Question: Is it safe to put CSS case information in Office 365 products?
The short answer for Federal Tax Information (FTI) is no: CSS does not put FTI in any O365 product.
For example: The Excel Arrears Computation spreadsheet can contain FTI and must not be stored in Office 365 products.
The longer answer concerns customer Personal Identifying Information (PII).
DHS Office 365 is in the Azure Government Cloud, which does offer a greater level of security for our data than the commercial cloud. However, CSS staff must exercise caution when putting case information in O365 products.
Sharing is a central part of Office 365, and Microsoft has implemented sharing functionality into almost every tool (or App) for managing Office 365. Most of the sharing now occurs through SharePoint and OneDrive and is integrated into the other available tools like Teams and Delve.
For instance, documents uploaded into a channel on Teams land in SharePoint. Who can see those documents depends on whether the Teams channel is public or private. If a Teams channel is public, the documents are accessible to anyone in the organization via SharePoint (even if they are not actually a member of that channel). They can be found just by looking at an individual’s profile on Delve. If the Teams channel is private, the documents are accessible to any member of that channel.
OneDrive also allows easy file sharing. Staff can easily share a document or a folder of documents with multiple people. But it’s important to ensure that the individuals with access at any given time are appropriate.
When using O365 tools to house any CSS case data, staff must ensure they are not giving access to someone who should not have it, both at the time of upload and in the future. If staff do not know who has access to a Teams channel or SharePoint site, or whether it is public or private, they should not upload CSS case data there. This is new technology for many of us, and the responsibility is on the user to ensure there is not a security breach.
Per the State of Oklahoma PII breach notification law, PII includes first name and last name or first initial and last name in combination with SSN, driver’s license #, bank account #, or credit card #. DOB, Address, DCN and FGN are also considered PII when used in conjunction with other identifying information.
Even when the breach is unintentional, security breaches often require an investigation by the Office of the Inspector General (OIG) and in many instances a formal notice of a breach must be sent to the affected party (CPs and NCPs for CSS).
We would urge all CSS staff to be cautious when putting any CSS case data in O365 products because of the increased opportunity for an unintentional security breach.
Also, see the CSQuest article FTI: Using the Shared Documents folder.