat detection capabilities, this provides a first line of defense against deliberate record tampering.
Government Contractors: CMMC and ITAR
Defense contractors subject to the Cybersecurity Maturity Model Certification (CMMC) must implement controls over the transmission of Controlled Unclassified Information (CUI), including via email. International Traffic in Arms Regulations (ITAR) restricts the transmission of technical data to foreign persons, including via email. Unauthorized disclosure of export-controlled technical data via email — even inadvertently — can result in civil fines and criminal prosecution.
Email activity monitoring that detects unusual external recipient domains, personal email access, and high-volume outbound transfers is a practical first-layer control for government contractors who cannot implement full content inspection on every communication but need to detect behavioral anomalies that suggest unauthorized disclosure risk.
Which Industries Rely Most on Business Email Monitoring?
While any organization with confidential data or compliance obligations can benefit from email activity monitoring, six industries have particularly concentrated need.
Financial Services
Banks, broker-dealers, investment advisers, and insurance companies handle client financial data, proprietary trading strategies, and regulated communications at scale. The combination of regulatory mandate (FINRA, SEC, state financial regulators), high-value proprietary data (trading models, client portfolios, M&A information), and high employee turnover to competitors makes email oversight a strategic priority. Our financial services monitoring guide covers the full landscape.
Healthcare and Medical
Hospitals, medical practices, health insurance companies, and healthcare IT vendors are HIPAA-covered entities or business associates with specific obligations around PHI. A nurse forwarding patient records to a personal account, a billing clerk emailing spreadsheets with member IDs to an external consultant without a business associate agreement, or a provider emailing unencrypted lab results to a patient's wrong email address — all represent reportable HIPAA breaches. Email pattern monitoring is part of the technical safeguard infrastructure that demonstrates due diligence.
Legal Firms
Law firms handle attorney-client privileged communications, confidential settlement terms, and litigation strategy — data that is extraordinarily sensitive to competitors and opposing parties. Attorney-client privilege requires strict access control and makes any unauthorized disclosure catastrophic. Email monitoring for law firms focuses on unauthorized external sharing and detecting the behavioral patterns of departing attorneys who may take client relationships with them. Our law firm monitoring guide addresses the specific confidentiality considerations.
Government Contractors and Defense
As described above, CUI and ITAR-controlled data require controls over email transmission to unauthorized recipients, particularly foreign nationals. Contractors with CMMC Level 2 and Level 3 obligations need to demonstrate systematic monitoring of data transmission pathways, including email.
Technology and Software Companies
For technology companies, source code, product roadmaps, patent-pending innovations, and client data represent the primary value of the business. The departure of a senior engineer with access to core intellectual property — and the temptation to forward relevant code to a new employer — is a documented threat. Email and file monitoring are the primary technical controls between a company's intellectual property and its competitors.
Insurance
Insurance companies handle large volumes of personal information (health, financial, property data) and are subject to state insurance privacy regulations as well as federal rules (GLB Act). Unauthorized disclosure of policyholder data via misdirected or deliberately forwarded email is both a regulatory violation and a reputational risk. Email activity monitoring provides the audit trail that demonstrates regulatory due diligence.
Behavioral Monitoring vs. Email Content Scanning: Which Approach Is Right?
There are two fundamentally different approaches to email oversight in the workforce monitoring market. Understanding the distinction helps organizations choose the right tool for their risk profile and legal obligations.
| Dimension | Content Scanning (DLP) | Behavioral Monitoring (eMonitor) |
|---|---|---|
| What it monitors | Full email body text, attachments, keywords | Usage patterns, volume, recipients, file transfer activity |
| GDPR proportionality | Higher privacy impact — content is read | Lower privacy impact — behavioral signals only |
| Employee trust impact | Significant — employees know messages are read | Minimal — usage patterns, not content |
| False positive rate | High — keyword matching triggers on benign content | Lower — anomaly detection on behavioral baselines |
| Deployment complexity | High — requires MX record changes, email gateway config | Low — desktop agent, 2-minute setup |
| Best for | FINRA, SEC email supervision in regulated financial services | Most organizations: data loss prevention, acceptable use, insider threat detection |
| Legal basis required | Higher bar — employer must document specific compliance need | Standard legitimate interest basis with employee notice |
| Cost | Enterprise pricing, significant IT overhead | Included in eMonitor from $3.50/user/month |
For most organizations, those not operating under a specific statutory requirement to read email content, behavioral monitoring provides the detection capability needed (exfiltration patterns, acceptable use violations, personal webmail abuse) with lower legal risk and better employee relations outcomes than full content scanning. Behavioral baselines have their own false-positive sources, however: a role change, quarter-end reporting, or a legitimate bulk handoff of client files will all look like a volume spike. Set thresholds per role rather than company-wide, and have a human review every alert before it reaches HR.
Financial services firms subject to FINRA supervision requirements will need a dedicated email archiving and content review platform alongside eMonitor's behavioral monitoring capabilities. The two approaches are complementary rather than competitive for regulated financial firms.
How to Set Up Email Activity Monitoring With eMonitor
Implementing email activity monitoring is straightforward technically. The more consequential steps are the policy and communication decisions that determine whether employees view the program as fair and transparent.
Step 1: Draft or Update Your Acceptable Use Policy
Before deploying any monitoring capability, ensure your written policy covers business email usage, personal webmail access during work hours, and the specific monitoring activities you intend to conduct. The policy should describe: what is monitored, why, how long data is retained, who can access it, and what constitutes a violation. Use the employee monitoring policy template as a starting point and have legal counsel review it for the applicable jurisdiction(s).
Step 2: Conduct the Required Legal Disclosure
Depending on your jurisdiction:
- US: Update the employee handbook and have employees acknowledge the monitoring policy. Consult state-specific requirements for California, Connecticut, New York, and Delaware.
- EU: Issue a privacy notice (or update the existing one) describing the monitoring activities and their legal basis. If conducting a DPIA, complete it before deployment.
- UK: Update the employee privacy notice per ICO Employment Practices Code guidance.
- Canada: Inform employees of the purposes for which monitoring data will be used before collection begins.
Step 3: Deploy the eMonitor Desktop Agent
The eMonitor desktop agent deploys to Windows, macOS, Linux, and Chromebook endpoints in under two minutes. No email gateway changes are required. No MX record modifications. The agent monitors application activity and web usage from the endpoint, so email clients and browser-based webmail are captured without touching your email infrastructure.
Step 4: Configure Application and URL Categories
In the eMonitor dashboard, categorize email client applications (Outlook, Apple Mail, Thunderbird) and personal webmail domains (gmail.com, yahoo.com, hotmail.com, outlook.com used as personal accounts) in the appropriate usage categories. This enables time-spent analytics for email and flags personal webmail access during work hours.
Step 5: Set DLP Alerts for External Transfer Anomalies
Configure upload and download monitoring rules to alert when outbound transfer volume to external domains exceeds a defined threshold relative to each employee's or role's baseline. Set USB monitoring to alert or block on unauthorized device insertion. These DLP controls are the primary technical layer for detecting exfiltration attempts. See eMonitor's full data loss prevention monitoring capabilities for detailed configuration guidance.
Step 6: Establish an Incident Response Process
Define who reviews alerts (IT security, HR, legal), what the escalation path looks like, and what actions are permissible in response to a confirmed exfiltration attempt (immediate device audit, legal hold, account suspension). Monitoring data is only valuable if there is a clear process for acting on what it reveals.
Email Monitoring as a Component of Insider Threat Detection
Insider threats related to data exfiltration rarely consist of a single suspicious action. They manifest as a pattern of correlated behaviors that, taken together, constitute a recognizable risk signature. Email activity is one signal in that pattern, and it becomes far more meaningful when correlated with other behavioral data.
A typical insider threat pattern — documented across multiple published breach investigations — looks like this:
- Increased after-hours login activity (unusual time patterns in the activity log)
- Elevated access to file directories outside the employee's normal work scope (file monitoring alerts)
- Personal webmail access during work hours, with elevated browser session duration (URL monitoring)
- Outbound external transfer volume spike (DLP upload monitoring)
- USB insertion event, possibly with file transfer activity (USB monitoring)
- Reduced productivity score and disengagement signals in the days preceding departure (activity monitoring)
No single one of these signals is definitive. Together, they constitute a pattern that warrants investigation. eMonitor captures all six signal types in a single platform, enabling security and HR teams to correlate the behavioral picture without juggling multiple tools. Read the complete guide on insider threat detection and prevention for the full framework.
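The correlation logic described above can be made concrete. The following Python script is an added example written for this page, not eMonitor's code or its scoring model: it assumes the six signal types listed above as plain strings, assigns each an illustrative weight, uses a seven-day trailing window, and opens a case only when at least three distinct signal types co-occur with a combined weight of five or more. The signal log it runs over is constructed, with one user who matches the departing-employee pattern and two who trip a single detector but not the correlation.

```python
"""Correlating independent behavioral signals into one insider-risk case.

Added example, not eMonitor's code. It encodes the page's point that no single
signal is definitive: each signal type counts once per trailing window, and a
case opens only when several distinct types co-occur with enough combined
weight. Signal names, weights, window length and thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed weights, one per signal type listed on the page. A repeated signal of
# the same type inside the window adds nothing, so one noisy detector cannot
# escalate a user on its own.
SIGNAL_WEIGHTS = {
    "after_hours_login": 1,
    "out_of_scope_file_access": 2,
    "personal_webmail": 1,
    "external_transfer_spike": 3,
    "usb_insert": 2,
    "productivity_drop": 1,
}
WINDOW = timedelta(days=7)   # trailing correlation window
MIN_TYPES = 3                # distinct signal types required ...
MIN_SCORE = 5                # ... and minimum combined weight


@dataclass(frozen=True)
class Signal:
    user: str
    when: datetime
    kind: str
    detail: str


def score_window(signals: list[Signal]) -> tuple[int, frozenset[str]]:
    """Combined weight of the distinct signal types present in a window."""
    kinds = frozenset(s.kind for s in signals)
    unknown = kinds - set(SIGNAL_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown signal type(s): {sorted(unknown)}")
    return sum(SIGNAL_WEIGHTS[k] for k in kinds), kinds


def correlate(signals: list[Signal]) -> dict[str, tuple[int, frozenset[str], datetime]]:
    """Return {user: (score, kinds, time_of_escalation)} for each user whose
    trailing WINDOW of signals first crosses both thresholds. The window ending
    at each signal is evaluated in time order, so the case opens at the
    earliest moment the evidence is sufficient rather than after the fact."""
    by_user: dict[str, list[Signal]] = defaultdict(list)
    for s in sorted(signals, key=lambda s: s.when):
        by_user[s.user].append(s)
    cases = {}
    for user, events in by_user.items():
        for i, end in enumerate(events):
            window = [s for s in events[: i + 1] if s.when > end.when - WINDOW]
            score, kinds = score_window(window)
            if len(kinds) >= MIN_TYPES and score >= MIN_SCORE:
                cases[user] = (score, kinds, end.when)
                break
    return cases


def sample_signals() -> list[Signal]:
    """Constructed sample covering three users:
    user_a shows the page's departing-employee pattern over five evenings;
    user_b only visits personal webmail, repeatedly;
    user_c has two strong signals, but three weeks apart."""
    t0 = datetime(2024, 3, 4, 22, 0)
    d = timedelta(days=1)
    return [
        Signal("user_a", t0, "after_hours_login", "VPN login at 22:00"),
        Signal("user_a", t0 + d, "out_of_scope_file_access", "finance share, pricing folder"),
        Signal("user_a", t0 + 2 * d, "personal_webmail", "mail.google.com, 41 min"),
        Signal("user_a", t0 + 3 * d, "external_transfer_spike", "30 files to gmail.com"),
        Signal("user_a", t0 + 4 * d, "usb_insert", "unregistered mass storage"),
        Signal("user_b", t0, "personal_webmail", "mail.yahoo.com, 5 min"),
        Signal("user_b", t0 + d, "personal_webmail", "mail.yahoo.com, 7 min"),
        Signal("user_b", t0 + 2 * d, "personal_webmail", "mail.yahoo.com, 6 min"),
        Signal("user_c", t0, "external_transfer_spike", "quarter-end client deliverables"),
        Signal("user_c", t0 + 21 * d, "usb_insert", "registered backup drive"),
    ]


if __name__ == "__main__":
    for user, (score, kinds, when) in correlate(sample_signals()).items():
        print(f"CASE {user} at {when}: score {score}, signals {sorted(kinds)}")
```

Only user_a produces a case, and it opens on the fourth evening, when the external transfer spike joins three earlier, individually weak signals; user_b never escalates despite three personal-webmail hits because repeats of one type do not accumulate, and user_c's two strong signals never share a window. Whatever weights you choose, keep the distinct-type requirement: it is what turns "one detector fired" into "several independent behaviors converged", which is the investigative threshold this page argues for.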
According to the 2023 Ponemon Institute Cost of Insider Threats report, organizations that contained insider incidents within 30 days incurred average annualized costs of $11.2 million, compared to $17.4 million for those that took more than 90 days; these are yearly totals per organization, not per-incident figures. Time to containment is driven largely by time to detection, so the relationship between early detection and cost is stark. Behavioral monitoring that generates actionable signals while the activity is under way, rather than requiring forensic reconstruction after the fact, is one of the most effective levers for reducing insider threat cost.
Employee Email Monitoring: Frequently Asked Questions
What is employee email monitoring software?
Employee email monitoring software is a business tool that tracks email usage patterns, attachment transfers, and recipient addresses on company email accounts to detect data leakage, policy violations, and unauthorized external communications — with legal disclosure requirements. It monitors behavioral signals around email use rather than reading private message content by default.
Is it legal to monitor employee emails?
Yes, in most jurisdictions, monitoring business email on company-owned systems is legal provided employees are informed in advance. In the US, the Electronic Communications Privacy Act (ECPA) permits employer monitoring of business communications on company equipment, and several states add written-notice requirements. In the EU, GDPR requires proportionality, a documented lawful basis, and advance notice. Canada's PIPEDA and the UK GDPR impose similar notice requirements. Consult legal counsel to confirm the specific obligations for your employee locations.
Does eMonitor read the content of employee emails?
No. eMonitor tracks email application usage, time spent in email clients, outbound email volume and external transfer activity, access to personal webmail during work hours, and file movement correlated with email activity. It does not read, capture, or index message body content by default. Content scanning for compliance purposes (e.g., FINRA-required supervision) requires explicit compliance configuration and documented legal basis.
Can eMonitor detect when an employee is emailing company files to a personal account?
Yes. eMonitor's DLP module tracks upload activity, external transfer patterns, and file movement events. When an employee accesses personal webmail and coinciding file transfer activity is logged, the system captures the domain, timestamp, and file path details — creating an auditable record for investigation. Outbound volume anomalies (volume spikes relative to baseline) trigger configurable alerts.
What industries require email monitoring for compliance?
Financial services (FINRA Rule 3110 requires broker-dealers to supervise electronic communications), healthcare (HIPAA requires controls over PHI in email), publicly traded companies (SOX requires preservation of business communications), and government contractors (CMMC and ITAR require controls over controlled unclassified information and export-controlled technical data) all have specific email oversight obligations with significant penalty exposure for non-compliance.
How does GDPR affect employee email monitoring in the EU?
Under GDPR, employee email monitoring must have a lawful basis (typically legitimate interest under Article 6(1)(f)), be proportionate to the stated purpose, and employees must be informed in advance. A DPIA is recommended for systematic monitoring. Behavioral pattern monitoring is inherently more proportionate under GDPR than full content scanning. See the full GDPR employee monitoring compliance guide for the LIA and DPIA frameworks.
What is the difference between email monitoring and email archiving?
Email archiving captures and stores the full content of email messages for discovery and compliance retention (FINRA, SEC, SOX). Email monitoring tracks behavioral patterns — volume, recipients, time spent, attachment activity — to detect anomalies and policy violations in real time. Most regulated organizations need both: archiving for legal hold and monitoring for real-time risk detection. eMonitor handles the monitoring layer; dedicated archiving platforms handle retention.
Can employees see their own email monitoring data?
Yes. eMonitor includes employee-facing dashboards showing each person their own activity data, including time spent in email and other applications. This transparency is a core design principle — employees who understand and can see their monitoring data report significantly higher trust in the monitoring program. Transparency reduces resistance and supports a culture of accountability rather than suspicion.
Does eMonitor monitor personal email on personal devices?
No. eMonitor only monitors activity on company-owned devices during work hours after clock-in. Personal email accessed on personal devices is completely outside the monitoring scope. For BYOD environments, only the work-profile portion of a managed device can be monitored during declared work hours. See the BYOD monitoring policy guide for structuring compliant BYOD programs.
How should employers communicate an email monitoring policy to employees?
Employers should issue a written acceptable use policy covering company email, describing what is monitored (usage patterns, external recipients, attachment activity), the business purpose, and consequences of violations. This should be acknowledged in writing at onboarding and referenced in the employment contract. The employee monitoring policy template provides a legally-reviewed starting point covering all major jurisdictions.
What is the risk of not monitoring corporate email?
The IBM Cost of a Data Breach Report 2023 found breaches initiated by a malicious insider average $4.9 million per breach, the costliest initial attack vector in that report. FINRA fines for unsupervised electronic communications have exceeded $10 million for single firms. The Ponemon Institute found organizations that contained insider incidents within 30 days incurred $11.2 million in average annualized costs versus $17.4 million for those taking more than 90 days. Unmonitored corporate email is among the highest-probability vectors for both accidental and deliberate data exposure.
How quickly can eMonitor detect a data exfiltration attempt via email?
eMonitor logs external transfer activity and outbound volume anomalies in real time. When an employee's activity deviates significantly from their behavioral baseline — for example, accessing personal webmail for the first time in months, combined with elevated file access and outbound transfer activity — the system flags the pattern immediately. Configurable alerts notify security or HR teams within minutes of the anomalous pattern occurring.
What does eMonitor monitor specifically in relation to email?
eMonitor tracks: time spent in email client applications (Outlook, Gmail, Thunderbird, Apple Mail), access to personal webmail services via browser during work hours, outbound external transfer volume and recipient domain anomalies via DLP upload monitoring, file movement events correlated with email activity, and USB device insertion events. It does not capture, index, or store email message body content. All monitoring is scoped to company devices during declared work hours only.
Related Features and Resources
App & Website Tracking
Track which applications and websites employees use during work hours — the foundation of email usage analytics.
Data Loss Prevention Monitoring
USB monitoring, file transfer alerts, and upload violation detection — the technical controls that back email oversight.
Insider Threat Detection
Correlate email, file, and activity signals into a complete behavioral risk picture for departing or disengaged employees.
GDPR Compliance Guide
Legitimate interest assessment, DPIA framework, and employee notice requirements for EU monitoring programs.
HIPAA Monitoring Compliance
Technical safeguard requirements for healthcare organizations monitoring PHI-handling employees.
Policy Template
Ready-to-use employee monitoring policy template covering US, EU, UK, and Canadian disclosure requirements.
Sources
- IBM Security. Cost of a Data Breach Report 2023. IBM Corporation, 2023. Average cost of breaches initiated by a malicious insider: $4.9 million.
- Ponemon Institute. 2023 Cost of Insider Threats: Global Report. Proofpoint, 2023. Annualized cost by time to contain: $11.2M (under 30 days) vs. $17.4M (over 90 days).
- FINRA. Regulatory Notices and Enforcement Actions: Electronic Communications Supervision. Financial Industry Regulatory Authority, multiple years. Fines for unsupervised electronic communications.
- U.S. Department of Health and Human Services. HIPAA Security Rule: Technical Safeguards (45 CFR § 164.312). HHS, current edition.
- European Data Protection Board. Guidelines 05/2020 on consent under Regulation 2016/679. EDPB, 2020. Explains why employee consent is rarely a valid lawful basis given the imbalance of power in the employment relationship, which is why monitoring programs rely on legitimate interest instead.
- Information Commissioner's Office. Employment Practices Code. ICO, UK, current edition.
- FINRA. Rule 3110 — Supervision. Financial Industry Regulatory Authority, current edition.
- Office of the Privacy Commissioner of Canada. PIPEDA Fair Information Principles. OPC, current edition.