
Google Data Loss Prevention (DLP)

To comply with state laws, business standards and industry regulations, Oakland University needs to protect sensitive information and prevent its inadvertent disclosure. For this reason, the University has enabled Google Data Loss Prevention (DLP), which prevents sharing of sensitive information outside the organization.

Sensitive information in question includes financial data and personally identifiable information (PII) such as

  • Credit/debit card numbers
  • Social Security numbers
  • Driver's license numbers
  • DEA numbers
  • GrizzlyIDs, etc.

With the DLP policy in effect, all Google Drive documents are scanned, and sharing with external recipients is immediately disabled on any file in which sensitive data is detected.

University employees who work in the Google Drive platform may begin receiving notices, pop-up messages or emails indicating that PII data has been detected. In such instances, Drive documents containing the data should be:

  • Securely deleted by being moved to the trash and then emptied from the trash, or
  • Moved to an approved secure destination based on approved storage locations per data classification as outlined at https://www.oakland.edu/uts/common-good-core-resources/options/.

  • Important departmental documents with sensitive data should be stored in a Windows department share.

Benefits of enabling Google Data Loss Prevention (DLP)

  • Identifies sensitive information in all Google Drive and Team Drive documents
  • Reduces potential University risk and costs associated with inappropriate or accidental sharing
  • Prevents accidental sharing of sensitive information
  • Monitors and protects sensitive information in existing and newly created files
  • Helps users learn how to stay compliant without interrupting their workflow

Google Data Loss Prevention (DLP) for outgoing emails was also enabled on June 17, 2019.

Why is Google DLP for email important?

Google DLP adds another layer of protection to prevent sensitive or private information from leaking outside of an organization. DLP is a tool that applies rules to prevent people from sending confidential data, whether accidentally or maliciously.

How Gmail DLP works:

Gmail DLP will automatically check all outgoing emails from all users and reject any message that contains any of the PII (personally identifiable information) listed below.

  • Social Security Number
  • Driver's License Number
  • DEA Number
  • Global Credit Card Number
  • GrizzlyID (up to 5 GrizzlyIDs are allowed; if more than 5 GrizzlyIDs are detected, the message to external users will be blocked)

This rule applies to outbound email only and rejects any message that matches with a high "Confidence threshold". The rejection error message will be similar to this: "Error: This message contains sensitive information, which should not be emailed to recipients as per our organization data policy."

Attachment scanning

These scans don't just apply to the message subject and body, but also to content inside common attachment types, such as documents, presentations, and spreadsheets. Gmail DLP identifies each file type through a binary scan to provide more accurate data than relying on the supplied file extension, which can be inaccurate. Text is then extracted from the attachment using an algorithm specific to the file type, and processed via the DLP algorithm.

What do I do if my message is blocked?

  • Remove the sensitive information from the message body or attachment and resend.
  • Mask out the data (Gxxxx0000, xxx-xx-0000, etc.) and resend.
  • There are no exceptions or overrides for sending to external recipients.
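
The masking step above can be done before sending with a short script. This is an added example, not code from Oakland University or Google. Its patterns are assumptions: dashed SSNs, Luhn-valid card numbers of 13 to 19 digits, and a GrizzlyID shaped like the mask Gxxxx0000 shown above (G plus eight digits).

```python
import re

# Assumed patterns, not Gmail DLP's own detectors (see the note above).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
GID_RE = re.compile(r"\bG\d{4}(\d{4})\b")
GID_LIMIT = 5  # page: more than 5 GrizzlyIDs blocks an external message

# Constructed sample draft; none of these values are real.
SAMPLE = ("Card 4111 1111 1111 1111, SSN 123-45-6789, "
          "student G01234567, order 4111 1111 1111 1112")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to skip digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)  # leave non-card numbers untouched
    return "x" * (len(digits) - 4) + digits[-4:]


def scrub(text: str) -> tuple[str, dict]:
    """Return (masked text, findings) for a draft message body."""
    findings = {
        "ssn": len(SSN_RE.findall(text)),
        "card": sum(luhn_ok(re.sub(r"\D", "", m.group(0)))
                    for m in CARD_RE.finditer(text)),
        "grizzly_id": len(GID_RE.findall(text)),
    }
    findings["over_grizzly_limit"] = findings["grizzly_id"] > GID_LIMIT
    text = SSN_RE.sub(r"xxx-xx-\1", text)   # keep last four, page's format
    text = CARD_RE.sub(mask_card, text)
    text = GID_RE.sub(r"Gxxxx\1", text)
    return text, findings


if __name__ == "__main__":
    print(scrub(SAMPLE))
```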

University employees with questions about this data security enhancement are advised to contact University Technology Services at [email protected] .