Personally identifiable information (PII) doesn’t belong in your email | @theU – @theU

Have you ever sent or received information about yourself or someone else via email? If so, it's possible you've handled personally identifiable information (PII), a type of restricted data that requires a high level of information security, and data that shouldn't be in your inbox.

PII includes but is not limited to such stand-alone elements as a full Social Security Number or passport number. It also includes a full name in combination with such elements as date of birth or ethnic affiliation. (Access the infobox below for more examples of personal identifiers.)

The Department of Homeland Security (DHS) defines PII more broadly as "any information that permits the identity of an individual to be directly or indirectly inferred, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual."

The definition and identifiers are part of the U's Data Classification and Encryption Rule, which provides guidance on how university organizations and users should handle PII and other restricted data to comply with myriad legal and regulatory standards.

"Ultimately, it comes down to privacy," said Trevor Long, associate director for the Information Security Office's (ISO) Governance, Risk & Compliance (GRC) team.

"It's 2022. We need to ensure that we're not sending confidential information through email. There are better ways," Long said.

Email, he said, is an inherently insecure mechanism to transmit and receive restricted and sensitive data, including PII. The ISO is particularly concerned about online forms and web apps that collect PII and other confidential information through user submissions and send that data by email. This is called being sent "in the clear" or in "clear text." In other words, anyone between the online form or web app server and the receiving inbox can read the message. When this happens, there are no protections around the data as it crosses the internet.

Long said alternatives exist that align with university policies and regulations.

"Some services, such as UBox and the PeopleSoft admin tool for Human Resources, already have controls in place," he said. When an item is available for review, rather than sending the restricted data insecurely by email, the service sends users a notification or message with a link to the file or platform, where they must log in to access the information.

"That's the standard now, and it is supported by the growing body of privacy regulation. Organizations are updating their processes to make sure that confidential information is not sent through email," he said. "Instead, you log in to a portal where there's multifactor authentication like Duo 2FA, logging, and other controls, and then you view the confidential information through an encrypted session."
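The two patterns contrasted above (a form handler that mails the submitted data itself, versus one that stores the data behind a login and mails only a link) can be shown side by side in code. The following is an added example, not code from the article or from the university's own systems: the SSN pattern, the restricted field list, the `Outbox` and `Portal` stand-ins and the `portal.example.edu` URL are all constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed for this example: a simple SSN pattern and a list of form fields
# treated as restricted PII. A real rule would use the institution's own list.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
RESTRICTED_FIELDS = {"ssn", "passport_number", "date_of_birth", "ethnicity"}


def find_pii(submission: dict) -> list:
    """Return the names of fields whose name or value looks like restricted PII."""
    hits = []
    for name, value in submission.items():
        if name.lower() in RESTRICTED_FIELDS or SSN_RE.search(str(value)):
            hits.append(name)
    return sorted(hits)


@dataclass
class Outbox:
    """Stand-in for a mail transport, so the example runs offline."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


@dataclass
class Portal:
    """Stand-in for a login-protected store (the UBox-style portal in the article)."""
    items: dict = field(default_factory=dict)

    def store(self, submission: dict) -> str:
        # An unguessable reference is what goes into the email, never the data.
        ref = secrets.token_urlsafe(16)
        self.items[ref] = submission
        return ref


def email_in_the_clear(submission: dict, reviewer: str, outbox: Outbox) -> None:
    """The pattern the article warns about: the form data itself is the mail body."""
    body = "\n".join(f"{k}: {v}" for k, v in submission.items())
    outbox.send(reviewer, "New form submission", body)


def notify_with_link(submission: dict, reviewer: str, outbox: Outbox, portal: Portal,
                     base_url: str = "https://portal.example.edu/review/") -> str:
    """The recommended pattern: store the data behind authentication, mail only a link."""
    ref = portal.store(submission)
    body = f"A new submission is ready for review. Log in to view it: {base_url}{ref}"
    outbox.send(reviewer, "New form submission ready for review", body)
    return ref


def handle_submission(submission: dict, reviewer: str, outbox: Outbox, portal: Portal) -> tuple:
    """Guarded handler: anything containing restricted PII goes via the portal link."""
    if find_pii(submission):
        return ("link", notify_with_link(submission, reviewer, outbox, portal))
    email_in_the_clear(submission, reviewer, outbox)
    return ("inline", None)


def email_leaks_pii(outbox: Outbox) -> bool:
    """True if any queued message body contains an SSN-shaped value."""
    return any(SSN_RE.search(m["body"]) for m in outbox.sent)


if __name__ == "__main__":
    # Constructed sample submission.
    sample = {"name": "Jane Doe", "ssn": "123-45-6789", "date_of_birth": "1990-01-01"}
    bad, good, portal = Outbox(), Outbox(), Portal()
    email_in_the_clear(sample, "reviewer@example.edu", bad)
    notify_with_link(sample, "reviewer@example.edu", good, portal)
    print("in-the-clear mail leaks PII:", email_leaks_pii(bad))
    print("link-only mail leaks PII:", email_leaks_pii(good))
```

The `find_pii` check stands in for the data-loss-prevention step a form owner would run before any mail is composed; the point of `handle_submission` is that the decision to send a link instead of the data is made in code, not left to whoever configured the form.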

The ISO encourages those still using outdated tools or business processes to handle PII to make updates to comply with university policy. Such policies and state and federal regulations, Long said, exist to better protect the data of the university and its students, faculty, staff, and patients, as well as the privacy of its guests.

"We need to be willing to change as regulations and laws are updated and criminals change their tactics," he said.

Anyone with questions about the U's Data Classification and Encryption Rule or handling personally identifiable information can contact the GRC team at iso-grc@utah.edu for assistance.
