I have set a MS O365 DLP policy to stop Social Security Numbers in email (including sent to or sent from outside and within our company). The policy was fully tested and working properly within the last 10 days. Now I have found the policy will not consistently block the email when the social security number is in the body of the email.
We are using policy tips.
It seems that sometimes SSNs with dashes are identified (policy tips are displayed) and SSNs with no dashes are not identified (no policy tips are displayed). Other times it is the opposite - where SSNs with dashes are not identified (no policy tips) and SSNs with no dashes are identified (policy tips are displayed).
In all of this testing, the keyword SSN or Social Security Number is right before the actual number.
When SSN appears in an attachment, either with or without dashes it is identified and policy tips are displayed.
I have also found the same issues when attempting to send email from an outside sender - when SSNs are in the body of the email, they are not blocked, and when SSNs are in the attachment, they are blocked.
We need to be able to block Social Security Numbers from being transmitted in emails.
Does anyone know any options? How have the DLP policies in MS worked for others? I do not see where any DLP data is in the Audit logs. Are there any other locations to provide any information on the DLP activity?
I have seen references to using Transport rules for blocking SSN - anyone have any thoughts (positive or negative)?