Sending sensitive information via email between internal users in Office 365 - is it safe?

When two users inside the same Office 365 tenant send email to each other and the message contains some sensitive information (e.g. social security numbers), is this message encrypted inside Office 365 without any extra configuration? Just thinking about this from a GDPR perspective.

2 Replies

Yes, it is. This is called encryption at rest and in transit; it means that, without having to do anything, data in Office 365 is protected.


See plenty of details here - Encryption in Office 365. However, for different reasons you still might want to employ additional measures to protect confidential data, especially when it's being sent externally. Here are some ways of doing that:

Office 365 Message Encryption (OME)

 

"With Office 365 Message Encryption, your organization can send and receive encrypted email messages between people inside and outside your organization. Office 365 Message Encryption works with Outlook.com, Yahoo!, Gmail, and other email services. Email message encryption helps ensure that only intended recipients can view message content."

 

IRM for email messages

 

"Information Rights Management (IRM) allows you to specify access permissions to email messages. IRM helps prevent sensitive information from being read, printed, forwarded, or copied by unauthorized people. IRM also helps organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information, both within the organization and with customers and partners."

See https://www.petri.com/office-365-encrypted-email for details about the new Encrypt feature. This is available for OWA now and will soon be in Outlook desktop. Outlook mobile clients can read encrypted messages.

 

The Encrypt feature is based on top of rights management (IRM) and the same feature is due to appear in Outlook consumer. If you really want to protect data, apply a protection template to restrict what users can do when they receive messages.
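
One way to act on the advice in the replies above, shown as an added example that is not part of the original thread: an Exchange Online mail flow rule that applies a rights-management template to internal messages containing a U.S. social security number. The rule name and admin account are constructed placeholders, and the built-in "Do Not Forward" template and SSN sensitive information type are assumed to be available in the tenant.

```powershell
# Added example. Values marked "constructed" are placeholders, not from the thread.
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # constructed account

# 1. Confirm rights management is enabled and list the templates the tenant offers.
Get-IRMConfiguration | Format-List AzureRMSLicensingEnabled, InternalLicensingEnabled
Get-RMSTemplate

# 2. Create the rule in audit mode first, so matches are logged but mail is not changed.
$rule = @{
    Name                               = 'Protect internal mail containing SSN'   # constructed
    FromScope                          = 'InOrganization'
    SentToScope                        = 'InOrganization'
    MessageContainsDataClassifications = @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    ApplyRightsProtectionTemplate      = 'Do Not Forward'   # assumed built-in template
    Mode                               = 'Audit'
}
New-TransportRule @rule

# 3. After reviewing what the rule matched, switch it to enforcement.
Set-TransportRule -Identity $rule.Name -Mode Enforce
```

Service-side encryption at rest and in transit does not limit what a recipient does with a message once it is opened; a rule like this adds the usage restrictions (no forwarding, printing or copying) that the IRM description in the thread refers to.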