If emails marked with sensitivity labels can become available to Copilot due to code issue how vulnerable are the current data protection or isolation mechanisms in Microsoft 365?

Question

Issue ID CW122634

Users' email messages with a confidential label applied are being incorrectly processed by Microsoft 365 Copilot chat.

Answer 1

Nothing can protect your data from code changes, be it intentional or unintentional ones. And this goes beyond Copilot, or Microsoft in general - it's inherent to the SaaS model where data for multiple customers is stored on the same physical infra. There's an implicit trust that the service provider will handle it properly... until they don't.

If this is a concern for you, explore solutions such as BYOK: https://learn.microsoft.com/en-us/purview/rights-management-byok

Answer 2

Microsoft 365 employs a multi-layered defense strategy to protect organizational data, including mechanisms to prevent unauthorized access and data leakage. The permissions model ensures that data is only accessible to authorized users, and Microsoft 365 Copilot honors these access controls. Additionally, the system uses encryption and logical isolation to protect customer content within each tenant.

However, if there are issues such as emails marked with sensitivity labels being incorrectly processed, it can indicate potential vulnerabilities in the data protection mechanisms. This could lead to sensitive information being exposed unintentionally. Microsoft continuously monitors for data leakage vectors and unauthorized access patterns to mitigate such risks.

In summary, while there are robust protections in place, any malfunction or oversight in the processing of sensitive data by Copilot could pose a risk to data security. It is crucial for organizations to regularly review and update their data loss prevention policies to ensure sensitive information is adequately protected.

---

References:

• Data, Privacy, and Security for Microsoft 365 Copilot
• Security for Microsoft 365 Copilot