Traditional email is not a secure channel for sending or storing sensitive information, whether written in the body or included as an attachment.
Even if you and the person you're communicating with have a legitimate business need for the information, or if you only want to send the data to yourself so you can work on it later. Restricted information should never be sent or stored in email.
Although you need credentials to log in and access the email in your mailbox, email is sent from server to server, usually in clear text that can be read while in transit by anyone with the right combination of access and opportunity. There is no way to guarantee that all the connections between the sender and recipient are secure.
What is restricted information?
Never send or request any of the following information by email:
- Social Security numbers
- Driver's License numbers
- Passport numbers
- State-issued ID numbers
- Bank/financial account numbers
- Credit/debit card numbers
- Protected health information
- Any passwords or authentication credentials
How can I collaborate with others on restricted business information?
We have several options at ODU, whether you need to collect, store or share personal information with others at the University. Remember, you should never create multiple copies of documents that contain restricted data or store copies, except in designated locations.
Secure data collection and sharing options
I need to collect documents from external or ODU customers:
- Receive a secure fax to Banner Document Management (BDM) - Faxes can be sent to an MFP and directed to a BDM application where remote staff can access secure digital copies.
- Contact itshelp@odu.edu to have your MFP's fax function redirect to BDM.
I need to collect confidential information from external or ODU customers (including from students or prospective students):
- Create a secure data collection form with the ODU Forms Tool - Data and documents can be collected via the form and securely stored for further processing.
- In addition, electronic documents can be uploaded directly to the Forms Tool. Care should be taken not to create multiple copies of electronic documents that contain restricted business information.
- Contact itshelp@odu.edu to set up one of these options with the Forms Tool.
I need to send confidential information to an external party:
- Contact the external party to find their secure method of receiving the confidential information.
- Contact itshelp@odu.edu if unable to determine a secure way to transfer the confidential information.
I want to share information that contains restricted business information among others within my business unit:
- Use a special ODU network share called a SecDrive.
- Contact itshelp@odu.edu to set up a secure shared drive.
I need to have reports generated and delivered via Banner Jobsub:
- Jobsub processes (in Banner) should be written to the database, downloaded and stored per the regulated data matrix (versus being sent as a report via email).
- Care should be taken not to download files with restricted business information to a local workstation drive or a regular mapped drive. If it is necessary to download restricted business information to a workstation, please notify the ITS Risk & Compliance Office (email itshelp@odu.edu) so we can help you develop a more secure business process.
Secure storage locations
(You must be connected to wired network on campus or to the ODU VPN to use these options.)
To request use of any of the solutions above, or when in doubt, email itshelp@odu.edu. Based on the use case, ITS can help facilitate the appropriate solution for your secure business process needs.
What if someone sends me restricted data, even if I didn't request it?
If you do end up with restricted information in your inbox:
- Move the information or document to a secure storage location (see options above).
- Delete all copies of the message from your email.
- Permanently delete the message from your Deleted Items folder.
What if I accidentally try to email my personal information to someone else?
Mistakes can happen. If you try to send a message and Outlook detects a string of characters that may contain personally identifying information (numbers arranged in the format of a social security number, for example), a warning will pop up asking if you're sure you want to send the message. Contact your intended recipient and see if there's another way to submit the private personal information.
If you send the document before the notice appears, delete the file from the Sent folder, and permanently delete the message from your Deleted Items folder.