Alternative Methods for Sharing PII
Information Security Procedure

Why Email and OneDrive Are Insufficient

Personally Identifiable Information (PII) includes sensitive data like Social Security numbers, financial details, and student records. As an educational institution, protecting PII is both a legal mandate and an ethical duty. While district tools like email and OneDrive are convenient for daily work, they do not provide the strict security required to handle PII safely.

The Risks of Email and OneDrive

Email is only protected in transit to the recipient’s server, and LBCCD cannot guarantee that the recipient’s server is configured correctly or up to date. Furthermore, there is no control over the PII once it has been delivered, which makes it easily accessible if a hacker gets access to the account or the user accidentally shares it with an unintended audience.

OneDrive links, on the other hand, are prone to human error. These links leave files accessible on the internet indefinitely, until the user revokes them. Additionally, if a recipient accidentally forwards the link, or if their account is compromised, anyone can view or download the exposed PII without needing to log in.

Because PII is the primary target for identity thieves, it must always be secured via explicit user logins or end-to-end encryption. Transmitting PII insecurely also violates federal compliance mandates like FERPA (for student privacy) and GLBA (for financial data).

Approved Alternative Methods

To keep data secure, use specialized platforms designed for secure data handling:

  • Encrypted Document Platforms: Use tools like DocuSign or Adobe Sign to protect data during the signing process. Standard password-protected PDFs are easily cracked by free online tools and should be avoided.
  • Direct Vendor Portal Uploads: Submit files directly through secure, authenticated upload areas managed by the receiving institution.
  • The Split-Delivery Method: Fill out the required form, but leave the sensitive Tax ID or Social Security number field blank. Email the incomplete form, then call your contact directly to provide the missing numbers over the phone.

Don’t Be a Victim of Phishing!

Whether you are working from the office or remotely, please maintain your cyber vigilance by: