Managing Data Loss Protection (DLP) Alerts

Questions

• What is Data Loss Protection (DLP) and why is Bowdoin using it?
• What sensitive data does DLP detect and protect?
• What applications or services does DLP work in?
• What happens if I try to share sensitive data to people outside of Bowdoin?
• How do I share documents safely or get help if what I'm sharing is blocked?

Environment

• Bowdoin students, faculty, and staff using services in Microsoft 365:
  • Outlook (email)
  • OneDrive
  • Microsoft Teams/SharePoint
  • Microsoft 365 Copilot.
• Data Loss Prevention services run automatically to prevent accidental sharing of sensitive, personal data outside Bowdoin.

Answers

What Data Loss Protection (DLP) does

• DLP detects and protects sensitive data (Social Security Numbers (SSN), U.S./U.K. passports, U.S. driver’s licenses, bank and credit card numbers).
• When content is shared externally, DLP may show a warning, encrypt email, block external access, or limit Copilot processing.
  • DLP policies do not apply to sharing within Bowdoin.
• Overrides: You may see an option to proceed with a documented business justification. All overrides are logged and reviewed by IT Security.

What you’ll see

Email (Outlook): If an email message or attachment being sent to an external recipient appears to contain sensitive data, you may see a policy tip.

• Depending on the volume of sensitive data, the system may:
  • Automatically encrypt the message.
  • Block sending.
  • Allow you to “override” by providing a business justification.
• When an email triggers a DLP policy, you will receive an email from "PostMaster@bowdoin.edu" informing you if the message was encrypted or wasn't delivered to all recipients.

OneDrive: If a file in OneDrive contains restricted data you will see a red "blocked" icon next to the file.

• If shared externally, the receiver will see an "Access Denied" message. 
• You can override this block by opening the file and and clicking "More Options" in the Policy Tip. 

Teams channels: If a file in a Teams channel contains restricted data you will see a red "blocked" icon next to the file.

• External Team members will not be able to see these blocked files.
• You can override this block by opening the file and and clicking "More Options" in the Policy Tip. 

Teams chats: Messages shared with external participants that contain restricted data may be blocked from external access.  Clicking "What can I do?" in the Policy Tip may allow you to override and send the message.

Microsoft 365 Copilot and Copilot Chat: Content labeled or detected as “Restricted” may be limited or blocked from processing. You may receive a notice that certain content cannot be used. No override is available.

Share content safely

• Remove sensitive data before sharing externally.
• Store sensitive files in internal-only locations; use sensitivity labels if available.
• Read policy tips—they explain what was found and safer options.
• Never email restricted data. If you must share, use Teams or OneDrive.

What to do if you’re warned or blocked

• Email: Remove/redact sensitive data. If an override appears and your department has approved use for this case, provide a clear business justification. Otherwise, use an approved secure alternative.
• OneDrive/Teams: Redact or remove sensitive data and re-share; or restrict to internal users only.
• Copilot: Rephrase to avoid sensitive content or use non-restricted files.

If you need to share but are prevented from doing so

• Redact fields (e.g., show only last four digits where appropriate).
• Check with your supervisor for approved secure methods.
• Overrides (if offered) require a clear business reason and are audited by IT Security.

Additional Help

If you need further assistance, please contact the Bowdoin College Service Desk and do not share the sensitive data itself.