Good morning. This may be an edge case, but I can't imagine we're alone in this situation with all the data breaches out there. My security team is asking questions, and I confess I'm not 100% sure on how to answer them.
Use Case: A developer (agent) was working a ticket to resolve an issue with our Customer Billing System. As an example of the data he was pulling from the system, he attached a spreadsheet which contained PII to a comment on the ticket.
Behavior: The service desk system accepted the comment, but the user didn't notice the attachment, so the developer sent an e-mail containing the spreadsheet to the user in a second email, which mentioned the comment in the ticket. Our PII rules in M365 flagged the email and alerted my Security team to the presence of PII in a ticket.
Problem: My security team is asking what other tickets have PII and how we can be alerted when it happens. SWSD is a cloud system, and any sort of breach would mean we have a duty to inform the state of California of such a breach, but only if we can identify and find situations where there is PII in a ticket like this.
I've seen regex in Automation rules, and that seems like it might be able to alert my security team if we have PII going into a ticket (we are using regex in both M365 and Mimecast, so we have some ready-built rules we can draw from), but it's not exactly clear what the "Keyword" search is actually looking at. Is it looking at everything in the title to my question? Title, Description, Fields, Comments, and attachments?
Is there any other functionality we could use to accomplish these kinds of alerts?
Thanks.