Nations across the globe are taking regulatory action to reduce the ransomware threat. In March, for example, new U.S. ransomware reporting requirements were signed into law. Covered entities that experience a cyber incident must report it to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the covered entity believes that the incident occurred. Additional guidance is still being worked on, but at a minimum the following requirements will be included:

- Identify and describe the function of the affected information systems and networks that were, or are reasonably believed to have been, affected by the cyber incident.
- Describe the unauthorized access that caused substantial loss of confidentiality, integrity, or availability of the affected information systems or networks, or disruption of business or industrial operations.
- Estimate the date range of the incident.
- Assess the impact on the operations of the covered entity.
- Report ransomware payments within 24 hours after they have been made.
- Submit to CISA any new or different information that becomes available about the ransomware attack.
- Preserve data relevant to the covered cyber incident or ransom payment.

Think of that list. Would you be able to report within 72 hours that you'd had a ransomware incident? Wouldn't you still be in the middle of trying to recover from it? This is often the major difference between smaller and larger businesses. Small businesses just want to get back in business. They often don't want to deal with the reporting side or, worse, would not have the means to notify every impacted customer that their data is at risk.

While ransomware notification is not yet mandated, data breach notifications are for many firms.
The application for a cyber insurance policy for my firm asked for the number of people whose personal identity information was in my network. Businesses often have information silos and hidden databases that we are unaware of and are not protecting.

Managing compliance through Microsoft Purview

Microsoft has products to help the Microsoft 365 customer identify such information and learn how to better protect it, but this compliance category of software and services is not often talked about outside large enterprises. Microsoft's compliance products have had a recent name change: they are now called "Purview." You'll want to test out the various compliance options in the Purview portal. The information it provides for the European Union's General Data Protection Regulation (GDPR), for example, might also be relevant to your firm's other data breach notification requirements. Financial firms might want to review the guidance for the U.S. Gramm-Leach-Bliley Act (GLBA), which mandates consumer privacy. It's an eye opener to consider all the worldwide regulations that may affect your firm without your being aware of them.

In the Purview portal you can review what adjustments and changes you may need to make in your organization. Like other Microsoft consoles, the Purview console rates your organization and gives it a compliance score that you can work to increase. With solutions ranging from data loss prevention, eDiscovery, information protection, and insider risk management to records management, beginning the process of analyzing the information inside your firm will help you discover the hidden silos of information and databases you didn't realize you had.

Setting rules in Purview

Too often we focus on outside attackers and forget about the inadvertent internal "oopsie" that may release sensitive information.
For example, in the Purview compliance console you can set up a communication compliance rule that monitors email, Teams and Yammer conversations for sensitive information. You can set up custom lists of sensitive information types, like the one below, to be flagged should they be seen entering or leaving the firm. The Purview administrator will then be alerted when such information is not protected appropriately:

- ABA routing number
- Australia bank account number
- Australian company number
- Austria tax identification number
- Credit card number
- Croatia personal identification (OIB) number
- Czech personal identity number
- EU driver's license number
- EU national identification number
- EU social security number (SSN) or equivalent ID
- EU tax identification number (TIN)
- Germany tax identification number
- Hungarian social security number (TAJ)
- India unique identification (Aadhaar) number
- International classification of diseases (ICD-9-CM)
- Japanese my number personal
- Luxembourg national identification number (non-natural persons)
- Malta tax ID number
- Netherlands tax identification number
- New Zealand Inland Revenue number
- New Zealand Ministry of Health number
- New Zealand Social Welfare number
- Polish REGON number
- Portugal tax identification number
- Slovakia personal number
- Slovenia tax identification number
- U.S. bank account number
- U.S. driver's license number
- U.S. Social Security number (SSN)

The console even considers internal issues such as monitoring communications for offensive or threatening language. You can create a policy that uses a pretrained classifier to detect content containing profanities or language that might be considered threatening or harassing.

Keep an eye on Microsoft Purview and the additional guidance and resources the service brings to help you identify data that is subject to compliance requirements.
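To make concrete what a sensitive-information-type detector actually does, here is an added example (not Purview code, and not from the article's author) that scans constructed chat and email messages for three of the types listed above: credit card numbers, U.S. Social Security numbers and ABA routing numbers. It shows the two ingredients a practitioner cares about when tuning a rule like this: a pattern match, and a validation step (Luhn checksum for cards, the 3-7-1 weighted checksum for ABA numbers, structural rules for SSNs, a nearby keyword for routing numbers) that keeps ordinary nine- or sixteen-digit numbers from generating false-positive alerts. All sample messages and values are constructed; 4111111111111111 is a well-known test card number. Purview's built-in classifiers use their own patterns, confidence levels and supporting-keyword logic.

```python
import re
from typing import Dict, List

# --- validation helpers (reduce false positives after a pattern match) ---

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing number checksum: weights 3,7,1 repeating, sum must be 0 mod 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = [3, 7, 1, 3, 7, 1, 3, 7, 1]
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def ssn_plausible(digits: str) -> bool:
    """Reject structurally invalid SSNs: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


# --- patterns ---
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
NINE_DIGIT_RE = re.compile(r"\b\d{9}\b")
ABA_KEYWORDS = re.compile(r"\b(routing|aba)\b")     # supporting keyword must precede the number
KEYWORD_WINDOW = 40                                 # characters to look back for the keyword


def scan_message(text: str) -> Dict[str, List[str]]:
    """Return {sensitive type name: [matched values]} for one message."""
    findings: Dict[str, List[str]] = {}

    cards = [re.sub(r"[ -]", "", m.group(0)) for m in CARD_RE.finditer(text)]
    cards = [c for c in cards if luhn_ok(c)]
    if cards:
        findings["Credit card number"] = cards

    ssns = [m.group(0) for m in SSN_RE.finditer(text)
            if ssn_plausible(m.group(0).replace("-", ""))]
    if ssns:
        findings["U.S. Social Security number (SSN)"] = ssns

    abas = []
    for m in NINE_DIGIT_RE.finditer(text):
        window = text[max(0, m.start() - KEYWORD_WINDOW):m.start()].lower()
        if ABA_KEYWORDS.search(window) and aba_ok(m.group(0)):
            abas.append(m.group(0))
    if abas:
        findings["ABA routing number"] = abas

    return findings


# Constructed sample messages (hypothetical; not real customer data).
SAMPLE_MESSAGES = [
    "Hi, please wire the deposit to routing number 123456780, account 99887766.",
    "Card on file: 4111 1111 1111 1111, exp 12/26.",
    "New hire SSN is 123-45-6789, please add to payroll.",
    "Order 987654321 shipped; tracking 4111111111111112.",   # neither should be flagged
]


def scan_messages(messages: List[str]) -> List[Dict[str, List[str]]]:
    """Scan a batch of messages; the result list is aligned with the input list."""
    return [scan_message(m) for m in messages]


if __name__ == "__main__":
    for idx, result in enumerate(scan_messages(SAMPLE_MESSAGES)):
        status = "ALERT" if result else "ok"
        print(f"message {idx}: {status} {result}")
```

Message 3 is the tuning case: it contains a nine-digit order number and a sixteen-digit tracking number, and neither is reported, because the order number has no routing keyword nearby and the tracking number fails the Luhn check. When you build a custom list in Purview, the equivalent knobs are the confidence level and instance count on each sensitive information type; setting them too loosely produces exactly the noisy alerts that make administrators ignore the rule.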
While the service tends to be geared at this time toward large enterprises and government entities, as more and more privacy and data loss notification legislation gets implemented, even smaller firms will be looking for such compliance resources.