Revisiting Sensitive Data Sent in Email
In the last year, the Information Security team has turned on a Data Loss Prevention (DLP) system included in our Microsoft-licensed software. We have found that sensitive data is routinely being sent through email. The data types include Social Security numbers, bank account numbers, and credit card numbers. It is important to note that we are not able to see the content of the emails or attachments. We are only alerted to the type of sensitive data, who originated the email, and who it was sent to.
The majority of these incidents involved a staff member, faculty member, or student including these data types in emails sent to one of Wright State’s departments or an outside agency. At times, an outside agency originates the email. As our DLP solution is currently configured, we do not have control over what an individual outside of Wright State sends to someone through email. In other words, we are not currently blocking these emails from outside sources. However, each of us does have control over what we do with such emails once they are received.
If you receive an email containing sensitive data, the best course of action is to remove or redact that data from the email before replying to it or forwarding it to others. This also applies to documents attached to an email. If this isn’t done, resending the email violates our information security policies. If the information is needed for a business process, the data should be stored in a secure location such as your departmental H, K, or R drive. If you need to send the information to others working at Wright State, use SecureShare (secureshare.wright.edu) to send the information.