Executive Policy #23
Approved July 7, 2004
BACKGROUND
Electronic correspondence is increasingly used for distribution of information to members of the University community. Electronic forms of correspondence such as e-mail, instant messaging, and web-enabled forms of correspondence are timelier and more efficient than traditional means (e.g., paper sent via campus mail or USPS), providing better service to the recipient and potential cost-savings to the University. However, electronic forms of correspondence are also susceptible to unauthorized disclosure, tampering or forgery.
DEFINITION
Electronic correspondence in this policy includes both traditional two-way or multi-way communications between or among correspondents (i.e., individuals, businesses, agencies, and other corporate bodies) and official, one-way, targeted messages, announcements, or other forms of communication from the University.
PURPOSE
This policy sanctions electronic correspondence as an authorized means of communication for Washington State University provided that this correspondence is carried out to ensure confidentiality, authenticity, and integrity as required.
POLICY STATEMENTS
Electronic correspondence shall be one of the authorized means of communication from Washington State University to students, faculty, staff, and other constituents.
All University electronic correspondence that contains individually-identifiable, confidential, or operational information must be sent via secure mechanisms that ensure message confidentiality, authenticity, and integrity (see Executive Policy #8, University Data Policies). Commercially reasonable standards for electronic correspondence shall be adhered to in order to protect these communications. University electronic correspondence containing confidential and/or operational information that is not identified with an individual should be sent via secure mechanisms when technically and operationally feasible. Nonsecure electronic correspondence may be used to communicate open (public) information.
Electronic correspondence to Washington State University from external sources that does not meet a commercially reasonable standard for ensuring confidentiality, authenticity, integrity, and delivery may not be considered an official means of notification.
Secure Electronic Correspondence
In order to be considered secure, an electronic correspondence must maintain three characteristics from origination throughout its life as a public record: 1) the contents of the message must be protected from unauthorized disclosure to protect confidentiality, 2) identification of the sender must be retained to ensure authenticity of the message, and 3) the integrity of the correspondence must be maintained to guarantee that the message remains as sent.
University Provided Delivery Mechanisms
Washington State University shall provide secure electronic correspondence delivery mechanisms to faculty, staff, and students consistent with commercially reasonable standards. Washington State University units providing electronic delivery mechanisms are responsible for providing systems that meet or exceed the security standards set within this policy.
Recipient Responsibility
Just as they are responsible for any printed correspondence that is delivered by nonelectronic means, faculty, staff, and students are responsible for all information sent to them via University-provided electronic correspondence delivery mechanisms. The University expects that all University business-related electronic correspondence would be received and read in a timely fashion. A recipient is deemed to have received a University electronic correspondence upon logon to a secure University electronic communication service. No follow-up notice(s) to the recipient are necessary.
Originator Responsibility
University electronic correspondence may be used only to meet academic instruction, research, public service, and administrative needs of the University (see Executive Policy #4, Electronic Publishing Policy: Policy on Electronic Publishing and Appropriate Use of Computing Resources, Information Technologies, and Networks). Originators are responsible for selecting the appropriate electronic correspondence mechanism according to the guidelines below. Delivery tracking mechanisms should be used when necessary to ensure legal or business procedure compliance.
Electronic Correspondence Guidelines
- Electronic correspondence containing information as outlined below must be sent and delivered by secure means. In the event that secure mechanisms are not available, information as specified below must not be sent electronically.
  - Individually identifiable information other than a person's directory information (directory information includes a person's name, address, phone number, e-mail address, and student major)
  - Individually identifiable directory information (name, address, phone number, e-mail address, and student major) for a person who has restricted use of that information
  - Information subject to the Family Educational Rights and Privacy Act (FERPA), http://www.registrar.wsu.edu/Registrar/Apps/FERPA.ASPX
  - Information subject to the Health Insurance Portability and Accountability Act (HIPAA), http://www.hipaa.org
  - Information subject to the Gramm-Leach-Bliley Act (GLB Act), http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
  - Any other information that either the recipient or originator would reasonably expect to be considered confidential

  Where there is any doubt regarding the need to keep the message confidential, a secure electronic correspondence mechanism must be used or the message must not be sent electronically.
- It is permissible to send an unsecured e-mail directing the recipient to a secure site where private information may be obtained provided such notice does not, itself, contain any private information.
- WSU shall progress toward the goal of securing all electronic correspondence mechanisms as it becomes technologically and operationally feasible to do so.
Electronic Tracking of Receipt/Delivery
Electronic correspondence requiring proof of delivery must be sent via secure means and using a form of electronic tracking service. If such means are not available then traditional paper-based means must be utilized.
Commercially Reasonable Standards
Commercially reasonable standards are practices and procedures in widespread use in the business community generally considered to represent prudent and reasonable business methods. These standards provide methods of data encryption, message authentication and user identification, digital signatures, etc. The use of these standards provides evidence that due diligence has been exercised by the University.
In order to adhere to a commercially reasonable standard for electronic correspondence, the University has adopted policies defining eligibility to have a WSU Network Identity (see Executive Policy #16, University Network Policies) and strong and secure passwords for that identity (see Executive Policy #18, Computer and Network User Identification and Password Policy), and has established a secure server for message storage with an encrypted channel for message retrieval and delivery. Electronic correspondence shall not be forwarded out of the environment where the University can exercise control over authentication, authorization and message integrity except by the designated recipient when this will not violate any University, local, state or federal regulations.