ITS Data Loss Prevention Initiatives
Note: As Microsoft improves the Office 365 DLP product, users may see different behaviors in Outlook, depending on the client (e.g., web, desktop, mobile). If you experience any issue that impacts your ability to use Outlook, please contact the ITS Service Desk at email@example.com or 901.678.8888.
Terms to know
Data Loss Prevention (DLP): An organization's strategies for keeping private and sensitive data safe from unauthorized access
Personally Identifiable Information (PII): Data that can be used to identify a unique individual, such as Social Security and driver's license numbers (protected under FERPA and HIPAA)
Payment Card Industry data (PCI): Information such as credit/debit card numbers and bank account data that can be used for financial transactions (protected under GLBA and PCI DSS)
New DLP Tools
The University of Memphis currently enforces rigorous policies to keep data safe. ITS data storage guidelines provide an overview of how information may be stored and who should have access to it, and IT6005 – Data Security Policy details the expectations for all UofM employees to limit the risk of data exposure. ITS will soon implement new tools to further ensure data confidentiality and regulatory compliance.
Microsoft Office 365 DLP
Microsoft Office 365 (O365) now offers DLP functionality that warns users when it detects potentially sensitive information. Users composing email in the Outlook web client will be alerted when the message or an attachment includes PII/PCI that could violate University policy.
DLP policy tip in Outlook
A user who sends a message with data detected as potentially restricted will receive a system email describing the violation, and security administrators will be informed of the potential offense.
DLP warning email in Outlook
Implementation of the DLP feature is planned for all O365 Outlook users, including students.
Eventually, Outlook messages that violate DLP policies will be blocked rather than merely flagged when PII/PCI is detected. Users will be able to report false positives to avoid disruptions caused by misidentified information.
Further functionality, such as detection of sensitive data in O365 Word and Excel, will be explored in the future.
Planned Implementation Schedule
Outlook warnings for all O365 users – May 17, 2021
Outlook email blocking – TBD
O365 full functionality – Under review
File-sharing portal and encrypted email
To address legitimate needs for sending confidential documents, ITS will also be piloting a secure file-sharing portal and encrypted email. These services will allow those with an approved business need to share confidential data with authorized users.
Planned Implementation Schedule
File-sharing portal and encrypted email pilot – May 2021
Expansion to campus – TBD, according to business needs
For questions regarding these new tools, contact firstname.lastname@example.org.
I sent an email with restricted data and received a warning email. What happens now?
A report will be sent to security administrators, who will determine whether any policies were violated. You may be contacted for more information and provided guidance on how to properly store and transmit restricted data.
What kind of restricted data will trigger a DLP warning?
A warning will be triggered if an email message or attachment contains text identified by the DLP system as certain restricted data elements, including but not limited to the following:
- U.S. Social Security Number (SSN)
- Individual Taxpayer ID Number (ITIN)
- Credit/debit card information
- Bank account information
- Driver’s license information
- U.S. passport number
I got a DLP warning, but my email didn’t include any restricted data. What should
The DLP software uses standardized rules to analyze text for PII and PCI data. An email could include text that the system incorrectly recognized as an indicator of such data, thereby generating a false alert.
If you are confident your message and any attachments did not include restricted data, please disregard the warning.
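As an added illustration (not the University's or Microsoft's code, and not Microsoft's actual sensitive information type definitions), the simplified Python scanner below shows how a rule-based DLP check of the kind described above separates a likely match from a lookalike: a pattern alone produces candidates, and a checksum or structural rule (Luhn for card numbers, the SSA's area/group/serial rules for SSNs) raises or lowers confidence. The SSN and card patterns, the confidence labels and the sample message are assumptions constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Finding:
    kind: str        # "SSN" or "CreditCard"
    value: str       # the matched text as it appeared in the message
    confidence: str  # "high" (pattern and checksum/structure agree) or "low" (pattern only)

# Assumed, simplified patterns: a hyphenated 9-digit SSN and a 13-16 digit card
# number with optional space or hyphen separators. Real DLP rules are broader.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def ssn_structure_ok(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def scan(text: str) -> list[Finding]:
    """Return every candidate with a confidence label, in order of appearance by type."""
    findings = []
    for m in SSN_RE.finditer(text):
        conf = "high" if ssn_structure_ok(*m.groups()) else "low"
        findings.append(Finding("SSN", m.group(0), conf))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        conf = "high" if luhn_ok(digits) else "low"
        findings.append(Finding("CreditCard", m.group(0), conf))
    return findings

# Constructed sample message: one real-looking SSN and card number, plus two
# lookalikes that a pattern-only rule would flag (a false positive in the page's sense).
SAMPLE = (
    "Applicant SSN 123-45-6789, previous form listed 000-12-3456.\n"
    "Card on file 4111 1111 1111 1111; tracking number 4111 1111 1111 1112."
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.kind:<10} {f.value:<22} confidence={f.confidence}")
```

Only the low-confidence findings correspond to the false alerts the answer above describes; a production engine also weighs nearby keywords such as "SSN" or "card", which this example omits.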
Does the DLP tool stop me from sending emails?
No. DLP in Outlook 365 will display a policy tip while the email is being composed in a web browser to warn the user that restricted data might be included. If the email is sent, a warning email will be sent to the user, and security administrators will be informed of a potential violation of University policy. The user’s original message is sent as intended.
Eventually, the DLP tool will be strengthened to block the message before it is sent, providing further protection against inadvertent disclosure of restricted data. Even then, users will have the option to override the block by providing a justification for sending the message.
I received a warning email after sending my message, but I never saw a policy tip while composing it.
Currently, DLP policy tips are available only in the Outlook 365 web browser interface. Tips are not available in the mobile app, and desktop app tips may show unexpected behavior as Microsoft continues to improve the DLP product. However, warning emails will still be delivered when restricted data is detected after a message is sent.
Are my emails being read by a University employee?
In accordance with University policy IT6003 – Acceptable Use of Information Technology Resources, “The University does not routinely monitor electronic communications, electronic activity, or electronic data for specific users.” The Outlook 365 DLP tool scans the text of all email and compares it to a set of rules designed to detect specific restricted data, such as SSN or credit card numbers, just as the spell check tool does for spelling and grammar. This text is treated the same as any other email.
However, as stated in IT6003 – Acceptable Use of Information Technology Resources: “The University may monitor electronic communications or electronic activity in the course of protecting University information,” including “investigations of misuse, unauthorized use or illegal activity.” In the event of a policy violation, appropriate administrators will follow up with the user. Users should be aware of and follow all University policies regarding technology use, including IT6008 – Email Use. These policies can be found on the ITS Policies and Guidelines page.
I need to send a document that contains restricted data. How can I do that safely?
If you have a legitimate need to send restricted PII or payment data, please review the University Data Storage Guidelines. For more guidance, please contact the ITS Service Desk at 901.687.8888 or email@example.com.