Personally identifiable information (PII) doesn’t belong in your email
Have you ever sent or received information about yourself or someone else via email? If so, it’s possible you’ve handled personally identifiable information (PII), a type of restricted data that requires a high level of information security — data that shouldn’t be in your inbox.
PII includes but is not limited to such stand-alone elements as a full Social Security Number or passport number. It also includes a full name in combination with such elements as date of birth or ethnic affiliation. (Access the infobox below for more examples of personal identifiers.)
The Department of Homeland Security (DHS) defines PII more broadly — “any information that permits the identity of an individual to be directly or indirectly inferred, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.”
The definition and identifiers are part of the U’s Data Classification and Encryption Rule, which provides guidance on how university organizations and users should handle PII and other restricted data to comply with myriad legal and regulatory standards.
“It's 2022. We need to ensure that we're not sending confidential information through email. There are better ways,” Long said.
Email, he said, is an inherently insecure mechanism to transmit and receive restricted and sensitive data, including PII. The ISO is particularly concerned about online forms and web apps that collect PII and other confidential information through user submissions, and send that data by email. This method is called being “sent in the clear” or “clear text.” In other words, anyone between the online form or web app server and the receiving inbox can read the message. When this happens, there are no protections around the data as it crosses the internet.
Long said alternatives exist that align with university policies and regulations.
Some services, such as UBox and the PeopleSoft admin tool for Human Resources, already have controls in place, he said. When data is available for review, rather than sending the restricted data insecurely by email, the service sends users a notification or message with a link to the file or platform, where they must log in to access the information.
“That’s the standard now, and it is supported by the growing body of privacy regulation. Organizations are updating their processes to make sure that confidential information is not sent through email,” he said. “Instead, you log in to a portal where there's multifactor authentication like Duo 2FA, logging, and other controls, and then you view the confidential information through an encrypted session.”
The ISO encourages those still using outdated tools or business processes to handle PII to make updates to comply with university policy. Such policies and state and federal regulations, Long said, exist to better protect the data of the university and its students, faculty, staff, and patients, as well as the privacy of its guests.
“We need to be willing to change as regulations and laws are updated and criminals change their tactics,” he said.
Anyone with questions about the U’s Data Classification and Encryption Rule or handling personally identifiable information (PII) can contact the GRC team at firstname.lastname@example.org for assistance.
According to the U’s Data Classification and Encryption Rule, personally identifiable information (PII) includes but is not limited to:
- Any of the following stand-alone elements:
- Full Social Security Number (SSN)
- Driver license or state ID number
- Passport number
- Visa number
- Alien Registration Number
- Fingerprints or other biometric identifiers
- Full name in combination with:
- Mother's maiden name
- Date of birth
- Last four digits of an SSN
- Citizenship or immigration status
- Ethnic or religious affiliation
Need to send an encrypted message? Access this IT Knowledge Base article for instructions.
Please note: Although PII can be encrypted in UMail and the U’s instance of Gmail, Long said the ISO does not recommend it as a best practice since there are better, more secure methods of handling restricted and sensitive data.
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.