Forum Discussion
Compliance Center DLP Policy Tips
Greetings!
We are in the middle of implementing the Compliance Center DLP solution using a variety of the advanced rules. We really love the idea of Policy Tips providing guidance to users on what they should do with their sensitive data. Our model is that we are allowed to send sensitive data to intended and verified recipients as long as it is encrypted.
So we have some rules that look for HIPAA and PII and inform the user that they should encrypt before sending. The selling point for us was the ability to provide users an override to the policy in cases where encryption wasn't necessary. It is less common, but makes up about 10% of our use-case.
Minus the normal bumps and issues, we are mostly happy with the way the system works! Users can override, encrypt, and we get good visibility on why users are sending data unencrypted if they do, so we can retrain or tune the system. Our issue is, of course, the wonkyness of the PolicyTips and how it checks for certain conditions and may or may not clear when a condition is met/not-met.
Issue: A user composes an email headed out of our company that contains sensitive data. The system catches this and throws a Policy Tip requiring they encrypt or override. They say, "oh ya! Thanks for reminding me" and hit that encrypt button. This doesn't clear the Policy Tip or the block condition and they cannot send the email, even though it is encrypted.
What I've Tried: I added the exception onto the rules to exempt if the Message Type is: Permission Controlled. I tried Message Type: Encrypted, but it doesn't work correctly at all. With this setup, everything works except the Policy Tip, which get stuck.
Example: blue box is original PolicyTip. Red box is button encryption.
Current Work-Around: The users hate it, because the button is way easier than the subject tags. Our current work-around is to "Clear the Policy Tip" by 1) Remove encryption by clicking link in PolicyTip, 2) Remove Recipient using same method inside Policy Tip. This resets the Policy Tip, so then the user can push the Encrypt button first, then add recipients, without redrafting the whole email.
Help!! What sort of logic do I need to make the Encrypt button clear out the Policy Tips? Or is this just it? Workaround city!
Thanks for reading and I'd love any help or guidance. Trust me, I've read every docs.microsoft article I can find about Policy Tips and DLP. But I'll take some more if you have them if they are relevant.
Hello jjboffy , I realize your question is 3 years old, but hopefully this will be helpful to others.
Our Purview setup is similar to yours.
A better workaround that we found -- since "Message Type is" is not currently compatible with policy tips (see: https://learn.microsoft.com/en-us/purview/dlp-ol365-win32-policy-tips#conditions-that-support-policy-tips-for-outlook-for-microsoft-365-users) -- is to have one Purview policy in enforced mode, containing the "message type is" exception (which corresponds to when people click the "encrypt" button) and no policy tip, but have a 2nd policy, which has a policy tip, but doesn't contain the incompatible condition (message type is.) This 2nd policy is in simulation mode with policy tips.
This way, people can still see the policy tip, but it doesn't prevent them from sending the message.
The only downside is that clicking the "encrypt" button doesn't dismiss the policy tip.
