Dealing with PII in Outlook
Information Security Procedure

Information Security Procedures (ISPR) are developed to provide the steps needed to implement a specific Information Security Best Practice (ISBP).

Remediating PII Notifications from Outlook

In today’s evolving threat landscape, we must protect ourselves from those who would perpetrate fraud against us by constantly questioning how we store and transmit confidential information.

To prevent the accidental sharing of sensitive information, a data loss prevention (DLP) policy has been implemented in Outlook. If this policy detects an attempt to share personally identifiable information (PII) with someone outside the institution, it will email a warning notification, including the suspected data type, to both the sender and IITS.

Note: At times these security systems generate false positives (data that looks like confidential information but isn’t).

If the Email Contains Confidential Information

  1. If you are the recipient of an email that contains PII, remove or redact the offending data, and return one of the two following messages to the sender of the email:

    If the message contains student related PII:

    Long Beach City College (LBCC) is dedicated to protecting your personal information. The US Department of Education has declared that unencrypted emails containing FERPA-protected data are insecure and, therefore, prohibited. In the future, please do not offer District staff, faculty, or other personnel your Social Security Number, credit card number, password, etc.

    If the message contains non-student related PII:

    Long Beach City College (LBCC) is dedicated to protecting your personal information. Since email is not a secure method for transmitting Social Security Numbers, credit card numbers, passwords, etc., LBCC prohibits the use of District email for this purpose. In the future, please do not offer District staff, faculty, or other personnel your confidential information.

  2. If it is necessary to share PII with someone outside the institution as part of an authorized business process defined by your department in concert with IITS, you may need to find another method to deliver the data; for instance, by using a fax machine, an encrypted USB, etc.

    Please contact the IITS Help Desk for assistance if you cannot find an appropriate alternative.

  3. If the need to share PII with someone outside the institution is legitimate but sensitive data is not required, remove or redact the offending data, or find an alternative delivery method.

  4. If the email does not meet the above criteria, take this time to delete all copies of the offending data from your email, computer, phone, etc. PII can only be stored on approved devices.

If the Data Has Been Misidentified

  1. If you still intend to share the email with someone outside the institution, you can either remove or redact the offending data, find an alternative delivery method, or contact the IITS Help Desk for guidance.

  2. If you no longer intend to share the email with someone outside the institution, there is nothing you need to do.

Redacting Information from PDFs

Adobe’s website provides detailed instructions on how to remove sensitive information from PDFs.

Non-Business Related Information

District information and technology resources should not be used for personal activities unrelated to appropriate District functions (including commercial use), except in an incidental manner (Administrative Regulation 6006).

Users should be aware that all communications conducted on or from District systems, whether electronic or otherwise, are subject to review and disclosure as outlined by the California Public Records Act, current case law, and other Federal and/or State laws and regulations. Therefore, users should exercise extreme caution in using electronic communications to communicate or store information of a confidential or sensitive nature (Administrative Regulation 6006).

Furthermore, using District systems to transmit personal taxes, refinance forms, medical verification forms, or anything else containing your confidential information puts you at risk should your account, or the account of the business you deal with, become compromised.