Data Loss Prevention

Avoiding Sensitive Information Leaks
February 23, 2024
Figure A

We can probably all agree that nobody wants their personal information, such as Social Security Numbers, bank account numbers, and credit card numbers, to get into the wrong hands. Once an email leaves GUC, we have no control over where it is stored or forwarded, so sending that kind of data in plain email can leave you, other people, or GUC exposed to identity theft, fraud, and other criminal activity.

IT’s Cybersecurity Team is addressing the risk with a Data Loss Prevention (DLP) policy for Microsoft Outlook. A DLP policy is a set of conditions (similar to Outlook rules) that automatically detects sensitive data in a message as it is sent and takes an action, such as encrypting the message, to prevent that data from being shared inappropriately.

Last fall, IT staff ran the DLP policy in a report-only test mode (it logged matches in the background but took no action) to see how often this kind of sharing happens. Between October and January, employees sent 26 emails containing sensitive items to email addresses outside of GUC, an average of about two per week. After reviewing this information, the team recommended enforcing the DLP policy so that it detects and encrypts sensitive data in outgoing GUC emails. Our Cybersecurity Task Force (made up of employees from across GUC) agreed with the recommendation, and the General Manager’s Office approved implementing the policy. Starting March 1st, all outgoing emails containing sensitive data will be automatically encrypted.

What to Expect after March 1st
If your email contains sensitive information such as Social Security Numbers, bank account numbers, driver license numbers, etc., and it is addressed to anyone outside of GUC, the message will automatically be encrypted for those outside recipients (refer to Figure A). The encryption is applied after you click Send, and it applies to that message only, not to the entire email thread. Later replies and forwards in that thread will remain unencrypted unless they also contain sensitive items (refer to Figure C). Remember, this applies only to email sent from GUC to external email addresses, not to email sent to people inside of GUC, regardless of whether they are on site or working remotely.

How Does This Affect Me? 
If you send an email that gets encrypted by the DLP policy, you’ll receive an encryption notice specifying which items were detected and encrypted (refer to Figure B). It is also a good idea to let the recipient know to expect an encrypted email, especially if they have never received one: an encrypted message looks different from normal mail and may ask the reader to open it through a link, which is exactly what a phishing email does, so a heads-up keeps them from deleting it or reporting it as phishing.

DLP uses deep content analysis to detect sensitive information, but there may be times when the detection technology flags content incorrectly. A false detection is usually caused by ordinary data that has the same shape as a sensitive item, such as a nine-digit product or order number that looks like a bank account number. If your email was encrypted but did NOT contain any sensitive information, please follow the instructions in the Encryption Notice to let the IT Help Desk know, so the detection settings can be tuned if needed.
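To make the behaviour described above concrete (a policy that matches sensitive items, acts only when a recipient is outside GUC, and can be run in report-only test mode or enforced), here is a small DLP-style evaluator. It is an added illustration, not GUC's policy or Microsoft's code: the mail domain guc.example, the sample messages, and the function names are constructed for the example. It also shows why look-alike numbers get flagged, and how validators (the SSA issuance rules, the Luhn check digit for cards, the ABA routing-number checksum) keep a random nine-digit code from being reported as a bank number.

```python
"""Miniature DLP evaluator. Added example, not GUC's or Microsoft's code.
The domain, sample messages and validators below are constructed for
illustration of how a DLP rule matches, validates and acts."""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "guc.example"  # assumption: GUC's own mail domain

# Patterns are deliberately broad, the way a DLP sensitive-info type starts;
# the validators below are what stop them from firing on look-alike numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")           # candidate bank routing number


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999 are never issued,
    and neither are group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing transit number checksum (weights 3, 7, 1 repeated)."""
    d = [int(c) for c in digits]
    weighted = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return weighted % 10 == 0


def find_sensitive_items(text: str) -> list[tuple[str, str]]:
    """Return (type, matched_text) pairs that pass both the pattern and its validator."""
    items = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            items.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            items.append(("credit_card", m.group(0)))
    for m in NINE_DIGITS_RE.finditer(text):
        if aba_ok(m.group(0)):
            items.append(("bank_routing", m.group(0)))
    return items


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str


def external_recipients(msg: Message) -> list[str]:
    """Recipients whose address is not on GUC's domain, wherever they physically are."""
    return [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def evaluate(msg: Message, mode: str = "enforce") -> dict:
    """mode='test' mirrors the report-only run: record matches, take no action.
    mode='enforce' returns the action the rule would apply on Send."""
    items = find_sensitive_items(msg.body)
    ext = external_recipients(msg)
    if not items or not ext:
        action = "deliver"      # nothing sensitive, or internal-only mail
    elif mode == "test":
        action = "audit"        # counted for the report, sent unchanged
    else:
        action = "encrypt"      # what the March 1st policy does
    return {"action": action, "items": items, "external": ext}


if __name__ == "__main__":
    # Constructed sample messages (not real data).
    samples = [
        Message("a@guc.example", ["b@guc.example"], "Her SSN is 123-45-6789."),
        Message("a@guc.example", ["x@bank.example"], "Her SSN is 123-45-6789."),
        Message("a@guc.example", ["x@vendor.example"], "License code 123456789, ref 000-12-3456"),
        Message("a@guc.example", ["x@bank.example"], "Routing 021000021, card 4111 1111 1111 1111"),
    ]
    for m in samples:
        print(m.recipients, evaluate(m, mode="test")["action"], evaluate(m)["action"])
```

The third sample is the false-positive case from the text: "123456789" has the shape of a routing number but fails the checksum, and "000-12-3456" is not an issuable SSN, so nothing is flagged and the mail is delivered. Real DLP sensitive-information types work the same way, combining a pattern with a checksum or supporting keywords and a confidence level; when the Help Desk "tweaks the settings", it is that validation and confidence threshold that gets adjusted, not the encryption itself.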

Figure B

Figure C