Encrypted Email
You are here:

Unencrypted email is not a secure method for transmitting confidential information or sensitive data over the Internet. If you have reviewed the information below and determined that it is necessary to send such information, take steps to secure it by encrypting your message, taking into account the sensitivity of the data being transmitted and the level of security at the source and destination systems.
At Long Island University, do not send sensitive data via email unless:

  • It is required by your role within the university and you’ve reviewed Your role within the university.
  • You’ve reviewed Choosing an appropriate storage solution for more secure alternatives.
  • The message either:
    • is encrypted by the Cisco Registered Envelope Service (CRES) and you’ve reviewed Sensitive data sent outside Long Island University, or
    • stays within the LIU email systems (Microsoft Exchange; not LIUmail) and you’ve reviewed Sensitive data sent within Long Island University.

For more about data protection, see Protecting Data.

Your role within the university

You should only send sensitive data via email if it is absolutely required in order to conduct the business function of the university. If you are unsure whether email is appropriate for a particular situation, consult with the university Data Steward in charge of the data involved, as well as with the University Information Policy Office.

Sensitive data sent outside Long Island University

The Cisco Registered Envelope Service (CRES) provides encryption for email sent from LIU mail servers to recipients outside the LIU network. While all outgoing mail is scanned for sensitive data, you should always force encryption of messages you know to contain such information. See What is the Cisco Registered Envelope Service (CRES)? and How can I ensure that mail sent from my Exchange account to an outside address is encrypted by CRES?

Sensitive data sent within Long Island University

Email sent from one account on a central LIU email server (i.e., an Exchange server) to another email account on the LIU Exchange servers has technical and physical safeguards, and is considered secure. However, because a recipient might forward any message you send, or might have his or her LIU email configured to send all messages to an outside account, you should tag all messages containing sensitive data, even ones to LIU addresses, to force encryption; see How can I ensure that mail sent from my Exchange account to an outside address is encrypted by CRES?

Security for large files

If the information you need to send securely is a large file, you might not be able to share it securely via email; LIU restricts the size of email attachments. See At LIU, what is the maximum size of email messages, and how can I send messages that exceed that size?
In these cases, you should use Slashtmp Critical. This service allows you to store sensitive data securely, for a limited time, and share it with specific recipients. See At LIU, what is Slashtmp, and how do I use it? and How do I upload a file larger than 2 GB to Slashtmp?

Your Slashtmp files will disappear automatically 30 days after you upload them (but you may delete them sooner if you wish). Slashtmp files are not backed up; when you delete a file, there is no way to recover it. Do not use Slashtmp as the only place to keep files you cannot afford to lose.
As you are aware, data breaches are in the news nearly daily, We at LIUIT want to remind all of you of the urgency and necessity to restrain from sending sensitive information through emails.  As a reminder, university policy prohibits Personaly Identifying Information (PII) including but not limited to the examples below from being communicated via email:
·         Social security numbers
·         Academic Student information
·         Date of birth, address, bio-demographical information
·         Credit card and debit card information
·         Passport information
·         Driver’s license and state ID information
·         Healthcare related information
There are secure methods to receiving/sending sensitive information containing PII data.  In the event that data of this nature must be transmitted via email, please contact your local Information Technology office for more information on secure methods available.
As a precaution, the university has implemented a Data Loss Prevention (DLP) protocol to prevent the possibility of inadvertent sensitive information from being sent out.  Here are some illustrations of this new product that is turned “on”.
This screen will appear in Outlook if you attempt to send an email that is determined to contain sensitive data. 

In the case the DLP mis-flagged an email as containing sensitive data in error, you can override the policy by clicking the override link.  A screen like this will appear:
You must put a reason for this override in the field provided.  These will be reviewed by our Information Technology security team and you will be contacted to discuss the override at a later date.
Information Technology takes security of all LIU information systems, assets and data very seriously.  As is the case with any new solution, there may be unforeseen issues that arise.   Please communicate with us and let us know how the process is going for you.
For more information about IT security best practices, policies, and your IT services visit it.liu.edu.
To send encrypted email to non-liu email addresses all you have to do is put the [encrypt] tag in the subject of your email. This works for both liu.edu and my.liu.edu emails.

When you receive an encrypted email from an LIU email address it may appear in your inbox with an attachment as following. Note: appearance can be different depending on email provider or email client.

2. Open the email and click the Click here link as instructed.

3. Depending on your email provider or email client, you may get a warning.
Click Proceed.

4. (First time use) you will then be taken to an account creation page.

(every time after) you will then be taken to a login page.

5. On this screen you can see all the emails that were securely sent to your email address. From here you can also reply, reply all and forward. Be sure to logout when done.

my.liu.edu email accounts are also supported

If you received an email message at your Long Island University account with a subject line that begins “Read:”, followed by the subject line of an email message you sent, that is likely a read receipt for a message encrypted by the Cisco Registered Envelope Service (CRES); see What is the Cisco Registered Envelope Service (CRES)? The read receipt indicates that your recipient has decrypted and read the email message you sent.
If you did not send sensitive data in the message, and did not intend for it to be encrypted, examine your original subject line. If it contains the phrase “secure message” or word “confidential”, CRES will always encrypt it, regardless of content; see How can I ensure that mail sent from my Exchange account to an outside address is encrypted by CRES? Avoid using those words if you do not want your messages to be encrypted.
If you do not want to receive further read receipts of encrypted messages, you must change the CRES settings for your account; see In CRES, how can I change my password or preferences? On the “Edit Profile” page, under “Preferences”, uncheck Request Read Receipt: Let me know when recipients open their messages.

Sensitive Personal Identifying Information (PII) is defined as information that if lost, compromised, or disclosed could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
In general terms it is any information that could be used by criminals to conduct identity theft, blackmail, stalking, or other crimes against an individual. Federal and State laws, and University regulations dictate how this information must be stored, transmitted, and processed.
LIU requires that all laws and regulations are followed to ensure the protection and safety of our community. Contact  Information Technology at it@liu.edu for more information about PII.
Sensitive PII include:

  • Social security numbers
  • Academic Student information
  • Date of birth, address, bio-demographical information
  • Credit card and debit card information
  • Passport information
  • Driver’s license and state ID information
  • Healthcare related information

Listed below are some key regulations:

  • Cyber security framework based on Department of Commerce National Institute of Standards and Technology (NIST)
    A government-issued guideline document of standards, guidelines and practices for reducing cyber risk to critical infrastructure.
  • NYS Information Security Breach and Notification Act
    Business in New York who own or license computerized data which includes private information must disclose any breach of the data to New York residents.
  • Family Educational Rights and Privacy Act (FERPA)
    All student record data including financials are considered private.
    Examples: Student grades, major, and other academic/financial records
  • Health Insurance Portability and Accountability Act (HIPAA/HITECH)
    May apply to our clinic sites off campus
  • Gramm-Leach Bliley Act (GLBA)
    Federal legislation that deals with banking industry and the exchange of information.
    Example: GLBA applies to LIU since we collect financial information.
  • Payment Card Industry Data Security Standard (PCI-DSS)
    Europay, Mastercard, Visa technical standard (EMV)
    Example: Credit card transactions