When You Should Encrypt Your Email

This article explains when you should encrypt your emails and how to do it.

IMPORTANT: This article will make references to Confidential information (“CI”), Personal data (“PD”), or High-risk confidential information (“HRI”). For definitions of these terms see the Data Privacy Policy listed on https://www.seattleu.edu/policies/ for the most up to date definitions.

Do You Need to Encrypt Your Emails?

1. Know the categories of information

  • Confidential information (“CI”) is the most comprehensive category and covers all non-public information about Seattle University and its stakeholders, including employees, students, and donors. If something is not public information, it is considered confidential by default.
    Examples include:

    • budgets

    • prospective student information

    • contracts with third parties

    • business plans

  • Personal data (“PD”) is the subset of confidential information that is about people. Examples include:

    • educational records

    • health and medical information

    • credit card numbers

    • employment records

  • High-risk confidential Information (“HRI”) includes an individual’s name in conjunction with the individual’s (1) Social Security, credit or debit card, individual financial account, driver's license, state ID, or passport number, (2) human subject information or personally identifiable medical information, or (3) biometric information.

  • Personally identifiable information (“PII”) is any data that could potentially identify a specific individual. According to NIST, PII can be divided into two categories: linked and linkable information.


Linked information is more direct. It could include any personal detail that can be used to identify an individual, for instance:

  • Full name

  • Home address

  • Email address

  • Social security number

  • Passport number

  • Driver’s license number

  • Credit card numbers

  • Date of birth

  • Telephone number

  • Owned properties e.g. vehicle identification number (VIN) 

  • Login details

  • Student ID number

  • Processor or device serial number* 

  • Media access control (MAC)*

  • Internet Protocol (IP) address*

  • Device IDs*  

  • Cookies*

Linkable information is indirect and on its own may not be able to identify a person, but when combined with another piece of information could identify, trace or locate a person. 

Here are some examples of linkable information:

  • First or last name (if common)

  • Country, state, city, zip code

  • Gender

  • Race

  • Non-specific age (e.g. 30-40 instead of 30)

  • Job position and workplace

NIST SP 800-122 counts “Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people” as PII. That is why the items marked * above (processor or device serial numbers, MAC and IP addresses, device IDs, and cookies) are listed as linked information: a persistent identifier tied to one person’s device identifies that person.


2. Are you sending email internally or externally?

IMPORTANT: Not all contacts listed in the Global Address List are internal contacts. You must verify the email address of the recipient before sending the message if you are including any protected data in your message.


Scenarios

I’m sending email to an external email address that includes protected data†

If you are sending an email to an external recipient†† that contains protected data (CI, PD, HRI, or PII), you are required to encrypt your message.

I’m sending email to an external email address that does not include protected data†

If you are sending an email to an external recipient†† that does not contain protected data (CI, PD, HRI, or PII), you are not required to encrypt your message.

I’m sending email to an internal email address that includes protected data†

If you are sending an email to an internal recipient that contains protected data (CI, PD, HRI, or PII), you are not required to encrypt your message. You must still confirm that every address in the To, Cc, and Bcc lines is actually a seattleu.edu address before sending: a single external address makes the message an external message, and the first scenario applies.

I’m sending email to an internal email address that does not include protected data†

If you are sending an email to an internal recipient that does not contain protected data (CI, PD, HRI, or PII), you are not required to encrypt your message.

A third party wants to send me an email that includes protected data†

If a third party wants to send you an email that contains protected data (CI, PD, HRI, or PII), ask them to encrypt their message.
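The recipient check behind these scenarios is easy to get wrong by eye, because a Global Address List entry shows a display name rather than the address, and lookalike domains read as internal at a glance. The following is an added example (not Seattle University tooling) that parses a To/Cc header and applies the rule above. It assumes, per the definition of “external recipient” on this page, that only an address whose domain is exactly seattleu.edu is internal; the INTERNAL_DOMAIN constant and the sample addresses are constructed for illustration.

```python
"""Recipient check for the internal/external email rule.

Added example, not the university's own code. Assumption: an internal
recipient is an address whose domain is exactly seattleu.edu (the page's
definition of external is "any recipient who does not have a seattleu.edu
email address"). Subdomains, lookalike domains and display names are
treated as external; anything unparseable is treated as external too.
"""
from email.utils import getaddresses

INTERNAL_DOMAIN = "seattleu.edu"  # assumption taken from the page's definition


def recipient_domain(addr: str) -> str:
    """Return the lowercase domain of a bare address, or '' if it is malformed."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower().strip(".")


def is_internal(addr: str) -> bool:
    """True only on an exact, case-insensitive match of the internal domain.

    'bob@seattleu.edu.example.com' and 'bob@notseattleu.edu' both fail here,
    even though both contain the string 'seattleu.edu'.
    """
    return recipient_domain(addr) == INTERNAL_DOMAIN


def classify_recipients(header_value: str):
    """Split a To/Cc header into (internal, external, malformed) address lists.

    getaddresses() separates the display name from the address, so a contact
    labelled "Jane Doe, seattleu.edu" is judged by its real address, not by
    what the Global Address List shows.
    """
    internal, external, malformed = [], [], []
    for _display_name, addr in getaddresses([header_value]):
        if not recipient_domain(addr):
            malformed.append(addr)
        elif is_internal(addr):
            internal.append(addr)
        else:
            external.append(addr)
    return internal, external, malformed


def encryption_required(header_value: str, contains_protected_data: bool) -> bool:
    """Apply the page's rule: protected data to any external recipient => encrypt.

    A malformed address is treated as external so the check fails closed.
    """
    if not contains_protected_data:
        return False
    _internal, external, malformed = classify_recipients(header_value)
    return bool(external or malformed)


if __name__ == "__main__":
    # Constructed sample header: one genuine internal address and one external
    # address whose display name is dressed up to look internal.
    sample = '"Jane Doe, seattleu.edu" <jane@gmail.com>, Alice@SeattleU.EDU'
    print(classify_recipients(sample))
    print("encrypt:", encryption_required(sample, contains_protected_data=True))
```

The only decision the code makes that the page does not state outright is what to do with an address it cannot parse; treating it as external is the conservative choice, since the cost of encrypting an internal message is small and the cost of sending HRI in the clear is not.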



† Protected data is any data that contains Confidential information (“CI”), Personal data (“PD”), High-risk confidential information (“HRI”), or Personally identifiable information (“PII”).

†† An external recipient is any recipient who does not have a seattleu.edu email address, e.g. @yahoo.com, @gmail.com, etc.