NEW Data Loss Prevention Email Service Launching 8/24

Email is a popular way to communicate, but it is never a secure way to send Social Security, credit card or BuckID numbers. Enterprise Security’s Data Loss Prevention email service helps secure information entrusted to the university.

The service, launching August 24, 2015, uses pattern recognition software on outgoing email (not student email) to locate Social Security, credit card and BuckID numbers. If the system recognizes those types of data, it creates an entry that is later assessed for validity by approved Enterprise Security analysts. No blocking will occur and messages will still be transmitted to their recipients.

  • Objective
    • The main objective is to prevent accidental and malicious loss of significant amounts of Social Security numbers, credit card numbers and BuckID numbers. Enterprise Security’s service only targets the loss of large amounts of this type of data – quantities that would fall outside an expected range for personal use.
  • Scope
    • This service applies to staff, faculty, sponsored guests, agents and contractors who use the university email system. Student and Wexner Medical Center email are not a part of this process.
  • What data is the university focusing on?
    • This service is designed to locate the following Restricted data items:

      Social Security Numbers
      Credit Card Numbers
      BuckID Numbers

  • Why are we focusing on this data?
    • Just like data you want to protect in your personal life, the university wants to protect data entrusted to us for university business. Detailed guidelines such as the Institutional Data Policy and its job aids can provide examples of secure use. The Institutional Data Policy states (Section II.B.4):

      “Restricted data is strictly limited as unauthorized use or disclosure could substantially or materially impact the university’s mission, operations, reputation, finances, or result in potential identity theft.”

      Social Security numbers are subject to Ohio regulation in the Ohio Revised Code section 1347.12 and overlap with HIPAA regulations. Credit card numbers fall under Payment Card Industry (PCI) regulations, which can carry large fines.

  • Why email?
    • Outgoing emails often contain office documents and work information. However, email is not a secure way to send Social Security, credit card or BuckID numbers. This process allows Enterprise Security to prevent data loss through email.
  • Does this apply to BuckeyeMail or Wexner Medical Center email?
    • This does not apply to BuckeyeMail, Wexner Medical Center or student email. This only applies to staff, faculty, sponsored guests, agents and contractors who use the university email system.
  • Does the Enterprise Security Team have access to my email inbox?
    • No. The Enterprise Security team would only access a copy of a message and/or attachment if the software detects that the message contains large amounts of Social Security, credit card or BuckID numbers. Enterprise Security will not have the ability to view your entire mailbox.
  • How does Enterprise Security help protect my privacy?
    • Enterprise Security uses a narrow set of criteria so that only institutional data is highlighted, that is, data that might pose a risk to the university and its customers if lost. Personal use of university resources is permitted by the Responsible Use policy, and data from actions such as personal online purchases or personal tax documentation is excluded by Enterprise Security.
  • What happens if the DLP email service locates a potential match for university Restricted data?
    • If the software determines an email might have a significant number of Social Security, credit card or BuckID numbers, the message will still be transmitted to its recipient(s). However, an approved Enterprise Security analyst will assess the email message. If it is determined to be a valid data loss, normal incident response processes may apply, which include disciplinary action if indicated. If a message is not determined to be a valid match for university data, then the entry will be deleted after it has been analyzed. This process also provides insight into how we can prevent future data loss and guide training opportunities for faculty and staff.
  • What if I have concerns?
    • Enterprise Security is sensitive to any concerns about privacy and how the Data Loss Prevention email service works, and the team is available to answer concerns that individuals or groups may have. To contact Enterprise Security regarding DLP, email dlpsecurity@osu.edu.
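
The following Python example is an added illustration, not Enterprise Security's software or rules. It shows how a monitor-only detector of the kind described above can count pattern matches in an outgoing message and create a review entry only for bulk quantities. The regular expressions, the threshold of 10 and all function names are assumptions, and BuckID is omitted because its number format is not given on this page.

```python
import re

# Assumed patterns and threshold; the announcement does not publish the service's
# real rules. BuckID is omitted because its number format is not given on the page.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
BULK_THRESHOLD = 10  # hypothetical: more than one person's own data would produce


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666, 9xx; group 00; serial 0000)."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def scan_outgoing(body: str) -> dict:
    """Count distinct matches and decide whether to log an entry for analyst review."""
    ssns = {m.group(0) for m in SSN_RE.finditer(body) if plausible_ssn(*m.groups())}
    cards = set()
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.add(digits)
    flagged = len(ssns) + len(cards) >= BULK_THRESHOLD
    # Monitor-only: the message is delivered whether or not an entry is created.
    return {"ssn": len(ssns), "card": len(cards),
            "review_entry": flagged, "delivered": True}


# Constructed sample messages (no real identifiers).
PERSONAL = "Order confirmed, card 4111 1111 1111 1111. Tracking 1234-5678-9012-3456."
BULK = "\n".join(f"Employee {i}: 123-45-{6000 + i}" for i in range(25))

if __name__ == "__main__":
    print(scan_outgoing(PERSONAL))  # one card number, below threshold, no entry
    print(scan_outgoing(BULK))      # 25 SSN-shaped values, entry created
```

The checksum and range filters reduce false positives before counting, so that order numbers and tracking codes do not push a personal message over the threshold.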