Encrypting Emails Containing PII FAQs
By DON CIO Privacy Team - Published, October 26, 2012
Emails containing personally identifiable information (PII) in the body of the email or in an email attachment:
- Should only be sent to recipients with an official need-to-know.
- Should have "FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE" in the subject line.
- Should have "FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE: Any misuse or unauthorized disclosure of this information may result in both criminal and civil penalties" in the body of the email.
- Must be digitally signed.
- Must be encrypted. (Always check to see if the attachments you are sending contain PII. Check all tabs.)
AM I REQUIRED TO ENCRYPT EMAILS THAT CONTAIN PII?
Yes. In October of 2008, the Department of the Navy Chief Information Officer released a GENADMIN message that reiterated guidance requiring DON users to digitally sign and encrypt email messages containing PII.
HOW DO I ENCRYPT AN EMAIL CONTAINING PII?
To encrypt an email manually, click on the "ENCRYPT" icon in the toolbar for the message in question.
To configure Outlook for automatic encryption, go to:
"Tools" -> "Trust Center" -> "Email Security" -> "Encrypt content and attachments for outgoing messages"
WHAT DO I DO IF I ENCOUNTER PROBLEMS WHEN ENCRYPTING AN EMAIL?
- Select "Cancel" in the pop-up and remove the failed recipient from your email. Send the email.
- Send a separate email to the unsupported email address(es) requesting a reply with a digitally signed email if their address is not in the Global Address List (GAL), or a reply after publishing their certificates, if their address is in the GAL.
- DO NOT select "Send Unencrypted."
HOW DO I PUBLISH A CERTIFICATE?
- Go to Outlook: Tools/Trust Center/Email Security/Publish to GAL
- Right-click on the contact name and select "Add to Outlook Contacts"
- Click on the contact and attempt to send the encrypted email again
Note: When publishing certificates it may be necessary to wait a few minutes to allow the server to replicate and the user's GAL to sync.
HOW DO I MANUALLY SYNC THE GAL?
Go to: My Computer/System (C:)/Program Files/Microsoft Office/GlobalDirectory/GALSyncU.exe
IF A VALID CERTIFICATE IS VERIFIED FOR THE RECIPIENT AND I STILL CAN'T SEND THE EMAIL ENCRYPTED, WHAT SHOULD I DO?
- Go to the Outlook toolbar and click on the small arrow next to the Send/Receive button, and download the address book with "Full Details" (this may take 5-10 minutes). Attempt to send the encrypted email again.
- 'Cached Exchange Mode' can also cause encryption problems. To see if you are in this mode, go to the following in Outlook: Tools/Account Settings/Email Security, then click on Change. If "Use Cached Exchange Mode" is checked, uncheck it and then attempt to send the encrypted email again. (Note: You will be required to shut down and restart Outlook for the new settings to take effect.)