The Office of Administrative Hearings (OAH) has conducted a review of our policies concerning email that contains confidential information. Based on this review, we are implementing new procedures, on a pilot basis, that will make such emails secure by encrypting them during their transmission. The need to encrypt email that is sent from OAH is primarily the responsibility of staff in the Communications Intake Unit who respond to emails, faxes, correspondence and telephone inquiries from appellants and representatives, as well as staff handling litigation matters. However, these procedures must be followed by all OAH staff when sending an email containing confidential information to any individual[s] outside the NYSEmail Global directory.
Effective immediately, OAH will use Microsoft Exchange Hosted Encryption (EHE) for all emails that contain confidential information and that are being sent to non-NYSEmail Global directory addressees. This service encrypts OAH's outgoing emails and attachments and stores them on a secure server. By entering a password, the addressee can then retrieve the message from that server and, when necessary, send an encrypted response.
If the intended recipient of an email containing confidential information is not included in the NYSEmail global directory, OAH staff must encrypt that email.
When the OAH staff member sends the encrypted email, the recipient will receive an email indicating that the sender has sent an encrypted email. To view the email, the recipient must click on the attachment to this message, which is named "message_zdm.html." After the recipient enters his/her password (see below), the encrypted email will be displayed and any attachments to the email will be available.
The recipient may respond to this email when it is displayed by clicking the "Reply," "Reply All," or "Forward" button, and that response or forwarded email will also be encrypted.
NOTE: Messages will only remain open for 15 minutes before timing out. After that, the recipient must log back into the server and reopen the message to redisplay it.
In order to retrieve an encrypted email from the secure server, a user who is not on the NYSEmail system must first establish a password. The user will be prompted to create a password the first time a message is retrieved. This password should be retained by the user as it can then be used to retrieve any other encrypted mail from OAH. A "Forgot Password" prompt is available.
Appendix I contains detailed instructions about establishing a password and about sending and receiving encrypted emails using EHE.
Appendix II contains OTDA's definitions of confidential and non-confidential information.