What is Data Loss Prevention (DLP)?

DLP enables an organization to reduce the risk of unintentional disclosure of sensitive data by identifying, monitoring and protecting confidential data while in use, in motion and at rest.
 

Why am I receiving a DLP Email notification?

Emails containing high risk data, such as Protected Health Information, Social Security numbers, and credit card numbers, being sent insecurely to an external mail recipient (this includes UIC Gmail) will be automatically notified of the data classification. 

With a DLP policy, UIC can reduce risk by:

  • Identifying sensitive information across many locations, such as Exchange Online, OneDrive for Business, and Microsoft Teams.

    For example, UIC can identify any document containing a social security number in OneDrive for Business.

  • Preventing the accidental sharing of sensitive information.

    For example, UIC can identify any document or email containing a health record that's shared with people outside of UIC and then automatically block the email from being sent. Note: UIC policies are configured to NOT block any email at this time.

  • Monitoring and protecting sensitive information in the desktop versions of Excel, PowerPoint, and Word.

    Just like in Exchange Online and OneDrive for Business, these Office desktop programs include the same capabilities to identify sensitive information and apply DLP policies. DLP provides continuous monitoring when people share content in these Office programs.

  • Helping users learn how to stay compliant without interrupting their workflow.

    For example, if a UIC employee tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a tip in the context of the document library that allows them to override the policy if they have a business justification. The same policy tips also appear in Outlook on the web, Outlook, Excel, PowerPoint, and Word.

What is considered sensitive data?

Sensitive data includes protected health information (PHI) and personally identifiable information (PII) such as an individual's medical record, address, gender, social security number, credit card numbers, date-of-birth or any other identifiable health information.

Why does UIC need DLP?

HIPAA/HITECH regulations require UIC to identify confidential data within our information systems and minimize security and privacy risks associated with the use of that data. People have the expectation that we will only use their personal information as required to deliver quality services and will guard that information against inappropriate access, use, and disclosure. 

UIC is implementing Microsoft's Office 365 DLP solution that will identify sensitive data in our Office 365 organization and how it is being used. 

All Exchange Online email traffic will be automatically analyzed by Microsoft's DLP solution. DLP scans outgoing mail to ensure that sensitive information such as social security numbers or HIPAA-covered information is not being sent insecurely. When a match is found in an email, the sender will be notified via email about the sensitive information being sent or an automatic tool tip will appear within the Office application notifying the user of the possible policy violation before the message is sent.

If I have a question or concern about the Data Loss Prevention (DLP) program who do I contact?

For assistance with DLP issues, please visit help.uillinois.edu.