Guidelines for Managing Sensitive Information in Email and OneDrive

Email and OneDrive accounts do not provide adequate security for unencrypted files containing Social Security Numbers, credit card numbers, drivers' license numbers, bank account numbers, HIPAA information, or other sensitive data.

As a community, we must take steps to minimize the risk that the University's sensitive or confidential information could be compromised.

What are the risks when sensitive information is compromised?

A breach of personal information could:

  • cost our students, their parents, faculty, staff, or alumni thousands of dollars and hours of frustration;
  • bring adverse publicity and impact enrollment;
  • trigger breach notification requirements;
  • result in fines and other legal penalties;
  • jeopardize eligibility for programs such as Federal Student Aid.

What if the information I save is personal information for myself or my family, and not La Salle data?

Even if the sensitive data only pertains to you or your family, you are exposing yourself and your loved ones to the risk of identity theft.

What should all members of the La Salle community do to help prevent a compromise of sensitive data?

With regard to your email account, every member of the community should follow these three (3) rules:

  • If you do not need to retain the email, delete the email from your Inbox, Sent Mail folder, and from any email folders where you may have copied the message.  Remember to also delete it from your Deleted Items folder.
  • If you must retain a copy of the email, forward a copy of the email to yourself after deleting the sensitive data. After forwarding the redacted email, delete the original from your Sent Mail, Deleted Items, and any other email folders.
  • If you need to send confidential data in an email, you should place the sensitive content in a Word document or Excel spreadsheet, encrypt the file with a strong password, and send the file as an email attachment. To maintain confidentiality, you should call or text the recipient with the password. You should not send the password in an email.

With regard to your OneDrive account, every member of the community should follow these three (3) rules:

  • If you do not need to retain a file, delete it.
  • If you want to retain the file but do not need its sensitive content, delete or redact/black-out the sensitive data, and save the file.
  • If you need to retain the file with its sensitive content, encrypt the file with a strong password.

How will I know what information needs to be encrypted or deleted?

The following table illustrates the common sensitive information a member of the La Salle community may encounter or use during the normal course of business. It also explains which information is prohibited and may never be saved, and which information may be saved only if it is encrypted.

PII Guidelines

HIPAA Data (Medical and Treatment Records)
  • Red STOP light: PROHIBITED EVEN IF ENCRYPTED.
  • Dept. of Health & Human Services requires a Business Associates Agreement for any cloud storage.

PCI-DSS Data (Credit Card Numbers, CVV2 Codes, Expiration Dates)
  • Red STOP light: PROHIBITED EVEN IF ENCRYPTED.
  • All electronic storage of cardholder data is prohibited by La Salle's merchant agreements.

FERPA Data (Grades, Student Birth Dates and Other Personal Information, Disciplinary Records, Parents' Information, etc.)
  • Amber CAUTION light: Allowed ONLY IF ENCRYPTED.
  • Any file containing this data must be encrypted. Strong passwords are required and Multi-Factor Authentication (MFA) is recommended.

GDPR Data (Any Personal Information Pertaining to EU Residents; there are similar regulations for residents of Canada, the UK, Argentina, Australia, and other countries)
  • Amber CAUTION light: Allowed ONLY IF ENCRYPTED.
  • Any file containing this data must be encrypted. Strong passwords are required and MFA is recommended.

GLBA Data (Federal Student Aid Awards, Students' and Parents' Tax Returns and Other Financial Information, SSNs, etc.)
  • Amber CAUTION light: Allowed ONLY IF ENCRYPTED.
  • Any file containing this data must be encrypted. Strong passwords are required and MFA is recommended.

PA-BPINA Data (SSNs, Drivers' License Numbers, Bank Account Numbers; PA-BPINA is Pennsylvania's Breach Notification Law, and all 50 states have similar laws covering their residents' data)
  • Amber CAUTION light: Allowed ONLY IF ENCRYPTED.
  • Any file containing this data must be encrypted. Strong passwords are required and MFA is recommended.

University Confidential Data (Sensitive financial, operational, and institutional information)
  • Amber CAUTION light: Allowed ONLY IF ENCRYPTED.
  • Any file containing this data must be encrypted. Strong passwords are required and MFA is recommended.

Family Personal or Financial Data (Tax Returns, W2s, Medical or Insurance Information, Credit Card Information, SSNs, Birthdates, etc.)
  • Amber CAUTION light: NOT RECOMMENDED.
  • The University accepts no liability for individuals who store personal data in any University storage, including email and OneDrive.

I received an attachment that contained a line titled "SSN", but only the last four (4) digits were included.  Do I still need to permanently delete or encrypt the message?

Deleting or encrypting documents that contain SSNs, even if only the last four digits of the SSN are present, is the best practice. Any use of the SSN is considered Personally Identifiable Information (PII) and carries a risk of identity theft and fraud. There are several ways in which thieves can use a partial SSN and piece together enough additional information to determine the full SSN. Once that information is obtained, it can be used to access bank accounts, driving records, tax and employment histories, and other private information.
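The table and the partial-SSN question above describe a manual classification: look at what a file contains, then decide whether it must be deleted, encrypted, or may not be stored at all. The following is an added example, not part of the La Salle article, of how that decision can be automated for a first pass over a set of documents. It looks for three of the data types the table names (full SSNs, an "SSN" label followed by only four digits, and card numbers that pass the Luhn checksum) and maps each hit to the action wording used in the table. The regular expressions, the sample "files", and the category labels are constructed for this illustration; a campus DLP product would apply far richer rules.

```python
"""
Added example (not from the La Salle article): a small content scanner that
flags some of the data types named in the article's table and maps each to
the table's action. Patterns, sample texts and file names are constructed.
"""
import re

# Actions, worded as in the article's table
PROHIBITED = "PROHIBITED EVEN IF ENCRYPTED"
ENCRYPT = "Allowed ONLY IF ENCRYPTED"

# Full SSN in the usual 3-2-4 layout; excludes area 000, 666 and 900-999,
# group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# An "SSN" label followed (within 20 non-digit characters) by exactly four
# digits, e.g. "SSN: XXX-XX-1234" -- the partial-SSN case from the FAQ.
PARTIAL_SSN_RE = re.compile(r"\bSSN\b[^0-9]{0,20}\d{4}\b", re.IGNORECASE)

# 14-19 digits, optionally separated by spaces or hyphens. These are only
# candidates; the Luhn check below keeps order numbers from being flagged.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Map each sensitive data type found in text to the article's action."""
    findings = {}
    if SSN_RE.search(text):
        findings["SSN (GLBA / PA-BPINA)"] = ENCRYPT
    elif PARTIAL_SSN_RE.search(text):
        # The article treats even the last four digits as PII.
        findings["Partial SSN (last four digits)"] = ENCRYPT
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings["Credit card number (PCI-DSS)"] = PROHIBITED
            break
    return findings


def scan(documents: dict) -> dict:
    """Scan {name: text} and return {name: findings} for documents needing action."""
    return {name: f for name, text in documents.items() if (f := classify(text))}


# Constructed sample "files"; none of these values belong to a real person.
SAMPLE_DOCS = {
    "aid_award.txt": "Student SSN: 123-45-6789, Pell award $2,000",
    "ticket.txt": "Caller verified SSN last four: 6789",
    "donation.txt": "Gift paid by card 4111 1111 1111 1111 exp 12/26",
    "order.txt": "Bookstore order reference 1234 5678 9012 3456",
    "agenda.txt": "Meeting agenda for Tuesday",
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_DOCS).items():
        for kind, action in findings.items():
            print(f"{name}: {kind} -> {action}")
```

Running the block reports three of the five sample files: the award letter and the help-desk ticket must be encrypted (the ticket only because of the four-digit SSN fragment), and the donation record is prohibited outright because it holds a card number. The bookstore order contains a 16-digit number that fails the Luhn check and is left alone, which is the main reason to validate card candidates rather than match on digit count alone. Data classes such as HIPAA records or University Confidential information have no fixed format, so they still require the human judgement the table asks for.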


Details

Article ID: 134307
Created: Mon 9/13/21 4:21 PM
Modified: Fri 3/1/24 10:25 AM
