Microsoft Secure

Data Breach Reporting for regulatory requirements with Microsoft Data Security Investigations

Seventy-four percent of organizations surveyed experienced at least one data security incident with their business data exposed in the previous year as reported in Microsoft’s Data Security Index: Trends, insights, and strategies to secure data report.  Despite the best people, process and technology we can apply to prevent it, confidential information is sometimes improperly exposed.  Depending on the specifics of the incident, organizations must report these breaches to regulators, customers or other stakeholders.   

Regulatory standards like the General Data Protection Regulation (GDPR), Gramm-Leach-Bliley Safeguards (GLBA), Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), Network and Information Systems Directive 2 (NIS2), the SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules, and an ever-increasing list of others require disclosure of data breaches to regulators and potentially to customers or other stakeholders.

The requirements to report after an organization discovers the breach can be demanding.  For instance, under GDPR, any breach requires notification to the EU data protection authorities and potentially individual affected users within 72 hours from the time the breach is discovered.   

NIS2 requires an initial notification to the relevant national authority within 24 hours of detecting a significant cyber event and a detailed report within 72 hours.

PCI-DSS requires merchants and service providers to immediately notify the credit card companies in the event of a breach. 

Under the SEC rules, a company must file a Form 8-K within four business days of having discovered a material breach, and the determination of materiality must be made “without unreasonable delay.”  Materiality is determined by management based on the risk posed to shareholders by the exposed data.

Organizations discover they’ve had a data breach from their security tools, unusual system behavior, or reports from employees, customers or law enforcement.  Available information is often incomplete and scattered across systems, so understanding the true scope of the breach is challenging.

Scoping the breach is an exercise not only in enumerating files and instances of sensitive information but also understanding the context, what data is sensitive, and the degree of risk the various exposed data presents to the organization and its stakeholders.   

Management often turns to the CISO to understand the scope and risk of the data exposed to inform the organization’s reporting. 

There can be a huge volume of information available from the organization’s IT systems that must be reasoned over in a short time.  Context and semantics are both important to understanding the scope of the breach and the risk to the organization, customers, other data subjects, employees and shareholders.  There will be high demand on the information security team and its service providers.  A force multiplier, in the form of artificial intelligence, is needed to scope data breaches accurately and efficiently.

Data Security Investigations (DSI), an integrated part of the Microsoft Purview Data Security solution, allows an administrator to search Microsoft 365 and locate documents, emails, Teams messages, and Copilot prompts and prompt returns relevant to a data breach.  Customers can also upload non-Microsoft 365 data to a SharePoint site for analysis.

DSI reasons over the impacted data with Azure OpenAI and categorizes it in terms of the specific risks it poses to the organization, for example credentials, customer information, health data, financials and a range of other types of exposed data.  It goes beyond keywords, using deep content analysis to understand the nature and risk severity of the data.  This can be part of determining the materiality of a breach for reporting purposes.

Figure 1 – Exposed data is automatically categorized and assessed for risk severity by AI

DSI can categorize and report on data based on predefined risks.  It can also search for custom categories important to the investigator.  It uses vector-based semantic search to identify similar information and user intent even in the absence of keywords.

DSI understands data in multiple languages, so it can categorize and answer questions about data even in languages the investigator doesn’t read.  DSI uses Copilot to assist the investigator throughout the examination with interactive answers to questions in natural language.

Figure 2 – DSI investigation page with scope and progress of the investigation with risk and mitigation reporting

Data breaches can result from the actions of external bad actors or trusted insiders.  They can result from intentional or accidental exposure.  DSI helps organizations to investigate all of these.   

DSI can launch an investigation directly from a case in Purview Insider Risk Management (coming soon) or from an incident in Microsoft Defender XDR.

Figure 3 – DSI investigation can be initiated directly from a Purview Insider Risk Management case

DSI can also initiate an investigation from its own part of the Purview Portal with or without the use of predefined search templates.   

We’re focusing on data breach reporting in this article, but DSI is a full-scope investigatory tool for data security. DSI correlates the compromised data with the users who interacted with it so that the source of the leak can be identified.  DSI examines the data for credentials, security risks and evidence of threat actor discussion, explains its assessment and suggests mitigations, helping in the investigation and remediation.

Figure 4 – DSI visualizes the correlations between exposed data and users that have interacted with the data

Controls can be applied and vulnerabilities addressed to minimize the chances of a next data breach.  

Role Based Access Control (RBAC) ensures that only users authorized to work with DSI will have access to this sensitive information and can collaborate on the investigation securely.   

As part of scoping the DSI investigation, the investigator can triage, include or exclude data sources or locations, and deploy the AI to reason over the data, surface insights and risks, drill down, and prepare reporting.

DSI is a pay-as-you-go, consumption-billed service.  An organization does not need a Purview license to use DSI.  The ability to triage and scope allows the analyst to keep investigation costs predictable.

DSI saves security teams time as they work to scope breaches accurately in the time allowed by regulatory requirements.  It is an essential tool for data breach response, protecting the organization and allowing efficient, auditable compliance with regulatory standards. 

If you’d like to learn more about DSI: 

  • Try DSI: Your Global Admin can begin using DSI by activating Purview pay-as-you-go billing and provisioning Security Compute Units as part of the current Public Preview.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


Note: This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel. 
