Service Description
U-M faculty, staff, and students can add an extra layer of security to their U-M Gmail email messages by using Virtru. Virtru allows you to send end-to-end encrypted email. You choose whether to turn encryption on for each email that you send. Virtru includes a number of security features and options to help you control access to the email that you send when using the tool. With Virtru you can see whether the recipient has opened the email, prevent an email from being forwarded, set an expiry date beyond which the email cannot be read, revoke the ability to read an email after it has been sent, and more.
Compliance
Virtru provides end-to-end encryption for individual U-M Gmail messages. While this provides additional security, some types of sensitive regulated data may not be sent through email, encrypted or not.
While you can use Virtru encryption to send Social Security numbers in email if required by law or essential business processes, you should generally not send them through email. It is preferred that you use institutional resources designed to house this data, such as the Data Warehouse. Information Assurance (IA) can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IA via the ITS Service Center.)
Additional requirements when using Virtru with Export Controlled Research:
- Contact the Export Control Program before using Virtru. Before using Virtru for Export Controlled Research, update your Technology Control Plan (TCP) and contact the Export Control Program at [email protected] to ensure that your use is properly documented.
- Do not send to specified countries. Export Controlled Research data cannot be intentionally sent to the following countries or foreign persons, even with the use of Virtru: Afghanistan, Belarus, Central African Republic, China, Congo, Cuba, Cyprus, Eritrea, Haiti, Iran, Iraq, Myanmar (Burma), North Korea, Lebanon, Libya, Somalia, South Sudan, Sudan, Syria, Venezuela, and Zimbabwe.
- Always use Virtru for emails with Export Controlled Research. Any emails that contain Export Controlled Research data must be encrypted using Virtru, even if sent to project team members or other U-M users.
- Do not transmit Export Controlled Research that is also Controlled Unclassified Information (CUI). Export controlled data that are also categorized as CUI CANNOT be transmitted via Virtru or any other commercial email service.
- Turn Virtru on before adding data. Be sure to enable Virtru encryption BEFORE adding Export Controlled Research data to your email. Virtru will encrypt draft emails before storing them in Google at U-M if it is turned on.
- Only share with authorized persons. Export Controlled Research data should only be sent to individuals who are approved to receive it.
- Do NOT put Export Controlled Research or other sensitive data in the subject line. The subject line is not encrypted.
- Large data transfers/ongoing storage. While email encrypted with Virtru is approved for sharing of Export Controlled Research data, we recommend using other solutions for large data transfers and/or ongoing data storage.
- Consider using additional Virtru features. Use Virtru's Disable Forwarding and Expiration Date features for additional security unless there are compelling reasons not to (for example, when sharing data with project sponsors who will need to reshare within their organization).