Fredonia Mail Data Loss Prevention Policy for Credit Card Numbers (CCN) and Social Security Numbers (SSN)

Rev. 8.16.19

Purpose

The State University of New York at Fredonia is required by SUNY, New York State and Federal regulations to implement practices to limit the unintended exposure or unauthorized access to Social Security Numbers (SSNs) and Credit Card Numbers (CCNs). SSNs and CCNs are strictly prohibited from being transmitted (sending or receiving) via email. Therefore, the Fredonia Mail Data Loss Prevention (DLP) Policy for Credit Card Numbers (CCNs) and Social Security Numbers (SSN) is intended to actively filter and block fredonia.edu email accounts from sending and receiving this regulated data.  The Fredonia Mail DLP Policy will utilize an advanced algorithm and internationally accepted key phrases to effectively filter and then bounce emails that contain this data.

Scope
All inbound and outbound e-mails for fredonia.edu accounts.

NOTE: This also includes email within fredonia.edu domain.

Fredonia Mail Data Loss Prevention (DLP) Policy

• The Fredonia Mail DLP uses algorithms to distinguish between valid credit card numbers or valid social security numbers and other numeric strings of the same length and/or format. Detected numbers may not be actual numbers of either type.

• Filters based on the presence of any valid credit card number, or social security number and any known key phrases. This means that email accounts will be prevented from sending or receiving e-mails with a credit card or social security number and an associated keyword anywhere in the body, subject or attachment. If you are the sender, then you will receive a Message Quarantine Notification (bounce message.) If someone from outside of Fredonia sends to a fredonia.edu email account such a message, they will also receive the Message Quarantine Notification.

• Encrypted attachments cannot be scanned.  Therefore contents of encrypted attachments will not trigger this policy.

• The quarantine (bounce) notification will contain a copy of the original email. 

NOTE: If you have a valid business need to send this type of data via fredonia.edu email then please contact the Information Security Office at 716-673-4725 for an approved solution.

SAMPLE Message Quarantine Notification:

Compliance

• Payment Card Industry Data Security Standards (PCI-DSS)

• SUNY Information Security Policy #6900

• SUNY Information Security Guidelines: Campus Programs & Preserving Confidentiality #6608

• New York State Information Technology Policy: Information Security NYS-P03-002

• NIST Special Publication 800-171

• Fredonia Information Management and Cyber Security Policy

Related articles