{"id":58842,"date":"2025-06-18T16:00:00","date_gmt":"2025-06-18T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=139469"},"modified":"2025-06-18T16:00:00","modified_gmt":"2025-06-18T16:00:00","slug":"data-breach-reporting-for-regulatory-requirements-with-microsoft-data-security-investigations","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/data-breach-reporting-for-regulatory-requirements-with-microsoft-data-security-investigations\/","title":{"rendered":"Data Breach Reporting for regulatory requirements with Microsoft Data Security Investigations\u200b\u200b"},"content":{"rendered":"

Seventy-four percent of organizations surveyed experienced at least one data security incident with their business data exposed in the previous year as reported in Microsoft\u2019s <\/span>Data Security Index: Trends, insights, and strategies to secure data<\/span><\/span><\/a>\u202freport.  Despite the best people, process and technology we can apply to prevent it, confidential information is sometimes improperly exposed.  Depending on the specifics of the incident, organizations must report these breaches to regulators, customers or other stakeholders.  <\/span> <\/span><\/p>\n

Regulatory standards like General Data Protection Regulation (GDPR), Gramm-Leach Bliley Safeguards (GLBA), Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), Network and Information Systems Directive 2 (NIS2), SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules and an ever increasing list of others require disclosure of data breaches to regulators and potentially to customers or other stakeholders.  <\/span> <\/span><\/p>\n

The requirements to report after an organization discovers the breach can be demanding.  For instance, under GDPR, any breach requires notification to the EU data protection authorities and potentially individual affected users within 72 hours from the time the breach is discovered.  <\/span> <\/span><\/p>\n

NIS2 requires and initial notification to the relevant national authority within 24 hours of detecting a significant cyber event and a detailed report within 72 hours.  <\/span> <\/span><\/p>\n

PCI-DSS requires merchants and service providers to immediately notify the credit card companies in the event of a breach.<\/span> <\/span><\/p>\n

Under the SEC rules, a company must file a Form 8-K within four business days of having discovered a material breach which must be done \u201cwithout unreasonable delay.\u201d  Materiality is determined by management based on the risk posed to shareholders by the exposed data.<\/span> <\/span><\/p>\n

Organizations discover they\u2019ve had a data breach from their security tools, unusual system behavior, reports from employees, customers or law enforcement.  Available information is often incomplete and scattered across systems.  Understanding the true scope of the breach is challenging.  <\/span> <\/span><\/p>\n

Scoping the breach is an exercise not only in enumerating files and instances of sensitive information but also understanding the context, what data is sensitive, and the degree of risk the various exposed data presents to the organization and its stakeholders.  <\/span> <\/span><\/p>\n

Management often turns to the CISO to understand the scope and risk of the data exposed to inform the organization\u2019s reporting.<\/span> <\/span><\/p>\n

There can be a huge volume of information available from the organization\u2019s IT systems that must be reasoned over in a short time.  Context is important as are semantics to understand the scope of the breach and risk to the organization, customers, other data subjects, employees and shareholders.  There will be high demand on the information security team and its service providers.  A force multiplier, in the form of artificial intelligence is needed to scope data breaches accurately and efficiently.<\/span> <\/span><\/p>\n

DSI, an integrated part of the Microsoft Purview Data Security solution, allows an administrator to search Microsoft 365, locates documents, emails, Teams messages, Copilot prompts and prompt returns relevant to a data breach.  Customers can also upload non-Microsoft 365 data to a SharePoint site for analysis.  <\/span> <\/span><\/p>\n

DSI reasons over the impacted data with Azure OpenAI, categorizes it in terms of the specific risks it poses to the organization e.g. credentials, customer information, health, financials and a range of other types of data exposed.  It goes beyond keywords using deep content analysis to understand the nature and risk severity of the data.  This can be part of determining the materiality of a breach for reporting purposes.<\/span> <\/span><\/p>\n