The LETU Data Classification Policy (Policy 6.2 in the LETU Policy Handbook) details the need to keep Confidential and Sensitive Information (CSI) protected. Specifically, Restricted and Confidential data (as defined by the policy) should be encrypted. Email is a convenient way to move messages back and forth. However, email is also the digital medium that is most vulnerable and at greatest risk for compromise. The approved way to send and receive CSI is to use dedicated TLS-based web systems or APIs designed by vendors and partners for purposes of securely collecting and storing such information.
Using email is not generally an authorized way of handling secured data and is specifically prohibited unless any applicable compliance regulations allow it, the instructions below are followed, no more appropriate option is available and all use is consistent with guidance in LETU Policy 6.2: Data Classification. If you are not certain that using encrypted email to transmit restricted or confidential data is approved per any and all applicable regulations you should not use it and should instead consult a University-approved expert on handling that data type for further counsel.
For purpose of LETU compliance with Policy 6.2: Data Classification, you should only use encrypted email to send confidential information under the following circumstances:
Overview: A message that is encrypted by Microsoft 365 Message Encryption is delivered to a recipient’s inbox just like any other email message. If the recipient has Outlook 2013 or 2016 and a Microsoft 365 email account, they'll see an alert about the item's restricted permissions in the Reading pane. After opening the message, the recipient can view the message just like any other.
Messages that have the encrypt-only policy applied can be read directly in Outlook on the web, in Outlook for iOS and Android, and now Outlook for PC versions 2019 and Microsoft 365. Other customers will see a message with a link. That link will take Microsoft 365 users to Outlook on the web to read the message. Users with other email accounts will be prompted to obtain a one-time passcode and read the message in a browser window.
If the recipient is using another email client or email account, such as Gmail or Yahoo, they'll see a link that lets them either sign in to read the email message or request a one-time passcode to view the message in a web browser.
Note: LETU may define rules to automatically encrypt messages that meet certain criteria. Any LETU-wide encryption rules will be applied automatically. The below discusses how you can choose to encrypt an individual message.
If you want to encrypt a message, you can apply a variety of different encryption rules before you send the message. To send an encrypted message from Outlook 2013 or 2016, or Outlook 2016 for Mac, select Options > Encrypt (on some clients it will be Options > Permissions), then select the protection option you need. You can also send an encrypted message by selecting the Protect button in Outlook on the web
As you can see above - while these options encrypt the message - in order to be read the message must ultimately be decrypted and displayed for reading by your recipient. At that point the security of the message and the data in the message and any attachments is fully dependent on the actions of the recipient.
In addition, if the recipient's remote mail account itself is compromised, whoever has access to the compromised remote email account will have access to authenticate with their email account information to decrypt this email.
As a result, native email encryption should only be treated as securing the message while it is in transit. It is very important to be confident in the security of the remote recipient's email account when sending.
In particular: If a message is misaddressed (ie to JaneSmit@gmail.com instead of JaneSmith@gmail.com, whoever owns JaneSmit@gmail.com will not only receive the encrypted message notice, but be allowed to use their email credentials to decrypt it.
To guard against this risk, always double check the recipient address - and where the information is extremely sensitive, you should include it in an encrypted word Document, Excel Spreadsheet, or PDF with a long password and transmit that password separately (ie via phone call) to the recipient. In this way, no one but the individual possessing the password for the encrypted attachment will be able to read the content).
You can read messages encrypted with the encrypt-only or do-not-forward policies in Outlook 2013 and Outlook 2016 for PC, Outlook 2016 for Mac, Outlook on the web, Outlook for iOS, and Outlook for Android.
Users with other email accounts will be prompted to obtain a one-time passcode and read the message in a browser window.
To reply to an encrypted message
Choose Reply or Reply All.
On the page that appears, type a reply and choose Send. An encrypted copy of your reply message is sent to you.
If you're not using Outlook with Microsoft 365, your encrypted message will contain a link in the message body.
Select Read the message.
Select how you'd like to sign in to read the message. If your email provider is Google, Yahoo, or Microsoft, you can select Sign in with Google, Yahoo, or Microsoft respectively. Otherwise, select sign in with a one-time passcode.
Once you receive the passcode in an email message, make a note of the passcode, then return to the web page where you requested the passcode and enter the passcode, and select CONTINUE.
Tip: Each passcode expires after 15 minutes. If that happens, or if you can’t open the message for any reason, start over by opening the attachment again and following the steps.