Data Loss Prevention

Created by Danny Wong, Modified on Sat, 19 Jun, 2021 at 6:30 PM by Danny Wong

Policy Statement

All members of the Business are responsible for protecting the confidentiality, integrity, and availability of data created, received, stored, transmitted, or otherwise used by the Business. Business reserves the right to restrict the use of Information Technology Resources in order to preserve data security or comply with law or policy.


In order to further secure data and improve regulatory compliance, Business has implemented Data Loss Prevention (DLP). Business uses DLP to identify confidential data on the Business network and, in cases where intentional or unintentional use violates policy, block the creation, reception, storage or transmission of confidential data.


Reason for Policy

DLP is an automatic surveillance system that consistently watches activity on the network and on desktop and laptop computers. It identifies confidential data (e.g. patient health information, driver's license numbers, and credit card numbers) and flags it for further investigation. In some cases DLP will stop the flow of data (e.g. if an email containing confidential data is sent to an inappropriate recipient, DLP may be used to temporarily or permanently block that email).


DLP has the ability to:

  1. Monitor data in motion (e.g., emails and instant messages)
  2. Search for and analyze data at rest (e.g., data residing on a file server or database) and data at the endpoint (e.g., files on a laptop, desktop, or flash drive).


By gathering this information, DLP can determine if data is confidential (per the Data Classification policy), and appropriately secure it to prevent security policy violations and maintain regulatory compliance.


Business handles a large amount of confidential data on a daily basis. Technologies that enable Business to function efficiently and make data easy to access and share also increase the risk of unauthorized disclosure and loss of confidential data. This has potentially serious consequences, including financial penalties, customer dissatisfaction, increased regulatory scrutiny, and reputational damage.


DLP is being used in conjunction with other security tools to protect confidential data and reduce the risk of it being compromised. This helps protect both the data that our organization is in charge of and the Business itself from the consequences of losing confidential data.


Principles

Certain information such as patient health information, personnel data, or financial records is confidential and must be treated with extreme care to avoid inappropriate disclosure with possible attendant fines or mandated notifications.


Business users should not expect that personal communications will remain private and/or confidential. While the Business permits generally unhindered use of its information technology resources, those who use Business information technology resources do not acquire, and should not expect, a right of privacy.


For a complete list of all data considered confidential by Business, please review the Data Classification policy.


Procedures

DLP is already actively monitoring both data in transit and at rest on the Business network, including (but not limited to):


  1. Email
  2. Webmail
  3. HTTP (message boards, blogs and other websites)
  4. Instant Messaging
  5. Peer-to-peer sites and sessions
  6. FTP


Business Users should continue to abide by existing policies for appropriate use of ITS resources as provided in the ITS policies page.
