Privacy is a big deal to many individuals, but often they really don’t think how to extend that privacy to their actions at work. It isn’t just important to protect your own privacy. For real privacy, we must also protect the privacy of others, the privacy of the data we store, the privacy of the data that we send. It is easily combined with security and, in many cases, probably should be. IT is coming under more and more scrutiny as malware and ransomware are sporting hundreds of percents in incident increases this year alone. Implementing security policies that enhance privacy is what we need to do to protect ourselves, our clients, and the people we work for. Fortunately, Microsoft 365 has a lot of privacy and security settings that make this task a little easier.
Exchange transport rules
Recently, I wrote an article showing you how to deploy a couple of Exchange rules that can be used to enhance the privacy of customers. These are encrypted on-demand and rules to keep some email chains internal. Both make use of transport rules in Exchange. Both of these rules make use of keywords to identify the content that you want to protect.
Data loss prevention (DLP)
Another method for implementing data privacy is data loss prevention. DLP requires a higher level of licensing than some people have, but as you move from Office 365 to Microsoft 365, you’ll find it included.
Data loss prevention is all about labeling documents so that you know what level of protection a particular document requires. It’s also key in privacy and compliance for legislation like HIPAA.
DLP requires a user to understand something about privacy and security. That’s not a trivial matter, but these days we have much higher expectations of people who handle business data, and that is unlikely to reverse course. We also have the capability of automatically assigned DLP policies using data-watching bots.
Implementing DLP policies is a big IT project. My staff has spent about 12 hours in training so far, and I’ve spent far more than that. We’ve rolled them out to ourselves and are just now beginning to roll it out to our clients. It’s not only a technical challenge, but it also requires knowledge of the customer’s business and the soft skills to guide them through the process of identifying different levels of data.
You have to start somewhere with this project, and while Microsoft provides some default policies, we think it best to begin with our own so that they are consistent with others that we’ll add later. We decided to start with Confidential and Confidential View Only.
Together, these two policies allow the company to begin the process of labeling by looking inward at what information is private information. After that, we could add labels for files that contain sensitive information relating to clients, like application license codes, orders, usernames, etc. That way, when a vendor sends us an email that contains information like this, we can immediately label it and apply the necessary protections to keep that information private. Even if our vendors don’t consider something to be the private information of the end-client, we do, and now we can protect it that way. If you’re in manufacturing, perhaps it is drawings and processes that need to be protecting. If you operate in the health-care sector, it’ll be everything about the patient. If your business is in the law field, everything about cases. Each business will have its own set of private information to protect.
In our Confidential View Only policy, we’ve not only labeled it but also applied file protections. In this case, we take ownership of the file by making ourselves co-owner and encrypting the file. This way, any sensitive information that is delivered to us via email can be easily protected. These labels don’t just apply to email; they traverse and are accessible in all of the data storage locations in Microsoft 365. So, no matter where data lands, we can apply the same labeling to it. In addition, no matter where the files go, even if it drifts into personal space or outside the company, the label and restrictions are still in effect.
Default DLP policy
The default DLP policy automatically protects data with sensitive information like credit cards, SSNs, and more, and when it does, it keeps those documents from exiting the company. This also assists in helping us protect our customers’ privacy.
And when that policy is tripped, the following actions are applied to the file.
GDPR and customer lockbox
Going further along in this process, Microsoft 365 also has a GDPR center to monitor and walk you through complying with the General Data Protection Regulation. While that’s an EU law, it applies to anyone doing business with any person or business in the EU. Most countries of the world, except the United States — although many states have enacted their own rules — have implemented data privacy laws that are similar. Privacy is bound to come to the U.S. eventually, so getting familiar with this dashboard will help you get a leg up on that and can assist you in your own privacy journey.
If you have the GDPR Dashboard available, you’ll find it here.
Customer lockbox is a privacy feature that lets you specify that any access to data in Microsoft 365 requires your explicit permission to access and then only for a specified period. This applies to support situations where Microsoft might need to help resolve and email problem with your mailbox, for example, or a problem with Microsoft Teams. Since those stores contain data, the support staff would have to get your explicit permission to enter those areas. This relates to privacy because one of the cardinal rules of privacy is to know who may have seen the data.
If you have this feature available, you’ll find in the admin center under Settings/Org-Settings, then move to the Security & Privacy tab. Implementing is as simple as checking the box.
Time-based data access
In OneDrive and SharePoint, we can specify by policy that when data access is granted to an external person that that access expires after a number of days by default. That way, shared data doesn’t continue to be share out forever. Again, this speaks to the goal of always knowing who is accessing the private information and limiting the scope of that access. In days of old, we used to remind clients to clean up their FTP server to remove access, clean up files that no longer need to be shared, and it was always difficult to get them to spend that time. Now we can just set a policy that makes it happen. Those shared files from OneDrive and SharePoint simply expire, and notifications are sent when they are accessed.
Getting users to stop attaching files to an email is a compatible goal. It’s a hard row to hoe, but stopping file attachment is the only way to maintain control over your data because once you attach a file to an email, it belongs to the person you sent it to.
Is this privacy or security? Technically, it’s security, but any data in the wrong hands at the wrong time could turn into a privacy or security nightmare. It could be the privacy of the person or the privacy of the corporation or, in the case of government contracts, the privacy of the DoD that we need to secure.
There are some excellent tools for protecting the privacy of the data we create, the data we receive, and the data we store in Microsoft 365. Some of this requires licensing, but much of it rides along with the full Microsoft 365 suite subscriptions.
Traditional definition of privacy
Microsoft has added privacy controls to Microsoft 365, and they provide visibility in the Trust Center. You can manage privacy from Microsoft for Windows, macOS, iOS, and Android. This article will get you started on that journey.
The Trust Center is another place where Microsoft reveals its privacy stance. Microsoft takes privacy very seriously, and right at the top, they say this:
Privacy is a fundamental human right. We are committed to providing products, information, and controls that let you choose how your data is collected and used. — Brad Smith, president & chief legal officer
Microsoft 365 privacy: There’s a lot there
Microsoft 365 has really put a lot of thought into privacy and provided us with many tools. Now we just have the job of implementing the policies, rules, alerts, and staff training that make privacy a normal part of doing business.
Featured image: Shutterstock / TechGenix photo illustration