Test cases and evidence collection procedures to validate privacy controls for consumer financial information in Copilot interactions, including the incident response program requirements under the 2023 Reg S-P amendments.
Test Cases
Test 1: DLP Detection of NPI in Copilot Interactions
- Objective: Verify that DLP policies detect nonpublic personal information (NPI) in Copilot-assisted communications
- Steps:
  - Using a test account, draft an email with Copilot that contains synthetic (non-production) SSN and account number test data.
  - Attempt to send the email to an external recipient.
  - Verify that the DLP policy tip appears, warning about NPI content.
  - Confirm that high-volume NPI triggers blocking behavior.
- Expected Result: DLP detects NPI content, displays policy tips, and blocks high-volume transmissions.
- Evidence: Screenshots of DLP policy tips and block notifications.
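The two-tier behavior Test 1 checks (policy tip at low NPI volume, block at high volume to external recipients) can be configured from Security & Compliance PowerShell. The following is an added example, not configuration from the original document; it assumes the ExchangeOnlineManagement module is installed, the account holds Compliance Administrator rights, and the policy name, rule names and the `privacy-officer@contoso.example` report address are placeholders chosen for this example. The sensitive information type names are the built-in Purview types.

```powershell
# Added example (not from the original document): create a DLP policy whose two
# rules match Test 1's expected behavior. Policy/rule names and the report
# mailbox are placeholders; sensitive info type names are built-in Purview types.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # prompts for the compliance admin account

$policyName = 'Reg S-P NPI Protection (Test)'
$reportTo   = 'privacy-officer@contoso.example'   # placeholder

# Start in test mode with notifications so policy tips show without blocking
# while the test cases run; change -Mode to Enable once they pass.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Comment 'Detects consumer NPI (SSN, bank account number) in Copilot-assisted communications' `
    -Mode TestWithNotifications

# Built-in sensitive information types used here as NPI indicators.
$npiTypes = @('U.S. Social Security Number (SSN)', 'U.S. Bank Account Number')

# Rule 1: 1-9 instances sent outside the organization -> policy tip plus incident report.
# maxCount 9 keeps this rule from matching the high-volume case below.
$lowVolume = @($npiTypes | ForEach-Object { @{ Name = $_; minCount = '1'; maxCount = '9' } })
New-DlpComplianceRule -Name "$policyName - Low volume tip" -Policy $policyName `
    -ContentContainsSensitiveInformation $lowVolume `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message appears to contain consumer financial information (NPI).' `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Title, Severity, DetectionDetails `
    -ReportSeverityLevel Medium

# Rule 2: 10+ instances sent outside the organization -> block and report at high severity.
$highVolume = @($npiTypes | ForEach-Object { @{ Name = $_; minCount = '10' } })
New-DlpComplianceRule -Name "$policyName - High volume block" -Policy $policyName `
    -ContentContainsSensitiveInformation $highVolume `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'Blocked: high volume of consumer financial information (NPI) addressed to external recipients.' `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Title, Severity, DetectionDetails `
    -ReportSeverityLevel High

# Evidence for the test record: list the resulting rules alongside the screenshots.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, Disabled, BlockAccess, AccessScope, ReportSeverityLevel |
    Format-Table -AutoSize
```

Running the policy in `TestWithNotifications` mode first lets the tester confirm the policy tip wording in step 3 before enabling the block in step 4; the exported rule listing can be filed with the screenshots as the DLP policy configuration evidence item.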
Test 2: Information Barrier Enforcement for NPI Across Segments
- Objective: Confirm that information barriers prevent Copilot from surfacing NPI across business unit boundaries
- Steps:
  - Create test documents containing consumer financial data in a restricted segment's SharePoint site.
  - Have a user from a different segment use Copilot to search for or reference that content.
  - Verify that Copilot does not surface the restricted content in its responses.
- Expected Result: Information barriers prevent cross-segment NPI exposure through Copilot.
- Evidence: Copilot response showing no restricted content surfaced.
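A screenshot of the Copilot response shows only what the tester saw; the Copilot interaction audit records show which resources Copilot actually read. The script below is an added example, not part of the original document, that supplements the Test 2 evidence by pulling the cross-segment test user's `CopilotInteraction` audit records and flagging any referenced resource hosted on the restricted site. It assumes an active `Connect-ExchangeOnline` session with audit log read rights; the test user and the restricted site URL are placeholders, and the `CopilotEventData.AccessedResources` field names (`SiteUrl`, `Name`, `AppHost`) are an assumption about the audit schema that should be checked against a sample record in the tenant.

```powershell
# Added example (not from the original document): check the test user's Copilot
# interaction audit records for references to the restricted segment's site.
# Placeholders: $testUser, $restrictedSite. Assumed schema: AuditData JSON with
# CopilotEventData.AppHost and CopilotEventData.AccessedResources[].{Name,SiteUrl}.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$testUser       = 'segment-b-tester@contoso.example'                            # user outside the restricted segment
$restrictedSite = 'https://contoso.sharepoint.com/sites/WealthMgmt-Restricted'  # restricted segment's site
$end   = Get-Date
$start = $end.AddHours(-24)   # window covering the test session

$interactions = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType CopilotInteraction -UserIds $testUser -ResultSize 5000

$findings = foreach ($rec in $interactions) {
    $data = $rec.AuditData | ConvertFrom-Json
    foreach ($res in $data.CopilotEventData.AccessedResources) {
        $url = [string]$res.SiteUrl
        # Any resource under the restricted site is a barrier gap, regardless of
        # whether the final response quoted it.
        if ($url -and $url.StartsWith($restrictedSite, [System.StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                When     = $rec.CreationDate
                AppHost  = $data.CopilotEventData.AppHost
                Resource = $res.Name
                SiteUrl  = $url
            }
        }
    }
}

if ($findings) {
    Write-Warning "Information barrier gap: Copilot referenced $(@($findings).Count) restricted resource(s) for $testUser"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "PASS: no restricted-segment resources referenced in $(@($interactions).Count) Copilot interaction(s) for $testUser"
}
```

Audit records can lag the interaction by some time, so run the check after the Copilot session has finished and widen the window if the interaction count comes back as zero.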
Test 3: Sensitivity Label Protection for NPI Documents
- Objective: Validate that documents containing NPI are protected with appropriate sensitivity labels
- Steps:
  - Create a document containing consumer financial data.
  - Apply or verify auto-application of the appropriate sensitivity label.
  - Confirm the label enforces encryption and access restrictions.
  - Test that Copilot interactions with the document respect label protections.
- Expected Result: NPI documents are labeled, encrypted, and Copilot respects label-based access controls.
- Evidence: Document properties showing label and encryption status.
Test 4: Incident Response Program Verification (Rule 248.30(a)(4))
- Objective: Verify that the written incident response program covers Copilot-related NPI incidents and includes the required notification procedures
- Steps:
  - Review the firm's written incident response program (IRP) for Copilot NPI coverage.
  - Confirm the IRP is written (not informal) and includes: Copilot-specific incident scenarios, severity classification, escalation paths, containment steps, and notification procedures.
  - Verify that the 72-hour Microsoft notification procedure is documented (SEC Rule 248.30(a)(3)): confirm that the Microsoft notification channel, contact information, and notification template are accessible.
  - Verify that the 30-day customer notification timeline is documented.
  - Confirm that a named individual is responsible for executing the Microsoft notification within the 72-hour window.
- Expected Result: Written IRP exists, covers Copilot scenarios, and documents both the 72-hour vendor notification and 30-day customer notification procedures.
- Evidence: IRP document with Copilot section; 72-hour notification procedure documentation; responsible party assignment.
Test 5: Incident Response Simulation — NPI Exposure via Copilot
- Objective: Simulate a Copilot NPI exposure event to test the incident response program and verify that the 72-hour notification window is achievable
- Steps:
  - Run a tabletop exercise scenario: "Copilot Chat surfaced client account numbers to a user without appropriate permissions due to a permission misconfiguration. The exposure was detected via a DLP alert."
  - Walk through the IRP steps: detection confirmation → severity classification → internal escalation (4 hours) → executive notification (24 hours) → Microsoft notification preparation (72-hour deadline).
  - Time the exercise — confirm that the 72-hour notification to Microsoft could be executed within the required window.
  - Identify any gaps in the notification chain (e.g., unavailable contacts, missing notification templates).
  - Document exercise outcomes and any remediation items.
- Expected Result: Tabletop exercise completed with documented outcome; notification chain is achievable within the 72-hour and 30-day windows; gaps identified and assigned for remediation.
- Evidence: Exercise facilitation notes and outcome documentation; gap remediation log.
Test 6: Privacy Incident Response Alert Workflow
- Objective: Verify that NPI-related DLP incidents trigger the appropriate automated alert workflow
- Steps:
  - Trigger a DLP incident involving consumer financial data (test environment).
  - Verify that the incident appears in the DLP incident report (Purview > Data loss prevention > Incidents).
  - Confirm that the compliance team and Privacy Officer receive notification via the configured alert policy.
  - Walk through the incident investigation and resolution process in Purview.
- Expected Result: DLP incidents trigger automated notifications, are logged for investigation, and can be resolved.
- Evidence: DLP incident report and notification confirmation.
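The evidence table below calls for DLP incident reports as a CSV export from the audit log, and Tests 4 and 5 hinge on whether the 72-hour and 30-day clocks can be met from the moment of detection. The script below is an added example, not part of the original document, that serves both: it exports DLP rule matches from the unified audit log to CSV and stamps each row with the IRP deadlines computed from the detection time. It assumes an active `Connect-ExchangeOnline` session with audit log read rights, and it treats the DLP `AuditData` field names (`PolicyDetails[].PolicyName`, `Rules[].RuleName`, `Rules[].Actions`, `Rules[].ConditionsMatched.SensitiveInformation[]`) as an assumption about the audit schema. The 7-year retention of the resulting file is a storage matter outside the script.

```powershell
# Added example (not from the original document): export DLP rule matches from
# the unified audit log to CSV and annotate each with the 72-hour vendor and
# 30-day customer notification deadlines from the IRP. Assumed schema: AuditData
# JSON with PolicyDetails[].Rules[].{RuleName,Actions,ConditionsMatched}.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$end     = Get-Date
$start   = $end.AddDays(-7)   # lookback window for the test run
$outFile = "DLP-Incidents-$($end.ToString('yyyyMMdd')).csv"

# Record types that carry DLP rule matches for mail, SharePoint/OneDrive and endpoints.
$recordTypes = 'ComplianceDLPExchange', 'ComplianceDLPSharePoint', 'DLPEndpoint'

$records = foreach ($rt in $recordTypes) {
    Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType $rt -ResultSize 5000
}

$nowUtc = $end.ToUniversalTime()
$rows = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    # CreationDate on the search result is reported in UTC.
    $detected = [datetime]::SpecifyKind($r.CreationDate, [System.DateTimeKind]::Utc)
    $by72h    = $detected.AddHours(72)
    $by30d    = $detected.AddDays(30)
    foreach ($policy in $data.PolicyDetails) {
        foreach ($rule in $policy.Rules) {
            # Flatten the matched sensitive info types into one cell for the CSV.
            $sits = @($rule.ConditionsMatched.SensitiveInformation |
                      ForEach-Object { "$($_.SensitiveInformationTypeName) x$($_.Count)" }) -join '; '
            [pscustomobject]@{
                DetectedUtc          = $detected.ToString('o')
                User                 = $data.UserId
                Workload             = $data.Workload
                Policy               = $policy.PolicyName
                Rule                 = $rule.RuleName
                Actions              = (@($rule.Actions) -join '; ')
                SensitiveInfoMatched = $sits
                VendorNotifyBy72h    = $by72h.ToString('o')
                CustomerNotifyBy30d  = $by30d.ToString('o')
                Overdue72h           = ($nowUtc -gt $by72h)   # true if the vendor window has already closed
            }
        }
    }
}

$rows | Sort-Object DetectedUtc | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
Write-Host "Exported $(@($rows).Count) DLP rule match(es) to $outFile"
```

Rows with `Overdue72h` set to true are the ones to reconcile against the IRP's notification log during Test 5; any such row without a recorded Microsoft notification is a gap for the remediation log.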
Evidence Collection
| Evidence Item | Source | Format | Retention |
|---|---|---|---|
| DLP policy configuration | Purview portal | Screenshot | With control documentation |
| DLP incident reports | Audit log | CSV export | 7 years |
| Information barrier test results | Copilot response | Screenshot | With control documentation |
| Privacy impact assessment | Assessment document | PDF | 7 years |
| Written IRP with Copilot section | IRP document | PDF | 7 years (updated annually) |
| 72-hour notification procedure | IRP or standalone document | PDF | 7 years |
| Tabletop exercise documentation | Exercise records | PDF | 7 years |
Compliance Mapping
| Regulation | Requirement | How This Control Helps |
|---|---|---|
| SEC Reg S-P Rule 248.30(a)(3) | 72-hour vendor notification for unauthorized NPI access | Tests 4 and 5 verify the documented procedure and that the window is achievable |
| SEC Reg S-P Rule 248.30(a)(4) | Written incident response program | Test 4 verifies the existence and completeness of the written IRP |
| SEC Reg S-P Rule 30 | Safeguard customer records | Supports compliance with NPI safeguarding in AI interactions |
| GLBA Title V | Financial privacy | Helps meet privacy requirements for consumer financial information |
| FTC Safeguards Rule | Information security program | Supports requirements for protecting customer information |
Next Steps