Data and Email Encryption
November 13, 2013
Starting in mid-November, Drexel will begin automatically encrypting email that contains certain sensitive data. Senders will be told when the system automatically encrypts one of their outgoing messages so that we can highlight the kinds of data transmitted.
The definition of what is "sensitive" will change over time as the system is continually reconfigured to protect data as required by law or by good common sense. Initially, the system will take notice of credit card and social security numbers. Later, the system will begin scanning for additional financial data and health records so that emails containing such information can also be encrypted.
Emails containing sensitive data should be encrypted when sent to an address outside of "@drexel.edu."
Drexel already offers encryption to protect sensitive email and attachments being sent off-campus. To encrypt a message, just add "[encrypt]" to the subject line when you compose a message. As an alternative, install the Sophos Encryption Add-in for Outlook from IRT's Secure Software Server (sign in required), and then click the "Encrypt" button when you want to send a message securely.
When someone receives an encrypted message for the first time, they'll be invited to set up an encryption account and password. After that, secure messages are delivered as password-protected PDF files. The PDF has a "Reply" button that encrypts replies; a reply sent with the Outlook "Reply" button is not encrypted, but it also doesn't include the sensitive data.