Content detected by predefined EDD rules

This topic provides specific details about the data detected by the DAR component A lightweight software component of the Secure Endpoint Agent that detects at-risk data stored on a Windows or Mac device during an EDD scan. The DAR component is deployed on a device only when the device is associated with a policy group in which the Endpoint Data Discovery policy is activated. of the Secure Endpoint Agent, which is installed on a device when the Endpoint Data Discovery Endpoint Data Discovery policies scan the hard drives of your managed Windows and Mac devices for confidential file content, such as personal health information, credit card numbers, and SSNs. Scan results are reported in EDD reports to help you identify at-risk devices. policy is activated. The topic also describes how file content is matched for each predefined EDD rule, and how Match Scores are generated.

To find file content that is of particular interest to your organization, you can create one or more custom EDD rules.

About expressions and expression sets

The DAR component uses expressions to identify some types of content, such as SSNs and identifiers. In EDD Rules, an expression consists of a combination of values, variables, operators, and functions that is executed during an EDD scan to detect specific file content. The expressions designed to find a particular type of content are combined into an expression set. When content in a file matches an expression, the file is assigned a Match Score.

About lexicons

The DAR component uses lexicon expression sets to identify some types of content, such as health terms and financial terms. A lexicon uses simple expressions to build a list of words and phrases, which is compared to file content when a device is scanned. When content in a file matches an expression in the lexicon, the file is assigned a Match Score.

Predefined EDD rules

By default, your Absolute account includes a set of predefined EDD rules. You can apply one or more predefined rules to an EDD scan when you configure an EDD policy in the Policies area. Predefined rules always use data encryption and may use redaction. The following predefined rules are available:

The DAR component uses expressions to identify brand-specific patterns in credit card numbers, such as Visa, MasterCard, Discover, American Express, and Diner's Club. Each credit card has its own unique numbering pattern, which includes specific prefixes and a defined number of digits.

Credit card numbers are recognized if they are broken into space-separated segments (tokens), as long as there are at least three digits in each segment. Special characters, such as a hyphen (-), are also recognized. In addition, the Luhn algorithm Also known as the modulus 10 or mod 10 algorithm. A simple checksum formula used to validate identification numbers, such as credit card numbers. is used to verify that the character string is a valid credit card number and not a series of random numbers.

Each occurrence of a valid, unique credit card number detected in a file generates a Match Score of 1. For example, if the same credit card number is detected three times in a file, a Match Score of 1 is generated. If three unique credit card numbers are detected, a Match Score of 3 is generated.

The DAR component uses expressions to identify valid US Social Security Numbers (SSN) written in the following pattern: nnn-nn-nnnn.

The following patterns indicate invalid SSNs:

  • Numbers with all zeros in any grouping (000-nn-nnnn, nnn-00-nnnn, or nnn-nn-0000).
  • Numbers that start with 666 or 9nn.

For more information about the SSN numbering system, see USrecordsearch.com.

Each occurrence of a valid, unique SSN detected in a file generates a Match Score of 1. For example, if the same SSN is detected three times in a file, a Match Score of 1 is generated. If three unique SSNs are detected, a Match Score of 3 is generated.

The DAR component uses the following expression sets to identify US Personal Health Information (PHI) content:

  • Health Terms
  • Personal Health Identifiers (includes Social Security Numbers and Medicare Beneficiary Identifiers)

Health Terms is a lexicon that includes words and phrases, such as:

  • fracture
  • CAT scan
  • convulsions
  • aggressive fibromatosis
  • ocular refraction

Personal Health Identifiers include expressions that define valid identifiers, such as:

  • Social Security Number or SSN, followed by a valid Social Security Number
  • Date of Birth , DOB, Birth Date, and so forth, followed by a date in a supported format
  • Patient, followed by a name or number
  • Account, Member, Record, and so forth, followed by a number

For the component to detect a match and report it in an EDD report, both lexicons must be matched. For example:

Detected file content Match detected?
DOB: 10/02/1974 and the word fracture are found in a file.

Yes

Match Score = 1
Date of Birth: 12/06/1953 and Patient 325487 are found in a file. No health terms are detected.

No

Match Score = 0

A file's PHI Match Score is calculated by tallying the total number of unique Personal Health Identifiers. Although a file must include at least one health term for a match to be detected, no Match Score is assigned to a matched health term. Therefore, the higher the Match Score, the more likely that a file contains Personal Health Information for many individuals rather than just one.

The DAR component uses expressions to identify personal data that is subject to the protection requirements set out in the General Data Protection Regulation (GDPR) The General Data Protection Regulation (GDPR) defines a set of data protection rules that apply to all organizations that process data related to individuals residing in the European Economic Area (EEA). for the countries of the European Economic Area (EEA) The EEA includes all European Union (EU) countries and also Iceland, Liechtenstein, and Norway. It defines the countries that participate in the European Single Market..

The following 40 personal identifiers are detected by the predefined GDPR Personal Data rule:

  • Tax Identification Number (Austria)
  • National Number (Belgium)
  • Uniform Civil Number (Bulgaria)
  • Master Citizen Number (Croatia)
  • Personal ID (Croatia)
  • Tax ID Number (Cyprus)
  • Birth Number (Czech Republic and Slovakia)
  • Civil Registration System (Denmark)
  • Personal ID Number (Estonia)
  • Personal ID Number (Finland)
  • Social Security Number (France)
  • Social Security Number (Germany)
  • Taxpayer ID Number (Germany)
  • Personal ID Number (Greece)
  • Social Security Number (Greece)
  • Tax Identifier (Greece)
  • Personal ID (Hungary)
  • Personal Number (Hungary)
  • Social Insurance Number (Hungary)
  • Personal ID (Iceland)
  • Public Service Number (Ireland)
  • Tax Code ID (Italy)
  • Personal Code (Latvia)
  • Personal ID Number (Liechtenstein)
  • Personal Code (Lithuania)
  • Personal ID (Luxembourg)
  • Identity Card Number (Malta)
  • Citizen Service Number (Netherlands)
  • Personal ID Number (Norway)
  • Personal Number (Poland)
  • Civil Identification Number (Portugal)
  • Social Security Number (Portugal)
  • Tax ID Number (Portugal)
  • Personal Numerical Code (Romania)
  • Master Citizen Number (Slovenia)
  • Citizen ID Number (Slovakia)
  • DNI Number (Spain)
  • Personal ID Number (Sweden)
  • National Health Service (UK)
  • National Insurance Number (UK)

The rule include expressions that define a valid EEA personal identifier, such as:

  • Codice Fiscal or CF, followed by a valid Italian Tax Code ID number
  • Documento Nacional de Identidad or DNI, followed by a valid Spanish DNI number

A file's GDPR Personal Data Match Score is calculated by tallying the total number of unique EEA personal identifiers.

The DAR component uses the following expression sets to identify US Personal Financial Information (PFI) content:

  • Financial Terms
  • Personal Financial Identifiers

Financial Terms is a lexicon that includes words and phrases, such as:

  • account balance
  • annual rate
  • direct deposit
  • mortgage loan
  • routing number

Personal Financial Identifiers include expressions that define valid identifiers, such as:

  • Social Security Number or SSN, followed by a valid Social Security Number
  • Account, Loan, Customer, Certificate, and so forth, followed by a name or number

For the component to detect a match and report it in an EDD report, both expression sets must be matched. For example:

Detected file content Match detected?
SSN 332-65-4872 and account balance are found in a file.

Yes

Match Score = 1
The phrases account balance and direct deposit are found in a file. No personal financial identifiers are detected.

No

Match Score = 0

A file's PFI Match Score is calculated by tallying the total number of unique Personal Financial Identifiers. Although a file must include at least one financial term for a match to be detected, no Match Score is assigned to a matched financial term. Therefore, the higher the Match Score, the more likely that a file contains Personal Financial Information for many individuals rather than just one.

The DAR component uses the Profanity lexicon to identify words or phrases that are considered to be profane in American English. Each unique term found in the file generates a Match Score of 1, regardless of how many times that particular term is used.

The DAR component identifies encrypted file A file that has been converted to an encrypted form to prevent unauthorized users from viewing the sensitive data contained within it. An encryption key is required to decrypt and view the file.s and password-protected files. Because the component is unable to open and analyze these files, it assigns the Encrypted content type to these occurrences. Each encrypted or password-protected file generates a Match Score of 1.

The DAR component uses a Bullying lexicon to identify file content that is inherently insulting, offensive, or threatening and therefore may indicate that a bullying incident has occurred. Internet slang (including commonly used acronyms) is also included in the lexicon if it's insulting, offensive, or threatening in nature. Each unique term found in the file generates a Match Score of 1, regardless of how many times the term is used.

The Bullying lexicon includes a preliminary list of terms; some instances of bullying may not be detected.

The DAR component identifies files that can't be scanned because they were in use at the time of the scan, or the files reside in an encrypted file directory. Each unscannable file generates a Match Score of 1.