At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email.
Why This Matters
Email is a primary vector for data exfiltration, and sensitive data such as credit card numbers, Social Security numbers, and Individual Taxpayer Identification Numbers is both a frequent target for attackers and easy for employees to share by accident. Without a Data Loss Prevention (DLP) policy that restricts these data types, your organization risks compliance violations, financial penalties, and reputational damage under regulations and standards such as GDPR, HIPAA, or PCI DSS. Blocking these common sensitive information types in email is a baseline control recommended by both CISA and CIS.
What Aether365 Checks
This check verifies that your Microsoft 365 Data Loss Prevention (DLP) solution includes policies that restrict the sharing of credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email. A policy that exists but runs in test (simulation) mode, or whose rules only audit or notify without blocking, does not actually restrict sharing and should not be counted as meeting the requirement. The check appears in the Aether365 dashboard under the microsoft-365 service category and flags non-compliant tenants at medium severity.
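The following is an added example of how an administrator could audit a tenant for this requirement with Security & Compliance PowerShell; it is not Aether365's own check logic. It uses the real Get-DlpCompliancePolicy and Get-DlpComplianceRule cmdlets from the ExchangeOnlineManagement module and Microsoft Purview's built-in sensitive information type names. The helper names (Get-SitNames, Test-EmailDlpBaseline) are assumptions made for this example, as is the assumption that sensitive information types are identified by a "name" key at any depth of a rule's ContentContainsSensitiveInformation structure.

```powershell
# Added example (not Aether365's code): audit an Exchange Online tenant for a DLP
# policy that actually blocks credit card, ITIN and SSN data in email.
# Prerequisites: Install-Module ExchangeOnlineManagement; Connect-IPPSSession
# The three names below are Microsoft Purview's built-in sensitive information types.

$RequiredTypes = @(
    'Credit Card Number',
    'U.S. Individual Taxpayer Identification Number (ITIN)',
    'U.S. Social Security Number (SSN)'
)

function Get-SitNames {
    # Recursively collect every 'name' value from a rule's
    # ContentContainsSensitiveInformation value, which may be a flat list of
    # entries or nested groups (assumption: 'name' keys identify SITs at any depth).
    param($Node)
    if ($null -eq $Node -or $Node -is [string] -or $Node -is [ValueType]) { return }
    if ($Node -is [System.Collections.IDictionary]) {
        foreach ($key in @($Node.Keys)) {
            if ($key -eq 'name') { $Node[$key] } else { Get-SitNames $Node[$key] }
        }
    } elseif ($Node -is [System.Collections.IEnumerable]) {
        foreach ($item in $Node) { Get-SitNames $item }
    } else {
        foreach ($p in $Node.PSObject.Properties) {
            if ($p.Name -eq 'name') { $p.Value } else { Get-SitNames $p.Value }
        }
    }
}

function Test-EmailDlpBaseline {
    # Returns $true only when an enabled, enforced (not test-mode) policy that
    # covers all Exchange locations has an active rule that blocks all three types.
    $policies = Get-DlpCompliancePolicy | Where-Object {
        $_.Enabled -and
        "$($_.Mode)" -eq 'Enable' -and
        (@($_.ExchangeLocation | ForEach-Object { "$_" }) -contains 'All')
    }
    foreach ($policy in $policies) {
        $rules = Get-DlpComplianceRule -Policy $policy.Name | Where-Object {
            -not $_.Disabled -and $_.BlockAccess
        }
        foreach ($rule in $rules) {
            $names   = @(Get-SitNames $rule.ContentContainsSensitiveInformation)
            $missing = @($RequiredTypes | Where-Object { $names -notcontains $_ })
            if ($missing.Count -eq 0) {
                Write-Host "PASS: policy '$($policy.Name)', rule '$($rule.Name)' blocks all required types"
                return $true
            }
            Write-Host "INFO: rule '$($rule.Name)' blocks, but is missing: $($missing -join ', ')"
        }
    }
    Write-Host "FAIL: no enabled, enforced DLP rule blocks credit card, ITIN and SSN in email"
    return $false
}

Test-EmailDlpBaseline
```

The filters are the parts practitioners most often overlook: a policy left in TestWithNotifications or TestWithoutNotifications mode, a policy scoped to a handful of mailboxes rather than all Exchange locations, or a rule that only generates incident reports without BlockAccess will all look like "DLP is configured" in the portal while restricting nothing.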