Sensitive Data Storage and Transmission in Microsoft 365 Applications

About Sensitive Data

Microsoft 365 applications, including Outlook Email and OneDrive accounts, do not provide adequate security for unencrypted files containing Social Security Numbers, credit card numbers, drivers' license numbers, bank account numbers, HIPAA information, or other sensitive data.

As a community, we must take steps to minimize the risk that the University's sensitive or confidential information could be compromised.

What are the risks when sensitive information is compromised?

A breach of personal information could lead to:

  • Financial costs, including fines and other penalties
  • Damage to the University's reputation
  • Legal or regulatory compliance action
  • Risks to the safety of community members

Data Types

The following lists illustrate the common types of sensitive information a member of the La Salle community may encounter or use during the normal course of business. They also explain which information is prohibited and may never be saved, and which information can be saved but must be encrypted.

Allowed ONLY IF ENCRYPTED

Any file containing this data must be encrypted.  Strong passwords are required and MFA is recommended.

  • FERPA Data: Grades, Student Birth Dates and Other Personal Information, Disciplinary Records, Parents' Information, etc.
  • GDPR Data: Any Personal Information Pertaining to EU Residents. (There are similar regulations for residents of Canada, the UK, Argentina, Australia, and other countries.)
  • GLBA Data: Federal Student Aid Awards, Students' and Parents' Tax Returns and Other Financial Information, SSNs, etc.
  • PA-BPINA Data: SSNs, Drivers' License Numbers, Bank Account Numbers. (PA-BPINA is Pennsylvania's Breach Notification Law. All 50 states have similar laws covering their residents' data.)
  • University Confidential Data: Sensitive financial, operational, and institutional information.

PROHIBITED EVEN IF ENCRYPTED

  • HIPAA Data: Medical and Treatment Records
    Dept. of Health & Human Services requires a Business Associates Agreement for any cloud storage.

  • PCI-DSS Data: Credit Card Numbers, CVV2 Codes, Expiration Dates
    All electronic storage of cardholder data is prohibited by La Salle's merchant agreements.

NOT RECOMMENDED

The University accepts no liability for individuals who store personal data in any University storage, including email and OneDrive.

  • Family Personal or Financial Data: Tax Returns, W2s, Medical or Insurance Information, Credit Card Information, SSNs, Birthdates, etc.

 

Table of data types and locations

| Application        | FERPA              | GDPR               | GLBA               | PA-BPINA           | HIPAA | PCI-DSS | University Confidential Data | Personal Data |
|--------------------|--------------------|--------------------|--------------------|--------------------|-------|---------|------------------------------|---------------|
| Copilot (Bing Chat) | No                 | No                 | No                 | No                 | No    | No      | No                           | No            |
| OneDrive           | Yes (if encrypted) | Yes (if encrypted) | Yes (if encrypted) | Yes (if encrypted) | No    | No      | Yes (if encrypted)           | No            |
| Outlook Email      | Yes (if encrypted) | Yes (if encrypted) | Yes (if encrypted) | Yes (if encrypted) | No    | No      | Yes (if encrypted)           | No            |
| Teams              | Yes (if encrypted) | Yes (if encrypted) | Yes (if encrypted) | Yes (if encrypted) | No    | No      | Yes (if encrypted)           | No            |
| SharePoint         | Yes (if encrypted) | Yes (if encrypted) | Yes (if encrypted) | Yes (if encrypted) | No    | No      | Yes (if encrypted)           | No            |

What should all members of the La Salle community do to help prevent a compromise of sensitive data?

With regard to your Outlook/email account, every member of the community should follow these three (3) rules:

  • If you do not need to retain the email, delete the email from your Inbox, Sent Mail folder, and from any email folders where you may have copied the message.  Remember to also delete it from your Deleted Items folder.
  • If you must retain a copy of the email, forward a copy of the email to yourself after deleting the sensitive data. After forwarding the redacted email, delete the original from your Sent Mail, Deleted Items, and any other email folders.
  • If you need to send confidential data in an email, place the sensitive content in a Word document or Excel spreadsheet, encrypt the file with a strong password, and send the file as an email attachment. To maintain confidentiality, call the recipient or provide the password in person. Do not send the password in an email.

With regard to your OneDrive account, every member of the community should follow these three (3) rules:

  • If you do not need to retain a file, delete it.
  • If you want to retain the file but do not need its sensitive content, delete or redact/black-out the sensitive data, and save the file.
  • If you need to retain the file with its sensitive content, encrypt the file with a strong password.

I received an attachment that contained a line titled "SSN", but only the last four (4) digits were included.  Do I still need to permanently delete or encrypt the message?

Deleting or encrypting documents that contain SSNs, even if it is only the last four digits of the SSN, is the best practice. Any use of the SSN is considered Personally Identifiable Information (PII) and carries a risk of identity theft and fraud. There are several ways in which thieves can use a partial SSN and piece together enough additional information to determine the full SSN. Once that information is obtained, it can be used to access bank accounts, driving records, tax and employment histories, and other private information.
