
OIT News

There’s No Security without “U”


One of the most significant risks that we face is data loss. Whether it is a cyber-breach, a stolen mobile device, or a stack of spreadsheets accidentally thrown away in an unsecured receptacle, the result is the same: our information falls into the hands of folks who are not authorized to view it. We can mitigate or reduce the effects of data loss in some cases, but there are less obvious ways that data “leaks” out that are harder to control.

  1. In the normal process of doing their job, a UT employee sends an unprotected spreadsheet full of sensitive information to Human Resources or Payroll for processing student pay. The spreadsheet contains information such as the name and SSN of an employee. The employee copied 30 people on the email.
  2. A UT employee is in the process of booking a room for their supervisor and sends the supervisor’s credit card information, complete with the credit card number, the card holder’s name, expiration date, and CVN, to the conference hotel through email.
  3. A UT employee finishes their family’s 2021 tax return in TurboTax and sends a PDF of the return through their UT email account, complete with their SSN, their spouse’s SSN, and their children’s SSNs, to their Yahoo!, Gmail, or Outlook.com account.

Regardless of the intention, the results are the same: personally identifiable information just leaked out.

None of these ways of sending the information is “okay,” and each of them violates UT policy. Moreover, the data is now stored in the sender’s and every recipient’s email box. Because email is now synchronized across devices and conveniently pushed to a mobile device, the information is also on the sender’s AND recipients’ phones, laptops, or workstations. If the mobile device isn’t protected by a PIN, password, or encryption, neither is the data.

Mitigating Data Loss

These are tough actions to mitigate. Data Loss Prevention (DLP) controls allow us to put technical controls in place that examine outgoing email BEFORE you press “Send” and remind you that it “looks” like you’re sending information that should be protected. The warning can be acknowledged and the email sent. However, the system also logs the event and alerts Information Security staff for a possible investigation. A follow-up notice may be sent to you, informing you that other options exist for transmitting sensitive information, for example: 

  1. Password-encrypt Microsoft Office documents and Adobe Acrobat PDF files containing sensitive information. Don’t forget to share the password (verbally) with the recipients so they can decrypt the document. (GOOD)
  2. Send the document via the UTK Secure Courier (vault.utk.edu) to internal and external recipients. (BETTER)
  3. Share sensitive information securely through Google Drive or Microsoft’s OneDrive for Business with recipients inside UT. Documents saved in OneDrive for Business can be added to an email in Outlook as a link, so no data is attached to the email, and the recipient must authenticate with their NetID and password to access the information. (BETTER)
  4. Type the word “Encrypt” into the Subject line of an email sent from your UTK Microsoft 365 account to internal and external recipients. This option is similar to Vault: the recipient receives an email with instructions for retrieving the message and must authenticate with their NetID and password or a one-time passcode to read it. (BETTER)
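The DLP control described above inspects an outgoing message before it leaves, warns the sender, and records an event for Information Security. The following Python script is an added illustration of that logic and is not OIT’s code or any part of Microsoft 365 DLP: it scans the subject, body, and attachment text of constructed sample messages for the two data classes the article names (SSNs and payment card numbers), validates card candidates with the Luhn check to cut false positives, masks what it finds so the log itself does not leak the data, and returns a “warn” decision rather than blocking, matching the article’s description. The internal domain `utk.edu`, the message fields, and all sample contents are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Patterns for the two data classes the article names. The SSN pattern excludes
# area 000/666/9xx and all-zero group/serial fields, which the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidates: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
INTERNAL_DOMAIN = "@utk.edu"  # assumption for the example


@dataclass
class Finding:
    kind: str      # "ssn" or "card"
    masked: str    # only the last four digits survive into the log
    location: str  # "subject", "body", or an attachment filename


@dataclass
class OutgoingMail:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: Dict[str, str]  # filename -> text extracted from it (constructed)


@dataclass
class Decision:
    action: str              # "allow" or "warn"; the described control never blocks
    findings: List[Finding]
    alert_security: bool     # True when an event should reach Information Security
    event: dict              # the record a DLP log would keep


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str, location: str) -> List[Finding]:
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask(m.group().replace("-", "")), location))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("card", mask(digits), location))
    return findings


def evaluate_outgoing(msg: OutgoingMail) -> Decision:
    """Run the pre-send check: warn, log, and alert, but let the sender proceed."""
    findings = scan_text(msg.subject, "subject") + scan_text(msg.body, "body")
    for name, text in msg.attachments.items():
        findings += scan_text(text, name)
    if not findings:
        return Decision("allow", [], False, {"sender": msg.sender, "verdict": "clean"})
    external = [r for r in msg.recipients if not r.lower().endswith(INTERNAL_DOMAIN)]
    event = {
        "sender": msg.sender,
        "recipient_count": len(msg.recipients),
        "external_recipients": len(external),
        "findings": [(f.kind, f.masked, f.location) for f in findings],
        "verdict": "warned",
    }
    return Decision("warn", findings, True, event)


# Constructed messages mirroring the article's three scenarios plus a clean one.
SAMPLE_MESSAGES = {
    "payroll_spreadsheet": OutgoingMail(
        "dept-admin@utk.edu",
        ["payroll@utk.edu"] + [f"staff{i}@utk.edu" for i in range(30)],
        "Student pay for March",
        "Spreadsheet attached.",
        {"student_pay.xlsx": "Name,SSN\nJane Doe,123-45-6789\nJohn Roe,234-56-7890"},
    ),
    "hotel_booking": OutgoingMail(
        "assistant@utk.edu", ["reservations@example-hotel.com"], "Room hold",
        "Please hold the room on my supervisor's card: 4111 1111 1111 1111, "
        "exp 09/27, CVN 123. Name on card: Pat Smith.", {},
    ),
    "tax_return_to_gmail": OutgoingMail(
        "employee@utk.edu", ["employee.home@gmail.com"], "our 2021 return", "FYI",
        {"2021_return.pdf": "Taxpayer SSN 345-67-8901 Spouse SSN 456-78-9012 "
                            "Dependent SSN 567-89-0123"},
    ),
    "clean": OutgoingMail(
        "a@utk.edu", ["b@utk.edu"], "Lunch", "Noon? Call 865-974-9900 if late.", {},
    ),
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        d = evaluate_outgoing(msg)
        print(f"{name}: {d.action}, alert={d.alert_security}, event={d.event}")
```

The phone number in the clean message shows why the two patterns are shaped as they are: a 10-digit dashed run matches neither the 3-2-4 SSN layout nor the 13-to-19-digit card range, and a random 16-digit string fails Luhn about nine times in ten. Real products add many more classifiers (keywords such as “SSN” near the match, attachment types, recipient reputation), but the warn-log-alert flow stays as above.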

As specified in the UT Acceptable Use Policy (IT0110-AUP), the University reserves the right to access, monitor, review, and release the contents and activity of an individual User’s account(s) as well as that of personal Internet account(s) used for University business. The AUP also states that “… users WILL NOT: Include or request personally identifiable or generally protected information such as passwords, social security numbers, or credit card numbers be included in electronic communication (email, instant message, text message, etc.).”

Whether it’s an SSN, a credit card, or a grade-roll, there are ways to transmit this data SECURELY.

OIT is testing the DLP capabilities of Microsoft 365 and hopes to implement the controls soon. These controls won’t stop you from sending sensitive information in an insecure fashion but can serve as a reminder that there are other ways of communicating sensitive information. 

The message is still the same: regardless of what controls are in place, YOU are the only control that can reduce the exposure of sensitive information (data loss). All of these methods require effort, and they are not expedient. You may interpret expediency as good customer service; however, knowingly putting the customer’s personal information – your information – at risk is not good customer service and is a violation of policy. 

Lastly, if you SEE something, SAY something!
All the technical controls in the world can’t catch everything. 

For help or assistance with any of the methods listed, please call the OIT HelpDesk at 865-974-9900.
If you don’t know or aren’t sure: ASK.