1.08 – Use of Email
Last updated : January 14, 2022
This policy will be effective from Monday 17 January 2022.
Upon formal notification or upon detection, and in accordance with Company policy 1.1 – Responsible Use of Information Technology Resources, PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC. (“Company”, “Company Network”) will take all necessary means, including but not limited to temporary disconnection from internet access or the Company network, to stop illegal sharing of copyrighted material by users of Company Network services. ITS, as the recipient of formal notifications of illegal file sharing, will pass those notifications, along with an internal cease and desist notice, to any user whose computer has been identified in the claim of copyright violation. Upon receipt of notice, users must remove the named material from their computers.
Reason for Policy
Company is legally responsible to protect confidential information, including that contained in email. Company Network email systems comply with appropriate security standards. Because Company cannot guarantee the security of external systems, Company has chosen to prohibit the use of automated email forwarding and requires encryption for any email message containing confidential information that is sent outside the Company network.
Entities Affected by this Policy
PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC (“Company”).
Who Should Read this Policy
All individuals provided with a PopIt Snack Account (“PSAID“) who have a Company-supplied email account for accessing Platform information systems and for accessing, storing, sending, receiving, or transmitting any Platform data.
Certain information such as protected health information (PHI), personally identifiable information (PII), or financial records are confidential and must be treated with extreme care to avoid inappropriate disclosure that could lead to exposure of risk to Company and its affiliates. A complete list of all data considered confidential by Company is available in the ITS 1.03 – Data Classification policy.
While the Company permits generally unhindered use of its information technology resources, those who use Company information technology resources do not acquire, and should not expect, a right of privacy. Company community members should not expect that personal communications will remain private and/or confidential. Automated email surveillance systems are in place to identify data that appear malicious in nature (e.g., viruses, spyware) or contain confidential information (e.g., protected health information and personally identifiable information) for further investigation.
2. Email Account Owner Responsibility
Company provides a centrally-managed email system for its department, staff, and affiliates. No additional email systems are permitted without approval of the Chief Information Officer. Company-supplied email accounts (@popitsnack.com) are unique and assigned to an individual for communication pertaining to Company. Except in cases approved by Company Human Resources, these email accounts are not transferable to other users. Access to Company’s email system carries certain responsibilities for the account holder, including, but not limited to, the following:
- Do not share your email account password with anyone, including ITS (ITS will never ask you for your password). Use delegation, where appropriate, if another user needs access to your email.
- Do not use email to harass others.
- Do not falsify email accounts to send out email as another person.
- Do not flood/spam people with email in an attempt to disrupt their service.
- Do not accept credit card numbers sent in email for payment purposes.
- Do not create rules that enable automated forwarding to non-Company email accounts.
- Do not send confidential data to any party via email without using encryption.
- Do not use personal email addresses, such as free services like Gmail or Yahoo!, for work-related communications.
3. Public Display of Email Addresses
As defined in the ITS 1.03 – Data Classification policy, Company email addresses are not considered confidential data. In the interest of transparency, all active Company department and staff email addresses are published on the Company’s website and directory (please see ITS 1.13 – Directory). A user’s credentials, by contrast, are treated as an identifier that could link to protected health information under HIPAA and must not be published or shared.
4. Email Attachment Policy
In order to align Company with generally accepted email standards, ITS limits the size of all outgoing and incoming email messages, including attachments, to 25 megabytes (MB). Many email systems cannot receive large emails and often do not provide feedback to the sender that the system has rejected the message. By aligning with the industry common practice of limiting email sizes, users should have a higher success rate in sending and receiving email. If attachments larger than 25 MB need to be sent via email, Company’s File Transfer Service should be used.
5. Transmission of Confidential Data
Any data considered by Company to be confidential in nature that must be transmitted via email shall utilize encryption when sent over an insecure network and shall only be sent to recipients that have a legitimate need for the information.
5.01 Internal Recipients (Company and Select Affiliates)
Email sent within Company’s network is considered to be contained within a trusted secure environment. Company’s network includes addresses ending in @popitsnack.com. While an explicit encryption service is not required for data sent to these recipients, it is still strongly recommended to utilize Company’s File Transfer Service when sending large attachments containing confidential data.
5.02 External Recipients
Email containing confidential data that is sent outside of Company’s network (as defined in the previous section) must use encryption. Email messages smaller than 25 MB may be sent securely by adding #encrypt to the message subject. When using #encrypt, both the message body and attachments are encrypted. To securely send large attachments to external recipients, Company’s File Transfer Service shall be used; however, only the attachments will be encrypted and no confidential data is to be referenced within the subject or body of the message.
5.03 Routine Communication with External Agencies
For routine communication with external agencies (e.g., a business associate like a pharmaceutical company or a collection agency), ITS can assist in establishing an encrypted channel by enforcing Transport Layer Security (TLS), the standard protocol for encrypting data in transit. By default, Company utilizes opportunistic TLS: the mail server first attempts to negotiate an encrypted connection with the outside domain, and if the recipient domain does not support TLS, the message is still sent over an unencrypted connection. Because opportunistic TLS falls back silently and does not by itself verify the recipient’s certificate, it does not protect against an attacker who can interfere with the connection. By choosing to force TLS, ITS will work with the external vendor so that encryption is always required between Company and the recipient domain. While this guarantees that messages are only delivered over an encrypted connection, any anomalies or inaccuracies in the domain configuration, or a rejection by the recipient mail system, will prevent messages from being sent altogether; they remain queued rather than being delivered in the clear.
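The difference between opportunistic and forced TLS is easiest to see on the wire. The following is an added example, not part of this policy and not ITS’s own tooling: a constructed stand-in for a recipient domain’s mail exchanger that answers EHLO with or without a STARTTLS capability, and a client that applies a hypothetical per-domain policy table (in the spirit of Postfix’s smtp_tls_policy_maps) to decide whether a message leaves encrypted, leaves in plaintext, or is held. The domain names, port and policy table are all assumptions made for the example.

```python
"""Added example (not the policy's or ITS's code): opportunistic vs forced TLS
at the SMTP capability-discovery step.  The MX is a constructed stand-in that
only speaks enough SMTP to answer EHLO; no real STARTTLS handshake is performed."""
import smtplib
import socket
import threading

# Hypothetical per-domain policy: "may" = opportunistic (default for unlisted
# domains), "encrypt" = TLS required, message deferred if it cannot be negotiated.
TLS_POLICY = {
    "partner.example": "encrypt",   # a channel ITS has agreed to force
}
SIZE_LIMIT = 25 * 1024 * 1024       # 25 MB cap from section 4 (= 26214400 bytes)


def _serve_one_session(conn, advertise_starttls):
    """Constructed MX: greets, answers EHLO with a capability list, handles QUIT."""
    f = conn.makefile("rwb")
    f.write(b"220 mx.partner.example ESMTP\r\n")
    f.flush()
    while True:
        line = f.readline()
        if not line:
            break
        cmd = line.strip().upper()
        if cmd.startswith(b"EHLO"):
            reply = [b"250-mx.partner.example", b"250-SIZE %d" % SIZE_LIMIT]
            if advertise_starttls:
                reply.append(b"250-STARTTLS")      # the capability that matters here
            reply.append(b"250 8BITMIME")
            f.write(b"\r\n".join(reply) + b"\r\n")
        elif cmd.startswith(b"QUIT"):
            f.write(b"221 bye\r\n")
            f.flush()
            break
        else:
            f.write(b"502 command not implemented\r\n")
        f.flush()
    conn.close()


def start_fake_mx(advertise_starttls):
    """Listen on a random loopback port, serve exactly one session, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept():
        conn, _ = srv.accept()
        srv.close()
        _serve_one_session(conn, advertise_starttls)

    threading.Thread(target=accept, daemon=True).start()
    return port


def outbound_channel(recipient_domain, mx_port):
    """Return 'encrypted', 'plaintext' or 'deferred' for a message to recipient_domain,
    given what its MX (listening on mx_port) advertises and the policy table above."""
    policy = TLS_POLICY.get(recipient_domain, "may")
    with smtplib.SMTP("127.0.0.1", mx_port, timeout=5,
                      local_hostname="mail.popitsnack.com") as s:
        s.ehlo()
        if s.has_extn("starttls"):
            # A real MTA would now call s.starttls(context=...).  Under "encrypt" a
            # failed handshake (bad certificate, protocol error) also defers the
            # message; under "may" the MTA silently falls back to plaintext.
            return "encrypted"
        if policy == "may":
            return "plaintext"      # opportunistic: sent anyway, unencrypted
        return "deferred"           # forced: held in the queue, not sent


if __name__ == "__main__":
    cases = [("partner.example", True), ("partner.example", False),
             ("other.example", True), ("other.example", False)]
    for domain, mx_has_tls in cases:
        label = "STARTTLS offered" if mx_has_tls else "no STARTTLS"
        print(f"{domain:16} {label:17} -> {outbound_channel(domain, start_fake_mx(mx_has_tls))}")
```

The two cases worth noticing are the ones where the MX does not offer STARTTLS: under the default opportunistic policy the message goes out in plaintext with no warning to the sender, while for a forced domain it is deferred, which is exactly the delivery failure the paragraph above warns about.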
For entities performing services or functions on behalf of Company (e.g., a transcriptionist, answering service, etc.) that involve the exchange of confidential data, a Business Associate Agreement (BAA) shall be on file with the Company Privacy Office and encryption must be used to safeguard the message contents.
A list of external agencies with an established encrypted channel is maintained by ITS.
5.04 Communication with User
Company community members wishing to communicate electronically with users may do so using the Company Connect service. Communicating with users via email is strongly discouraged. However, if a user insists on email communication, encrypted email services must be used. Recipients must be cautioned to reply only from within the secure mail console, as replying to the notification (or otherwise outside the console) will result in the message being sent without encryption.
5.05 Email Confidentiality Notice
Individuals transmitting confidential or high-risk data may add a confidentiality notice to the footer of their email in order to notify the recipient of the sensitivity of the data contained within the message. The following language is recommended for use in an email signature:
Confidentiality Notice: This email transmission, and any documents, files, or previous email messages attached to it, may contain confidential and/or privileged information and may be legally protected from disclosure. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, please contact the sender by reply email and destroy all copies of the original message, including any attachments.
6. Email Forwarding
Automated email forwarding for active Company department members is permissible under certain circumstances to qualified affiliate domains. Any requests to allow forwarding must be approved by Company Human Resources. Company department members and staff are not permitted to forward email once in expiry status.
7. Email Account Delegation
Delegation occurs when an email account owner (the “delegator”) grants permissions to another user (“the delegate”) to access the owner’s email, calendar, and/or contacts. Delegation is not permitted by sharing passwords or logging in to the account for the delegate to use – the delegate must be using his/her own account. Delegators have the ability to set variable permissions to the delegate, such that the delegate has the ability to only read emails or also create emails on behalf of the delegator.
Delegation is only to be used in situations where an assistant or coworker needs access to a mailbox that is within the confines of the delegate’s job responsibilities. The delegator is responsible for ensuring that the delegate’s permissions are appropriate and consistent with his/her job description and training.
8. Email Account Retention
Once in expiry status, certain provisions apply in order to retain a Company email account. Department, staff, and students on a leave of absence are permitted to retain their Company email account. Any exceptions to the following provisions must be approved by Company Human Resources.
Apprentices who work at Company and do not continue an affiliation with Company are not permitted to retain full access to their Company-issued email account. The ITS data loss prevention tool is in place to monitor and block email potentially containing confidential data that is sent to apprentices’ personal email addresses. Company workers who become full-time employees of Company will be provided with a Company email account.
At the discretion of a Department Administrator, Chairperson, or Director, Company department members may be permitted to retain their Company-provided email account for three (3) months while in expiry status. Any requests longer than three (3) months will need to be resubmitted and recertified.
Unless approved temporarily in exceptional circumstances by the Department Administrator and Human Resources or General Counsel, Company staff will immediately lose access to their email account once in expiry status.
9.01 Encrypted Email Services
To send an encrypted message to an external recipient (addresses that do not end in @popitsnack.com), #encrypt can be added anywhere in the subject line. The entire message and any attachments will be encrypted and securely delivered to the recipient.
To send large attachments to internal and external recipients, Company’s File Transfer Service should be used. The File Transfer Service can be accessed at https://popitsnack.com/. When utilizing this service, only attachments will be encrypted; therefore, no confidential data shall be disclosed within the body of the message.
Additional Information and User Guides:
Company File Transfer Service
To request persistent encryption for routine email correspondence with an outside entity, a support request should be submitted to ITS. Requests must include an adequate business justification and a list of the recipient email domain(s). A Business Associate Agreement should be on file with the Company Privacy Office.
9.02 Email Forwarding
Active Company department members who wish to have their email forwarded to another account must submit a request to ITS support. The request should contain the desired forwarding account, a valid business justification, and the length of time the email should be forwarded. The request will be submitted to Human Resources or General Counsel for approval.
9.03 Email Account Retention
A Department Administrator, Chairperson, or Director wishing to permit a Company department member in expiry status to retain his/her email account must submit a request to ITS support. The request should contain the Department Administrator, Chairperson, or Director’s approval and a valid business justification. Retention approvals expire after three (3) months and must be resubmitted for approval for any extension. The Company department member is not permitted to forward email to another account when in expiry status.
10. Related Documents
The following documents are also relevant to this policy:
1.03 – Data Classification
1.09 – Data Loss Prevention
1.13 – Directory
1.14 – Email Security
The following definitions apply to the institutions, regulations, and terms as they are used in this policy. Definitions of technical terms are supplied by NIST IR 7298 Revision 2, Glossary of Key Information Security Terms.
- Company PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC.
- ITS Information Technologies & Services Department
- BAA Business Associate Agreement
- PII Personally identifiable information, as defined in GAO-08-536 Privacy Protection Alternatives, is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
- PHI Protected health information, as defined in Title 45 CFR §160.103, is individually identifiable health information that is (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium. Protected health information excludes individually identifiable health information (i) in education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by a covered entity in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.
- confidential As defined in ITS 1.03 – Data Classification, confidential data includes, without limitation, the following: PHI; PII; financial data, including data covered under the Gramm-Leach-Bliley Act (GLBA) and the information pertaining to credit cards covered by the Payment Card Industry Data Security Standard (PCI DSS); employment records, including pay, benefits, personnel evaluations, and other staff records; research data involving human subjects that are subject to the Federal Policy for the Protection of Human Subjects (Common Rule) as defined in Title 45 CFR §46.101 et seq.; and user account or system passwords that provide access to information systems or applications containing any of the above confidential data elements.
- expiry Expiry is the status assigned to department members, staff, volunteers, consultants, temps, or apprentices who leave PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC. Expiry may occur in any of the following scenarios: resignation, retirement, graduation, layoff, discharge, abandonment of job, cessation of department appointments, or expiration of a contracted or otherwise temporary affiliation.