Below is a list of the most common “potholes” of email information security. Most policy violations have been of these types.
- Replying to or forwarding an email is considered “sending” an email. If you reply to or forward an email that contained protected data, you are in effect emailing protected data, which is a violation of College policy and, potentially, Massachusetts laws.
- Forwarding an email with an attachment that contains protected data is, in effect, emailing protected data, which is a violation of College policy and, potentially, Massachusetts laws. Always review attachments. If an attachment contains protected data, contact the College’s Information Security Officer for guidance on how best to proceed.
- Understand that certain forms commonly contain protected data. For example, tax, invoice, CORI, FAFSA and other forms often contain protected data. Emailing such a form with protected data is against College policy and, potentially, Massachusetts laws.
- Asking someone to email you protected data, or forms that contain protected data, is against College policy and may also be against Massachusetts laws.
- If an outside organization or agency requires you to email them something protected, that does not grant you permission to do so. It is still a violation of College policy and the law. Contact the College’s Information Security Officer for guidance on how best to proceed.

If you routinely receive unsolicited protected data via email, here are some suggestions to help minimize the likelihood that you make a mistake and send protected data via email:
- Do not forward anything that you have not thoroughly read, including attachments.
- Instead of replying to an email, consider copying and pasting the person’s email address into a new message and typing your response. That way, if protected data existed in the original message, in the subject of the original message, or in an attachment, you minimize the likelihood that you will, in turn, re-send that information.
- The College tags inbound messages that may contain protected data with [SSN] and [CCN] in the subject line to indicate a possible social security number or credit card number, respectively. Consider creating a label and filter to color these messages a bright and noticeable color to remind you to take care in handling them. Instructions on how to set up filters and labels are available on the Google support site. Don’t hesitate to call the ITS help desk for assistance at 508-793-3548.
- Consider scheduling a meeting with the College’s Information Security Officer to discuss your concerns and hear about potential technical options available to you. Most options have advantages and drawbacks, but they may suit your specific use of email. A second policy violation will automatically trigger this meeting, but you can schedule a meeting prior to that if you feel it may help.