Educause Security Discussion mailing list archives

Re: E-mail and Data Privacy Issues around Law School and Professional Clinics


From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Wed, 12 Aug 2009 10:28:08 -0400

This subject has been tossed about around here occasionally. There are a number of vulnerabilities in higher risk 
content email usage; here are a few: privacy for stored email sitting on an Exchange or IMAP server, privacy during SMTP 
transmission, and stronger authentication of email, e.g. using digital signatures. There are products to handle the first 
two - SecureMail from Voltage comes to mind. I looked at this and liked the concept of providing end-to-end encryption 
using enterprise authentication systems and not having to manage cert or key deployment for users.

Mike



Mike Wiseman
Information + Technology Services
University of Toronto



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gregg, 
Christopher S.
Sent: August-11-09 2:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] E-mail and Data Privacy Issues around Law School and Professional Clinics

I apologize if this has been covered, but I didn't see anything in the archives.

Have any of you run into the issue of trying to provide additional levels of data privacy, or running a separate e-mail 
service for professional clinics, law schools, or similar entities at your institutions?

We're a centralized Exchange shop for the entire university for e-mail and we're being asked about providing separate 
e-mail for our professional clinics and law school as a means of segregating the data from e-discovery and being able 
to enforce a different (read that higher) level of data privacy.  The concerns stem from issues of faculty and at times 
law students working as attorneys using university systems for communications and the need to maintain attorney/client 
privacy.

The scenarios we're coming up with are not very attractive, and I am curious to hear if others have already tackled 
this or opted to address this in other ways (like living with the risk).

Our scenarios so far are:


1. Outsource this e-mail to another provider - lose control to a degree and cannot retain school domain name

2. Set up a second non-Exchange system (iMail or something like that) - separate system to manage and not hooked 
into automated account process

3. Run a separate Exchange environment - costly, overkill, and may not even be possible in our architecture (at 
least with our school domain name)

I am also curious if we fall in a unique niche of having a law school and professional clinic, but being small enough 
that we have a single centralized e-mail and account infrastructure.

Thanks in advance for any feedback you're willing to share,

Chris

Chris Gregg
Director of Information Technology
Information Resources and Technologies
University of St. Thomas
2115 Summit Avenue
St. Paul, Minnesota 55105
csgregg () stthomas edu

