Understand Pitt Digital's Data Loss Prevention (DLP) Framework

Overview

Pitt Digital’s Data Loss Prevention (DLP) framework is designed to enhance data security and promote best practices for handling sensitive information across multiple platforms. This framework is applicable to Microsoft Outlook and Exchange Online, Teams, OneDrive, and SharePoint.

All messages and documents shared via these services will be automatically scanned by Microsoft to detect items that:

  • Contain Restricted data or potentially sensitive information
  • Are not encrypted or do not have a sensitivity label applied
  • Are shared with recipients outside the University of Pittsburgh

The specific types of sensitive information detected by the policy may include:

  • Personally identifiable information (PII), such as Social Security, passport, or driver’s license numbers
  • GDPR/sensitive European Union PII
  • GLBA/banking information
  • HIPAA/protected health information (PHI)
  • PCI DSS/credit card information
  • Sensitive IT information, such as usernames and passwords, API keys, and other types of secrets

Email messages meeting these criteria will be automatically encrypted for individuals who are within groups that handle HIPAA-protected data. For all others, at this time the DLP framework is intended for informational and educational purposes only.

This framework serves as a reminder for users to remain vigilant and ensure that data remains protected and secure.

Sensitivity labels remain the most effective tool for protecting sensitive content and should always be applied when knowingly sending sensitive data. To apply a label in Outlook, click the Sensitivity button near the top right of the ribbon, expand the University of Pittsburgh menu, and select the appropriate label for your content. For full instructions and guidance on available labels, refer to the Data Sensitivity Labels Security Guide.

Notification Processes

When a message or document meets all of the conditions outlined above, the sender or document owner will receive a notification that details the type(s) of sensitive information detected and provides guidance to help protect future communications.

If the email message was automatically encrypted, the sender will receive a confirmation email with an encrypted copy of the message attached. If you receive this email, you do not need to take any action.

The notification method varies slightly depending on the service:

Microsoft Outlook and Exchange Online

The sender will receive a follow-up email with details and guidance if a message whose body or attachment(s) contain sensitive information is sent to an external recipient (excluding @upmc.edu email addresses). The email will link to Pitt Digital's Outlook Email Encryption Security Guide.

Teams

A tooltip message will appear at the top of the Teams chat window if sensitive information is detected in a chat that includes external participants.

OneDrive

The document owner will receive an email with details linking to Pitt Digital’s OneDrive Security Guide when documents containing sensitive information are shared with external collaborators.

SharePoint

The document owner will receive an email linking to Pitt Digital’s SharePoint Security Guide when documents containing sensitive information are shared with external collaborators.

Collaboration with UPMC Accounts

Microsoft Outlook and Exchange Online

The DLP framework applies to all email messages and attachments sent to external recipients. However, collaborators with @upmc.edu email addresses are excluded, meaning that sending sensitive information over email to UPMC contacts via Microsoft Outlook and Exchange Online will not trigger a notification.

Teams, OneDrive, and SharePoint

UPMC collaborators are not excluded from the DLP framework when using Teams, OneDrive, or SharePoint to share information. Documents and Teams messages shared with UPMC users will trigger the appropriate notification as described above.