Why are my DLP policies for credit card and social security numbers not triggering as expected?
This article provides guidelines for configuring the default credit card and social security numbers dictionaries so that your Data Loss Prevention (DLP) policy triggers as expected.
The default Credit Cards and Social Security Numbers (US) dictionaries use both the Number of Violations Threshold and Confidence Score Threshold. For more details about configuring DLP dictionaries, see How do I configure the DLP Dictionaries and Engines?
- Zscaler recommends that you set any value greater than 1 for the Number of Violations Threshold of a dictionary. Configuring a dictionary to have a Number of Violations Threshold value of 1, and a low Confidence Score Threshold results in too many false positives. To counterbalance the number of false positives, the service treats violation counts of one as false positives and ignores them. As a result, the DLP policy is not triggered.
- The default Credit Cards and Social Security Numbers (US) dictionaries are intended for bulk leaks of numbers, not individual leaks of numbers. Therefore, a violation count of one will not trigger the DLP policy if both the Number of Violations and Confidence Score thresholds are low. If you want to set the Number of Violations Threshold value to 1 to catch the leaks of single numbers, please set a Confidence Score Threshold value of High so that the dictionary does not determine a violation count of one to be a false positive.
- Rich Text Format (RTF) files contain formatting code that can mimic credit card and social security numbers, affecting when a DLP rule is triggered. Plain text files do not contain this formatting code, therefore the DLP rule triggers as expected. So that the DLP policy triggers if confidential numbers are leaked in RTF files, please set any value greater than 1 for the Number of Violations Threshold of the dictionary, or set a Confidence Score Threshold value of High if you prefer a lower Number of Violations Threshold.