When You Should Encrypt Your Email
This article explains when you should encrypt your emails and how to do it.
IMPORTANT: This article refers to Confidential information (“CI”), Personal data (“PD”), and High-risk confidential information (“HRI”). For the most up-to-date definitions of these terms, see the Data Privacy Policy listed under Policies and Regulations.
- 1 Do You Need to Encrypt Your Emails?
- 1.1 Know the categories of information
- 1.2 Are you sending email internally or externally?
- 1.3 Scenarios
- 1.3.1 I’m sending email to an external email address that includes protected data†
- 1.3.2 I’m sending email to an external email address that does not include protected data†
- 1.3.3 I’m sending email to an internal email address that includes protected data†
- 1.3.4 A third party wants to send me an email that includes protected data†
Do You Need to Encrypt Your Emails?
1. Know the categories of information
Confidential information (“CI”) is the most comprehensive category and covers all non-public information about Seattle University and its stakeholders, including employees, students, and donors. If something is not public information, it is considered confidential by default.
Examples include:
- budgets
- prospective student information
- contracts with third parties
- business plans
Personal data (“PD”) is a subset of confidential information that is information about people. Examples include:
- educational records
- health and medical information
- credit card numbers
- employment records
High-risk confidential information (“HRI”) includes an individual’s name in conjunction with the individual’s (1) Social Security, credit or debit card, individual financial account, driver's license, state ID, or passport number, (2) human subject information or personally identifiable medical information, or (3) biometric information.
Personally identifiable information (“PII”) is any data that could potentially identify a specific individual. According to NIST, PII can be divided into two categories: linked and linkable information.
Linked information is more direct. It is any personal detail that can be used on its own to identify an individual, for instance:
- Full name
- Home address
- Email address
- Social security number
- Passport number
- Driver’s license number
- Credit card numbers
- Date of birth
- Telephone number
- Owned properties, e.g. vehicle identification number (VIN)
- Login details
- Student ID number
- Processor or device serial number*
- Media access control (MAC) address*
- Internet Protocol (IP) address*
- Device IDs*
- Cookies*
Linkable information is indirect and on its own may not be able to identify a person, but when combined with another piece of information could identify, trace or locate a person.
Here are some examples of linkable information:
- First or last name (if common)
- Country, state, city, zip code
- Gender
- Race
- Non-specific age (e.g. 30-40 instead of 30)
- Job position and workplace
NIST states that linked information can be “Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people”. That means cookies and device IDs (the items marked * above) fall under the definition of PII.
2. Are you sending email internally or externally?
IMPORTANT: Not all contacts listed in the Global Address List are internal contacts. You must verify the email address of the recipient before sending the message if you are including any protected data† in your message.
Scenarios
I’m sending email to an external email address that includes protected data†
If you are sending an email to an external recipient†† that contains Confidential information (“CI”), Personal data (“PD”), High-risk confidential information (“HRI”) or Personally identifiable information (“PII”), you are required to encrypt your message.
I’m sending email to an external email address that does not include protected data†
If you are sending an email to an external recipient†† that does not contain Confidential information (“CI”), Personal data (“PD”), High-risk confidential information (“HRI”) or Personally identifiable information (“PII”), you are not required to encrypt your message.
I’m sending email to an internal email address that includes protected data†
If you are sending an email to an internal recipient that contains Confidential information (“CI”), Personal data (“PD”), High-risk confidential information (“HRI”) or Personally identifiable information (“PII”), you are not required to encrypt your message.
A third party wants to send me an email that includes protected data†
If a third party wants to send you an email that contains Confidential information (“CI”), Personal data (“PD”), High-risk confidential information (“HRI”) or Personally identifiable information (“PII”), ask them to encrypt their message.
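The scenarios above reduce to one rule: encrypt when the message carries protected data† and at least one recipient is external††. The helper below is an added example, not part of the ITS article or any Seattle University tool; it applies that rule and, because Global Address List entries can hide external addresses, it classifies recipients by the actual address domain (parsing display-name forms and rejecting look-alike domains such as `seattleu.edu.example.com`). It assumes that only the exact domain `seattleu.edu` counts as internal, so any subdomain is treated as external, which errs toward encrypting.

```python
from email.utils import parseaddr

# Internal domain as defined in footnote ††; exact-match only (assumption:
# subdomains are treated as external, the conservative choice).
INTERNAL_DOMAIN = "seattleu.edu"

# The protected-data categories named in the article (footnote †).
PROTECTED = {"CI", "PD", "HRI", "PII"}


def recipient_domain(address: str) -> str:
    """Return the lowercase domain of a recipient, accepting both bare
    addresses and display-name forms like 'Bob <bob@seattleu.edu>'."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        raise ValueError(f"not an email address: {address!r}")
    return addr.rsplit("@", 1)[1].lower()


def is_external(address: str) -> bool:
    """External = the domain is not exactly seattleu.edu. Comparing the whole
    domain rather than searching for a substring means a look-alike such as
    'alice@seattleu.edu.example.com' is correctly classified as external."""
    return recipient_domain(address) != INTERNAL_DOMAIN


def encryption_required(recipients, categories) -> bool:
    """True when the message contains any protected category AND any
    recipient is external; internal-only or non-protected mail needs none."""
    has_protected = bool(PROTECTED & {c.upper() for c in categories})
    return has_protected and any(is_external(r) for r in recipients)


def external_recipients(recipients) -> list:
    """List the recipients that trigger the rule, for a pre-send check."""
    return [r for r in recipients if is_external(r)]


if __name__ == "__main__":
    # Constructed sample: one GAL-style display-name entry that is really external.
    to = ["Alice <alice@seattleu.edu>", "Bob Vendor <bob@seattleu.edu.example.com>"]
    print("external:", external_recipients(to))
    print("encrypt required:", encryption_required(to, ["PD"]))
```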
Related articles
- Securing Your Windows Data: A Step-by-Step Guide to Enable BitLocker (ITS External Knowledge Base)
- Enhanced macOS Data Security: Enabling FileVault 2 Step-by-Step Guide (ITS External Knowledge Base)
- How to Send an Encrypted Email (ITS External Knowledge Base) — This article explains how to encrypt a message using Outlook or Outlook.com
- When You Should Encrypt Your Email (ITS External Knowledge Base) — This article explains when you should encrypt your emails and how to do it.
- Document Encryption (ITS External Knowledge Base)
- Encryption Check - Windows (ITS External Knowledge Base)
- Encryption Check - Mac (ITS External Knowledge Base)
† Protected data is any data that contains Confidential information (“CI”), Personal data (“PD”), High-risk confidential information (“HRI”) or Personally identifiable information (“PII”).
†† An external recipient is any recipient who does not have a seattleu.edu email address, e.g. @yahoo.com, @gmail.com, etc.