Overview
The Microsoft Data Loss Prevention (DLP) campus email scanning tool goes into effect on October 28, 2021.
DLP is one of the many cybersecurity solutions that work to detect and reduce the accidental release of University Level 1 and Level 2 data outside of our campus network. Furthermore, DLP helps prevent data exposures and breaches while minimizing instances of non-compliance with the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI) requirements.
Examples of sensitive data matches include, but are not limited to:
- HIPAA Data
- Level 1 Data:
  - Credit Card Number (CC)
  - U.S. Bank Account Number
  - U.S. Driver's License Number (DL)
  - U.S. Social Security Number (SSN)
  - U.S. / U.K. Passport Number
Some of the benefits of DLP include:
- Ensures that data is managed in a uniform manner across the University.
- Warns users about disclosing Level 1 and Level 2 data outside the University.
- Monitors the usage of and secures data according to the Information Classification Standard.
Note: DLP was originally announced in a CSULB CIO message titled Preventing Accidental Exposure of Sensitive Information via campus email on 10/30/19, but was postponed.
Scope
The Data Loss Prevention (DLP) feature applies to faculty, staff, and students.
The automatic scan tool will display a warning message ("Policy Tip") on the following programs:
- Microsoft Outlook desktop client for both Windows and Mac computers
- Outlook on the web / Office 365 (mail.csulb.edu)
The Policy Tip does not display on the following programs, but users will receive the automatic warning email from Microsoft:
- Microsoft Outlook app for iPhone and Android phones/devices (downloadable from Apple and Google Play Stores)
- MacMail connected to campus email
The automatic scan tool does not work with Apple/Mac or Google native email clients.
Example - Outlook on a desktop
This is the message that will show up when an email that Microsoft deems to contain sensitive information (SSN, CC or Passport info) is sent to an external recipient. This information can be in the body of the message or in an attachment. The Policy Tip states: "This item conflicts with a policy in your organization. To send this message without removing the information, you must first click override."

This is the message that will show up when you click on the "override" link in the Policy Tip, which states: "You've chosen to send this message even though it appears to contain sensitive information. Your decision might be reviewed later by your organization."

Note: DLP will work on the Outlook desktop client for Windows and Mac as long as the user has the policy tip notifications enabled (which is the default). The message can be sent without clicking the override link.
Example - Outlook on the web / O365
This is the message that will show up when an email that Microsoft deems to contain sensitive information (SSN, credit card, or Passport info) is being sent to an external recipient. This sensitive information can be in the body of the message or in an attachment. Note: There is no override option in Outlook on the web, and Outlook on the web has additional viewing options the desktop client does not. The Policy Tip states, "Your email message conflicts with a policy in your organization. Show details."

If the user clicks on the "Show details" link, the following Policy Tip is shown, which states, "Your email message conflicts with a policy in your organization." It will then display the name of the external recipient along with, "This recipient isn't authorized to receive this type of information" with the option to remove the recipient. It further includes "view details about the information that appears sensitive" and a link to learn more.

If a user clicks on the "Learn more" link, the following will display, which will state a relevant message such as the example, "This message appears to contain the following sensitive information: U.S. Social Security Number (SSN). If you don't think this information is sensitive, please click Report."

If the user chooses to send the email anyway (ignoring the warnings), he/she will receive a message like the following, which states:
The content of your email message is protected by our CSULB Information Security Policy and Standards and contains the following issues:
- Message is sent to people outside your organization.
- Message contains the following sensitive information: U.S. Social Security Number (SSN)
- Following Senders violate organizational policy: 'Jared.Kennedy@csulb.edu'.
Refer to the following websites for additional resources:

Example - Outlook Mobile App
The Policy Tip does not display, but if the user sends an email that fits the sensitive information criteria, they will receive a message from Microsoft indicating so.