Data loss prevention (DLP) is technology designed to help protect sensitive information from being accessed or viewed by individuals or entities. Faculty, staff and students across the UM System come in contact with data that must comply with PCI, HIPAA and FERPA standards to ensure it is kept as secure as possible. Examples of these data include:
- Social Security Numbers
- Protected Health Information (PHI)
- Credit Card/Banking Information
- Other Personally Identifiable Information
This type of information should not be sent via email unless absolutely necessary. Additionally, per University policy email transmission of highly restrictive DCL4 data to an external email accounts is strictly prohibited except through encrypted means. Users have a responsibility to ensure they are transmitting data in an appropriate manner but to protect this type of information we are implementing DLP technology. With this new technology, when emails are sent to an external source our email security controls will check content for potentially sensitive data. If the system detects sensitive information, it will automatically encrypt the message before sending. The original sender will receive a Microsoft notification telling them the message was encrypted.
Frequently Asked Questions
How can I encrypt my emails?
Windows:
Mac:
Outlook for Mac may have two different versions an older version and a newer version.
Older Version:
When composing a new email, select "Options" at the top left. Select "Encrypt" to keep your information secure.
Newer Version:
The newer version appears to not have the "Encrypt" button by default so it will need to be added. When composing a new email select the ellipsis ("...") and then "Customize Toolbar". Several options will appear. To add the "Encryption" button, you will drag and drop the word "Encryption" to the toolbar at the top. When you go back to the email composition you will see "Encryption" at the top now. Select which encryption you would like. The recommended encryption options are "Encrypt-Only" and "Do Not Forward".
If I send an email with [secure] in the subject line, will it still get sent encrypted?
Yes it will still be sent encrypted but this is not the preferred method. The preferred method is via the encrypt button.
Will DLP notify me that my message contains sensitive information before I send an email?
In most cases, yes. When typing an external email that the system identifies as containing sensitive data, you will see a message pop-up in the top of your email window. This warning message reads "Policy Tip: This message contains sensitive information. This will be encrypted.” This tip provides warning that your recipient will receive an encrypted message. Use this visual cue to review your decision to communicate this type of information via email.
How will I know if a message I sent was encrypted?
If you send an email with protected data in it, the system will notify you via email that your original email message was encrypted. This notification email will state why the message was encrypted and what sensitive information was identified. The notification will also ask you to delete any existing copies of the email that are not encrypted, such as any copies that were sent to internal recipients which would be located in your sent items folder. After deleting it, be sure to delete the email from “Deleted Items” folder as well.
The information I sent was not sensitive. Why did I receive a notification email?
If you receive a notification email, check to see what the system flagged as sensitive information. For example, if the system believes there is a Social Security Number mentioned in the email, it will include: “Message contains the following sensitive information: U.S. Social Security Number (SSN)” in the detected issues portion of the email.
If there is no sensitive information contained in the content of your message, please reach out to umsystemsecurity@umsystem.edu.
I sent sensitive information. Why was my outgoing message not encrypted?
Although we are implementing policies and procedures to help us protect university data, it's still your professional responsibility to ensure you interact with sensitive information appropriately. If you do send an email that contains sensitive information and the data loss prevention system does not detect it, please reach out to umsystemsecurity@umsystem.edu and provide information on who received the email and the sensitive information that should have been identified so we can refine our processes.
What does an encrypted message look like for the external user?
External users who receive an encrypted email message will be prompted to login to view the message. Once they have logged in successfully, the system will redirect the user to the encrypted message. Below are examples of what encrypted messages might look like for the external user:
Will sensitive information on SharePoint and OneDrive be protected by the DLP policy?
Yes. If sensitive information is included in a Sharepoint or OneDrive file, the owner of the file will receive a notification from Microsoft identifying what type of sensitive information was found in the file and noting that access is blocked. The email will provide a link for the user to fix the issue in the file. A yellow triangle with an exclamation point will appear on the name of the affected file to warn the user of sensitive information. Some commands will not be available if sensitive information is detected in a file.
For example, any file that contains sensitive information cannot be shared with people who are given access to the item using the "anyone with the link" option. That option will be greyed out and unavailable. Users will still be able to use several other options, including, "people in your organization with the link," "people with existing access," and "specific people" settings. If you would like to use the "anyone with the link" feature, you will need to remove the sensitive information before doing so. In short, files with sensitive data in them must be shared with an explicit list of authorized individuals, rather than shared in a public manner.
Reviewed 2021-09-14