For decades the University has operated a secure mail solution called DataMotion that we have recommended for use in transmitting Sensitive Information.  After several years of security improvements to our email system, deployment of multifactor authentication, and improvements in our data classification and data management policies and processes, we would like to reframe the requirements for using of DataMotion in a way that we think most people will find favorable. 

First, your regular BU email is sufficiently secure for Public, Internal Use, and Confidential data as defined in the Data Classification Policy.  Unless you are transmitting Restricted Use data, you do not need to use DataMotion.  This means that DataMotion is not required for budget data, salaries, performance evaluations, or student record data unless it includes Restricted Use data elements.   

When it comes to Restricted Use data, the requirement is a bit more nuanced. Restricted Use data may include Personally Identifiable Information (PII) associated with financial account information (bank accounts, credit cards), driver’s licenses, Social Security Numbers, Protected Health Information (PHI) including HIPAA and Human Subjects Data, authentication credentials, and criminal background data. 

Overall, our Office 365 Outlook solution is sufficiently hardened for Restricted Use data.  However, if your account gets compromised, email is often one of the first things that gets targeted.  If you rarely send Restricted Use data (i.e. once or twice a year), and are only sending a few records each time, email is an acceptable solution.  With each additional record you send, the value of your email account to an intruder increases, therefore, please consider: 

• The best solution is not to send Restricted Use data over email in the body or as an attached document.  Consider storing the data in One Drive, Teams, or SharePoint and sending a link to the data instead.  This scenario allows access to be easily revoked, particularly if sent to the wrong recipient, and makes the recipient’s access to the data auditable.  In addition, using this method avoids producing additional copies of the data by default.
• If your job requires you to frequently send Restricted Use information and linking to files is not an appropriate solution, please continue to use DataMotion and reach out to Information Security at buinfosec@bu.edu to discuss alternative approaches.  

We may not have anticipated every possible use case and are happy to discuss your needs for DataMotion to determine what best fits your needs.  We do not have any imminent plans to retire DataMotion but would like to help eliminate extra steps from our workflows where there is little value added.  If you have any questions, please feel free to reach out to BU Information Security at buinfosec@bu.edu. 

We thank you for your cooperation to ensure data stays protected.