Reporting violators of DLP policies
We use a DLP solution, Digital Guardian, at our healthcare organization. Based on set rules, emails that are detected to have PHI and PII are encrypted, even if the user does not initiate the encryption. Whenever someone does not encrypt a message with PII or PHI, we get alerted. Then, we send an email to the violator, adding people such as the CISO and chief compliance staff members to chime in. Is this necessary? I do not want to be a tattletale, but I also don’t want people violating security policy. Is there a better route to take, such as educating the user on the importance of email encryption and/or reporting violators to the compliance office without putting the user on blast?