Remediating PII in Outlook
Information Security Procedure


Information Security Procedures (ISPR) define the formal methods by which Information Security Regulations, Standards, and Best Practices are carried out.

PII and Outlook

In today’s evolving threat landscape, we must protect ourselves from those that would perpetrate fraud against us by constantly questioning how we store and transmit confidential information.

To prevent the accidental sharing of sensitive information, a data loss prevention (DLP) policy has been implemented in Outlook. If this policy detects an attempt to share personally identifiable information (PII) with someone outside the institution, it will email a warning notification, including the suspected data type, to both the sender and ITS.

Note: At times these security systems generate false positives (data that looks like confidential information but isn't).

If the Email Contains Confidential Information

  1. If you are the recipient of an email that contains PII, remove or redact the offending data, and reply to the sender with one of the following two messages:

    If the message contains student-related PII:

    Long Beach City College (LBCC) is dedicated to protecting your personal information. The US Department of Education has declared that unencrypted emails containing FERPA-protected data are insecure and, therefore, prohibited. In the future, please do not offer District staff, faculty, or other personnel your Social Security Number, credit card number, password, etc.

    If the message contains non-student-related PII:

    Long Beach City College (LBCC) is dedicated to protecting your personal information. Since email is not a secure method for transmitting Social Security Numbers, credit card numbers, passwords, etc., LBCC prohibits the use of District email for this purpose. In the future, please do not offer District staff, faculty, or other personnel your confidential information.

  2. If it is necessary to share PII with someone outside the institution as part of an authorized business process defined by your department in concert with ITS, you may need to find another method to deliver the data; for instance, by using a fax machine, an encrypted USB, etc.

    Please contact the ITS Help Desk for assistance if you cannot find an appropriate alternative.

  3. If the need to share PII with someone outside the institution is legitimate but sensitive data is not required, remove or redact the offending data, or find an alternative delivery method.

  4. If the email does not meet the above criteria, take this time to delete all copies of the offending data from your email, computer, phone, etc. PII can only be stored on approved devices.

If the Data Has Been Misidentified

  1. If you still intend to share the email with someone outside the institution, you can either remove or redact the offending data, find an alternative delivery method, or contact the ITS Help Desk for guidance.

  2. If you no longer intend to share the email with someone outside the institution, there is nothing you need to do.

Redacting a Digital Document

Properly redacting information in a digital document requires more than hiding the text, for example by covering it with a black box or highlighting it in black; the underlying text is still present in the file.

If you receive a message that a document you tried to send or share contains PII, open the document and search it for the PII identified in the warning. If the search finds the text, the PII was only covered, not redacted.

Although MS Word provides no acceptable redaction method, Adobe provides detailed instructions on how to remove sensitive information from PDFs.
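The two checks described on this page, the DLP rule that flags PII addressed to an external recipient, and the search that tells a covered value from a redacted one, can both be expressed in a few lines of code. The following is an added example, not part of the LBCC procedure and not the actual Outlook DLP rules: the PII patterns, the institution domain (`INTERNAL_DOMAIN`), and the minimal .docx built in memory are all assumptions constructed for illustration. The .docx part builds a document whose PII run is formatted black-on-black (text "covered" but still in the file), extracts the text the same way a search would, and reports whether the flagged value survives.

```python
"""Added example (not the LBCC procedure's own code): a toy outbound-mail PII
check and a redaction verifier for a .docx file. All values are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Illustrative patterns for the data types the procedure names. Real DLP
# engines use far richer rules; these are assumptions for the example only.
PII_PATTERNS = {
    "SSN": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "Credit card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
INTERNAL_DOMAIN = "lbcc.edu"  # assumed institution domain, not taken from the page


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random 13-16 digit runs (order numbers etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return {data_type: [matched values]} for PII found in text."""
    found = {}
    for name, pat in PII_PATTERNS.items():
        hits = []
        for m in pat.finditer(text):
            value = m.group(0)
            if name == "Credit card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue        # digit run that fails Luhn: treat as a false positive
            hits.append(value)
        if hits:
            found[name] = hits
    return found


def dlp_check(recipients: list, body: str) -> dict:
    """Mimic the DLP decision: warn only when PII is addressed outside the institution.

    Returns the suspected data types so a warning can name them, as the page says
    the Outlook notification does."""
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    pii = find_pii(body)
    return {"warn": bool(external and pii), "external": external, "types": sorted(pii)}


# --- redaction verification on a constructed .docx ------------------------------
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# The PII run is black text on a black highlight: visually hidden, still stored.
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="' + W_NS + '"><w:body><w:p>'
    '<w:r><w:t xml:space="preserve">Student SSN: </w:t></w:r>'
    '<w:r><w:rPr><w:color w:val="000000"/><w:highlight w:val="black"/></w:rPr>'
    '<w:t>{value}</w:t></w:r></w:p></w:body></w:document>'
)


def build_docx(value: str) -> bytes:
    """Constructed minimal .docx: a zip containing word/document.xml is enough here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", DOCUMENT_XML.format(value=value))
    return buf.getvalue()


def docx_text(data: bytes) -> str:
    """Concatenate every <w:t> run; formatting (colour, highlight) is ignored,
    which is exactly why a covered value is still found."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter("{%s}t" % W_NS))


def redaction_verified(data: bytes, flagged_value: str) -> bool:
    """True only if the value named in the DLP warning no longer appears in the file."""
    return flagged_value not in docx_text(data)


if __name__ == "__main__":
    covered = build_docx("123-45-6789")          # constructed, not a real SSN
    redacted = build_docx("[REDACTED]")
    print(dlp_check(["x@example.com"], "SSN 123-45-6789"))
    print("covered doc passes:", redaction_verified(covered, "123-45-6789"))
    print("redacted doc passes:", redaction_verified(redacted, "123-45-6789"))
```

The `docx_text` function is the programmatic equivalent of the search step the page recommends; against the "covered" document it still returns the SSN, so the verifier reports a failure, while a document in which the run was replaced by a placeholder passes. Only the replacement approach survives the check, which is why the page points to a real redaction tool rather than to formatting tricks.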

Non-Business Related Activities and Personal Accounts

District information and technology resources should not be used for personal activities unrelated to appropriate District functions (including commercial use), except in an incidental manner (Administrative Regulation 3720).

Users should be aware that all communications conducted on or from District systems, whether electronic or otherwise, are subject to review and disclosure as outlined in the California Public Records Act, current case law, and other Federal and/or State laws and regulations. Therefore, users should exercise extreme caution when using electronic communications to communicate or store information of a confidential or sensitive nature (Administrative Regulation 3720).

Using District systems to transmit personal taxes, refinance forms, medical verification forms, or anything else containing your confidential information puts you at risk should your account, or the account of the business you deal with, become compromised.

Personal accounts used while conducting business may be subject to discovery in response to a request for production in a lawsuit or investigation.