DLP - Troubleshooting & Understanding Social Security Numbers
Situation | Your Data Loss Prevention (DLP) is experiencing issues with Social Security Numbers (SSN). |
---|---|
Solution | See below for information on how we scan for SSN. |
SSN usage in DLP
Usage
SSN detection in DLP can support HIPAA compliance, among other things. Using DLP may be a mandatory/regulatory requirement or a choice.
Combine Smart ID and Dictionary
When using SSN as the smart ID, it is best paired with an associated Dictionary to reduce false positives.
SSN Guide
SSNs fall into two formats. Depending on which DLP is used, we scan for either or both formats.
- Formatted - Matches ###-##-####
  - 3-2-4 format
- Unformatted - Matches #########
  - 9-digit format
SSN in Smart Identifier set-up
Restrictive Social Security Number - checks only for formatted
Social Security Number - checks for both formatted and unformatted
SSN Check
Proofpoint checks the validity of an SSN. There are sites where you can test SSNs to see whether they are valid. Valid SSNs will trigger the filter. If you test with an invalid SSN, the message may not trigger the SSN filter if the number does not pass the standards used for creating SSNs.
Exclusions
Below are the known exclusions to the SSN DLP.
- All zeroes in any group
- Numbers that start with 666 or 00
- Numbers in the range 87654320 to 87654329
- In addition, the number must be a valid SSN. Invalid SSNs will not be encrypted.
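The formats, smart identifier modes and exclusions above can be approximated locally to predict whether a test value should trigger the filter. The Python below is an added example, not Proofpoint's implementation; `find_ssns`, `is_excluded` and the dictionary terms are hypothetical, and it assumes the eight-digit range listed above applies to the last eight digits of the number.

```python
import re

# Formatted (3-2-4 with hyphens) and unformatted (9 consecutive digits) candidates.
FORMATTED = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
UNFORMATTED = re.compile(r"(?<![\d-])(\d{3})(\d{2})(\d{4})(?![\d-])")

# Constructed dictionary terms; a real deployment would use its own Dictionary.
DICTIONARY = ("ssn", "social security", "soc sec")


def is_excluded(area, group, serial):
    """Apply the exclusions listed on the page to one candidate."""
    if int(area) == 0 or int(group) == 0 or int(serial) == 0:
        return True  # all zeroes in any group
    digits = area + group + serial
    if digits.startswith(("666", "00")):
        return True
    # Assumption: the page's eight-digit range refers to the last eight digits.
    return 87654320 <= int(digits[1:]) <= 87654329


def find_ssns(text, restrictive=False, require_dictionary=False):
    """Return SSN candidates in text that survive the exclusions.

    restrictive=True checks formatted numbers only; require_dictionary=True
    reports hits only when a dictionary term also appears in the text.
    """
    if require_dictionary and not any(t in text.lower() for t in DICTIONARY):
        return []
    patterns = [FORMATTED] if restrictive else [FORMATTED, UNFORMATTED]
    hits = []
    for pattern in patterns:
        for m in pattern.finditer(text):
            if not is_excluded(*m.groups()):
                hits.append(m.group(0))
    return hits


# Constructed sample messages, not real data.
SAMPLES = [
    "Employee SSN: 123-45-6789",
    "Order 123456789 shipped today",
    "SSN on file: 666-12-3456",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", find_ssns(s), "| restrictive + dictionary:",
              find_ssns(s, restrictive=True, require_dictionary=True))
```

The second sample shows why pairing the smart ID with a Dictionary matters: a bare nine-digit order number matches the unformatted pattern unless a dictionary term is also required.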
For additional information on the overall DLP, please see Data Loss Prevention (DLP) FAQs