Exchange Online DLP is a built-in security feature of the Exchange Online server that scans your draft email composed in Outlook desktop client and Outlook Web Application (OWA) for social security, debit, and credit card numbers in combination with keywords such as "CC" or "SSN". These items are considered sensitive data and must be encrypted at rest and in transit, which means at all times: before, during, and after it is sent. Sending this information in the body of an email unencrypted is against university standards. For a full list of information that is considered sensitive, see this support page.

If you need to send sensitive information via email, you have several options

• Create an encrypted document containing the information and then send that encrypted document as an attachment.
• Encrypt the email before sending
• Use Microsoft 365 Sensitivity Labels available in Azure Information Protection to help protect the information.

Please see http://www.security.vt.edu/sensitiveinfo.html for more information.

DLP Policy Warning Content

If the DLP detects sensitive content, it displays the following message at the top of the email.

“Policy Tip: This item appears to contain the following sensitive information: U.S. Social Security Number (SSN)[and/or Credit Card Number if applicable]. Please be aware of the Virginia Tech sensitive data protection policy at https://it.vt.edu/content/dam/it_vt_edu/policies/Standard-for-High_Risk_Digital_Data-Protection.pdf.”

If the user hovers over the words Policy Tip, they will see an additional popup with the following message. Clicking the Report button sets a flag on the information that can be reviewed later.

This message appears to contain the following sensitive information
- Credit Card Number (if detected)
- U.S. Social Security Number (SSN) (if detected)

If you don't think this information is sensitive, please report.  

The DLP policy does NOT prevent a user from sending an email.  It simply warns the user that the email may contain sensitive information. If the user still sends the message, they will receive an email containing the original message with the same Policy Tip.